10 Steps to Take Now to Reduce Supply Chain Risks

Open-source software has been a godsend for the development community. They bring lower development costs, faster application delivery, and greater flexibility; it’s no wonder nearly 90% of modern applications comprise third-party software nowadays. 
That’s not to say open-source software doesn’t come with its share of pitfalls, including security risks and vulnerabilities. Its popularity might explain why software supply chain attacks increased 742% year-on-year between 2019 and 2022.

In such a setup, the only course of action is to minimize supply chain risks. This article discusses how third-party code weakens security posture and lists 10 preventive measures to reduce the threat.

Supply chain attack trends: Should you be worried?

Feeding open-source code to your application opens it up to threats like injecting malicious packages into the codebase, security vulnerabilities, and licensing complications. The vulnerabilities of open-source code allow a hacker to exploit the gaps since they are rarely built from a security standpoint.

A cyberattack where an organization is attacked through vulnerabilities in its supply chain is known as Supply Chain Attack.

Supply chain attacks work in a domino style. Poor security governance on the vendor’s side is the first piece that can trigger a chain of events leading to a disastrous breach. It leads to vulnerabilities in open-source code. When you use this component within your application, an attacker can breach your and your client’s systems.

The 2020 SolarWinds attack is a classic example. Its ‘Orion’ platform had a supply chain threat injected into it, which was exploited, and 18,000 customer systems were breached. This malicious code cost American businesses and government agencies $100 billion.

Despite the growth of such attacks, IT leaders are increasing their usage of open-source software by 80%. According to Gartner 2022 studies, nearly 45% of companies across the globe will fall victim to software supply attacks.

Some of the latest critical supply chain attack trends include:

• Third-party code or components often come with Known Vulnerabilities, which could be publicly tracked through a Common Vulnerabilities & Exposure (CVE) list. Mitigate this issue through Software Component Analysis, which reviews the SBOM of open-source software and highlights the vulnerabilities.
• Unknown Vulnerabilities pose a more significant threat because it might take years to realize a security gap that can be exploited. It could be poor encryption, memory corruption, or logical flaw. Such threats are often known as Zero-day Issues because of the immediate response it demands. 
• Executing a supply chain attack doesn’t just take a bad line of code. Sometimes Non-Code Issues like encryption, misconfiguration, and poor secrets management can also be a threat. In the case of SolarWinds, the attack was initiated by exposing passwords on a public GitHub server. This allowed attackers to inject malicious code into Orion.
• Injecting Malicious Code into vulnerable libraries or repositories can enable attackers to get backdoor access. You need to identify and eliminate such corrupted lines of code before your application goes for deployment. 

While these are the critical attack trends that hostile actors employ, you must also be aware of the common vulnerabilities that are likely in your system. If not addressed in time, they prove detrimental.

Common vulnerabilities and attack vectors

Some of the most common vulnerabilities that most developers struggle with to ensure absolute security are:

• Third-party dependencies through commercial or open-source frameworks & libraries
• Easy access to the software environment through the public-facing distribution system
• Public repositories of code that are equally open to hackers
• The impotence of code signing because of stolen keys or expired certificates

10 steps developers should take now to reduce supply chain risks

Most development teams overlook the significance of having a strong secrets management policy when writing code. Here are a few techniques to spot security gaps in your code and other misconfigurations.

1. Identify and map the software components and dependencies

Today, developers use a combination of open-source and third-party with their own code. In such a scenario, setting up a robust third-party or vendor risk management system is important. It explains the third-party landscape: what components are used, their access privileges, and security measures against them. 

Best practices include:

• Classifying vendors based on priority and criticality and also setting benchmarks for access to data they will have
• Automating operations to ensure consistency and repeatability of implementing governance policies
• Having a robust risk evaluation process in place when selecting a vendor

2. Monitor software dependencies for vulnerabilities and apply security patches

When crowdsourcing code to an open-source community, it is possible to inherit the vulnerabilities through third-party dependencies. Using dependencies with vulnerabilities has been listed in the Top 10 security risks by OWASP. To manage this situation, put an efficient monitoring practice in place. While the market is flooded with tools to help identify and fix such challenges, pick the one that suits your specific purpose.

Vendors often release patches for known vulnerabilities to eliminate the security risk in their codebase. Automate patch management to keep track of missing patches and deploy patches to the software.

3. Use only trusted sources for software components

Since open-source software is free and widely available, hackers can easily access these third-party packages, look for vulnerabilities and exploit them. So, when using an external code for your application, do your due diligence before adding these components and giving them access to your sensitive data.

Some of the parameters for assessing a vendor or open-source community are:

• Service History
• Credibility
• Certifications
• Regulatory compliances
• Market reputation

4. Implement strong access controls, authentication, and authorization

The primary target of any cybersecurity attack is to access confidential information and resources, which makes securing this data of utmost importance. Achieve this through several frameworks for implementing a solid authorization and authentication practice.

Establishing Identity Access Management (IAM) best practices for developers will allow you to monitor all the user accounts and minimize risk exposure efficiently.

Adding layered security measures through Two-Factor Authentication makes it difficult for hackers to reach sensitive data. In addition to the password, you can have real-time authentication through SMS or other code-generation apps.

PAM (Privileged Access Management) is another monitoring framework to monitor accounts accessing critical business information. It is slightly more nuanced than IAM, focusing solely on accounts that access privileged information. 

Zero-Trust Authentication is a practice where every request is dealt with suspicion, and a thorough authentication process is followed.

5. Regularly conduct security testing and vulnerability assessments 

Discovering vulnerabilities before they cause damage is key to securing your application from supply chain risks. You can do this only by running multiple tests and assessments across the different stages of the software development process. To detect vulnerabilities, you can run tests, including:

• SAST (Static application security testing) – A white box testing framework that evaluates your application from the inside out.
• DAST (Dynamic application security testing) – A black box testing framework that evaluates your application from the outside. 

6. Implement code signing and verification to ensure code authenticity 

You can ensure that any deviations or changes in your codebase are flagged by implementing digital signatures for your software components. This process of assigning digital signatures is known as Code Signing. It validates the authenticity of your source code, guaranteeing no vulnerabilities go unnoticed.

7. Implement secure coding practices and regularly train developers on secure coding principles

Employees are a vital defense against any cybersecurity threat. The onus is on the enterprise to define and enforce strict coding practices. It introduces consistency across the development practice and ensures that standard data protection and security policies are implemented across the organization. Employers can also automate policy enforcement to improve the overall security posture.

Conduct cybercrime awareness training for your employees to prevent creative attacks like phishing, clickjacking, and social engineering attacks.

8. Establish SDLC processes that include security requirements, testing, and risk assessments

With security moving upwards on the enterprise priority list, DevOps evolved into DevSecOps, where security is a part of every stage of the SDLC process. It is a framework that can identify and eliminate threats through adequate dependency visibility so everyone knows the dependencies and associated vulnerabilities. Here are some ways to achieve the same:

• Implementation of SAST & DAST testing in the development process
• Scanning of code to sanitize it of vulnerabilities before committing the code
• Automating security, monitoring, and alerting mechanisms using AI/ML tools
• Increased focus on secrets management for multi-cloud applications

9. Consider using SCA tools to detect and manage software dependencies

Using SCA tools is a powerful way of identifying what you are harmful ingredients you are adding to your software. These tools read through open source packages you used in your application and highlight all the vulnerabilities. It also goes beyond just open-source code. You can also use these tools to verify the risk appetite of Infrastructure as Code (IaC) and create SBOM.

10. Establish an incident response and disaster recovery plans

As much as it is important to have security measures in place, you must also define your incident response workflow to tackle the eventuality of an attack. The plan should include a forensic analysis of the extent of the breach and a process to bring systems back to default mode.

Don’t let supply chain risks cripple your growth

The age of security oversight has long passed. Today, it is safe to say security precedes faster software delivery. While developers can accelerate their development process through third-party code, there is still the threat of supply chain risks. As long as the dependency on open-source packages remains, enterprises must pay extra attention to avoid any backdoor access to their sensitive data.

Implementing best security practices is easier said than done. Tools like Spectral can help to protect your code. Create a free account today.