Lessons From the Largest Software Supply Chain Incidents

COMMENTARY

In 2011, Marc Andreessen coined a phrase we're now all familiar with: "Software is eating the world." More than 13 years later, the expression still rings true. The world runs on software, and each day it continues to transform industries and fuel the global economy. Companies are generating more software — faster than ever before — in order to keep up in today's dynamic and ultracompetitive business landscape.

Innovation is a beautiful thing, but the increased volume and velocity with which software is being built and delivered creates more opportunities for something to go wrong in the software supply chain. Over the past decade, we've seen this happen time and time again.

Around this time last year, Okta disclosed that it had experienced a significant security breach, where bad actors gained access to private customer data through its support management system, highlighting the dangers of third-party risk. In 2020, the SolarWinds platform update mechanism was compromised and used to send malicious software that impacted more than 18,000 of its customers. And back in 2017, Equifax suffered a massive breach due to a failure to patch a known security flaw in its software.

This is just a small sampling of the types of software supply chain attacks that have plagued organizations over the past decade. Unfortunately, these attacks show no signs of slowing down — quite the opposite, actually.

Research indicates software supply chain attacks are occurring at a rate of one successful attack every two days, and Gartner predicts that by 2025, 45% of organizations will have experienced a software supply chain attack. Alarmingly, one report found that there has been a staggering 742% increase in these attacks over the past three years.

The uptick in software supply chain attacks can be attributed to a combination of several factors. Often, organizations simply don't realize the breadth of their exposure. As software shops move toward more sophisticated software delivery and consumption models (e.g., continuous integration/continuous delivery [CI/CD] and cloud), their supply chains become more vulnerable. Additionally, typical attack vectors have become increasingly difficult to exploit (thanks to vendors incorporating more sophisticated security measures into platforms and software), which has forced bad actors to uncover new vulnerabilities and become more creative in their attacks. More recently, the spike in adoption of generative AI (GenAI) tools like coding assistants has created new and difficult-to-monitor security gaps. At the same time, attackers are leveraging GenAI themselves to carry out more sophisticated attacks at a higher volume.

Enterprises must urgently find a balance between creating and releasing high-quality software quickly, while upholding a high level of security at each link in the software supply chain.

Here's how they can maintain security without impeding innovation:

Thoroughly Vet Vendors on an Ongoing Basis (and Treat GenAI Tools With the Same Level of Scrutiny)

If anything can be learned from Okta's breach, it's that third-party vendors must be carefully vetted if they're to be trusted with private customer data and other sensitive information. Too often, development shops assume that the third-party code they consume is a black box.

Organizations need to look at each vendor's software bill of materials (SBOMs) so they're aware of any open source or third-party components of their code and can therefore identify possible vulnerabilities. They should also assess the vendor's track record for security and review its policies, procedures, and certifications.

Vetting vendors shouldn't be a box the organization checks at the beginning of their engagement and then forgets about. The vetting process must be ongoing: Organizations should continually be asking questions and keeping a pulse on the vendor's new offerings, policies, compliance certifications, and more.

Of note, GenAI tools should be subjected to the same level of scrutiny as third-party vendors. Organizations need visibility into how the large language model (LLM) works, what data it was trained on, whether the model is open or closed, and how user inputs and generated content are collected and used. They'll also need to assess the accuracy and quality of the code the LLM generates, as well as have a plan in place to mitigate any inaccurate or buggy code it produces.

Consume Open Source Projects Carefully

Open source projects are critical for rapid development and innovation, but organizations need to be very careful about how they consume open source code. Last year alone, researchers found 245,032 malicious packages in open source projects available for public download. Open source repositories are a prime target for bad actors, who can wreak havoc by attacking a single package that, in turn, impacts an entire ecosystem of companies and their customers.

Organizations should use code only from open source projects that adhere to strict compliance frameworks, such as the OpenSSF Scorecard, System Package Data Exchange (SPDX), and OpenVEX. This ensures they have visibility into the security hygiene of the project before they borrow its code. Additionally, organizations should adopt a software composition analysis (SCA) solution and have a plan in place to address any open source vulnerabilities, should they emerge.

Evaluate the Security of Your Entire Software Delivery Process

There's no silver bullet for securing the software supply chain. Organizations must diligently evaluate the security of each step of the software delivery process — including design, development, testing, deployment, maintenance, and beyond.

By infusing security measures throughout the CI/CD pipeline, companies can identify and remediate vulnerabilities early in the development process so they don't lead to a full-blown breach down the line. They can accomplish this through automated security solutions that flag potential issues and source composition analysis (SCA) tools that scan code for known vulnerabilities, and by implementing source code access controls to prevent unauthorized access.

The security cat-and-mouse game is never over. As the industry works diligently to expand its knowledge and strengthen security, attackers are just as hard at work planning and carrying out nefarious activities. The software supply chain is a growing target, and organizations need to take special care to safeguard it. By carefully vetting vendors, mindfully consuming open source, and securing the entire software delivery process, organizations can strike a balance between driving innovation and maintaining software supply chain security.