A Practical Guide to Software Supply Chain Security [10 Tips]
1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 4.00 out of 5)
Loading...

A Practical Guide to Software Supply Chain Security [10 Tips]

Whether you’re a software creator or software buyer, you’re vulnerable to software supply chain attacks. Here’s how you can protect your company and customers…

What would happen if a popular software (one that’s widely used across your organization and is sourced from a reputable vendor) turned out to have malicious code in it that allowed hackers to remotely access and control your employees’ machines? Unfortunately, that’s not just a hypothetical — that’s how many real-world (and costly) cyber attacks have actually happened.

Software supply chain attacks are one of the scariest types of cyber attacks because they’re carefully planned to cascade “downstream” to achieve the biggest impact possible. The idea here is that the attacker tries to compromise every person and organization using the affected software product or component.

A good example of a supply chain attack is the SUNBURST attack in 2020: hackers gained access to the build servers for SolarWinds Orion software and inserted malicious code (a backdoor that allowed the attackers to gain access into any organization that installed the Orion software). This means that organizations using the well-known, reputable software product (Orion) were unknowingly giving a sophisticated hacker group access to their systems. Thousands of organizations downloaded the malware, which resulted in security breaches at about 100 organizations including a number of high profile corporations and government agencies.

As such, software supply chain attacks are a growing concern for both software makers and software buyers:

  • NCC Group reports that supply chain attacks globally increased 51% between July and December 2021.
  • Anchore’s 2022 research shows that 62% of respondents indicate that software supply chain attacks have impacted their enterprises in the last year.
  • It only takes one line of compromised code in one piece of software you use to impact all of your customers (and more).

Knowing this, how can you protect your organization against supply chain attacks? Let’s take a look at the basics of supply chain security, then explore practical advice from eight IT and cybersecurity experts on how you can protect your organization and customers. We’ll cover important tips for both software creators and software buyers — we’ve got a little something for everybody.

Let’s hash it out.

Software Supply Chain Security 101

What Is the Software Supply Chain?

Generally speaking, the software supply chain includes everything involved in the software development lifecycle. Practically, that means anyone and anything that could contribute or modify code that’s used in a software product, including:

  • The software vendor who makes a software product, including their developers and systems.
  • Creators of any third-party components or libraries included in the software (this could include individuals, organizations, and open-source communities)
  • Distributors and other vendors who may be able to modify software before it’s delivered to customers
  • Systems or parties involved in updating software once it’s been installed on the customers’ devices.

In many cases, the supply chain for a given software product can be very extensive, because most software is built using a mixture of code developed in-house and (many different) third-party components. Some of these third-party software components are so ubiquitous that we hardly even think about them — for example, it’s estimated that there are over one trillion SQLite databases in the world because SQLite is used as a component by so many popular software products.

What Is Software Supply Chain Security? It’s How You Prevent Software Supply Chain Attacks

Software supply chain security is about preventing bad guys from using your software supply chain as an attack vector to carry out attacks on your customers. The true targets in software supply chain attacks are your customers; you and your software products are just pawns they can use to achieve their goals.

Software supply chain security is about doing everything possible to prevent bad guys from infiltrating your network and deploying harmful code within your products that will be sent to customers. It encompasses all the policies, tools, and actions you (as a software vendor, for example) use to prevent these attacks.

When there are one or more vulnerable elements in your software supply chain, then your software product and overall organization are at risk. In a broad sense, supply chain cyber security is about securing everything relating to the process of how your software is created, distributed, and supported.

In particular, software supply chain security focuses on ensuring that malicious code or known security vulnerabilities cannot be added to a software product at any point. This includes ensuring that:

  • Software developers are writing code that follows security best practices
  • Third-party components (e.g., open-source libraries) are free of malicious code or vulnerabilities
  • Your codebase is protected against unauthorized code insertions or modifications and you’re tracking all changes that are made (and who made them)
  • Systems used to build/deploy software is protected against unauthorized access or injections
  • Software is protected against modification and unauthorized additions during distribution/delivery process to customers
  • Update processes to protect customers from receiving fake updates or legitimate updates that have malicious code injected

Why Software Supply Chain Security Matters

The truth of the matter is that software supply chain security issues affect everyone. Regardless of whether you’re creating software, supplying it, or buying it from others, no one likes unpleasant surprises. And that’s precisely what you get when you create or operate software with unknown vulnerabilities. But why is implementing strong software supply chain security so important? Let’s quickly go over a few key reasons:

  • You have a professional responsibility to yourself and/or your customers. As a software creator, you have a duty to adhere to software security standards. You’re responsible for safeguarding the software products, data, and supply chain that connects you with customers.
  • You’re regulatorily required to secure your data and systems. Building on the responsibility point — you’re also typically required to do so due to industry and regional regulations (depending on where you’re geographically based or countries you do business in globally). A couple of recent related examples can be seen in the National Institute of Standards and Technology (NIST) Special Publication 218 (SP-218), NIST Secure Software Development Framework, and U.S. Executive Order (EO) 14028. This executive order aims to enhance software supply chain security regarding the use of third-party software that federal agencies purchase and use. The NIST guidelines provide information relevant for software producers as well as the software purchasers (i.e., federal agencies). 
  • Your reputation and customers’ trust are on the line. Trust matters, and once it’s broken, you may not get it back. In fact, nearly a quarter (24%) of surveyed consumers told Privitar that they’d either terminate business with companies after they’ve been breached, or they’d do less business with them in the future. As you can imagine, a data breach can have a devastating toll on your customers’ bottom lines, customer relationships, and future business opportunities. Now, imagine if they’re breached because of an issue with your software (due to its vulnerable software supply chain). As the software creator or its supplier, that would have a devasting effect on your reputation as well.
  • There’s no “re-do” button in software supply chain security. When it comes to securing your software logistics network, either you do it right or you don’t. Closing the stable door won’t do you any good if the horses already ran out. Dedicate the time and resources to secure your software supply chain from the get-go to prevent attacks from occurring.

How to Secure Your Organization’s Software Supply Chain

Most articles that talk about software supply chain security cover the topic from the perspective of software developers. And this is important, as this guide applies largely to that audience. But there are other considerations as well from the perspective of software procurers who buy the software that’s created.

Simply put:

  • If you’re a software developer: You should be implementing the following list of 10 best practices and tips.
  • If you’re a software buyer: Your goal should be to choose vendors who follow best practices like these.

1. Devote the Appropriate Resources to Securing Your Organization

Don’t be stingy when it comes to people, time, and money. Keeping your software supply chain secure should be among the highest priorities, and the reality is that accomplishing this requires a lot of resources.

Now, we’re not saying that throwing money at the problem will magically make all your security woes go away. But having a dedicated budget that’s set aside strictly for security purposes is a smart move and provides the necessary resources your organization needs to harden your defenses. This is money that can be spent in various ways, including:

  • Upgrading your firewalls and other cyber security systems (such as intrusion detection and response tools)
  • Adding skilled and knowledgeable workers to your in-house IT team
  • Investing in third-party service providers to carry out assessments and penetration testing
  • Incentivizing security-related innovations and initiatives
  • Increasing cyber awareness and best practices usage among your employees through various trainings

2. Make Security an Organization-Wide Priority for Everyone

A good application security strategy is one that encompasses all elements of your software supply chain. Jeff Williams, co-founder and chief technology officer at Contrast Security, says that achieving a secure supply chain (i.e., as secure as you can make it) boils down to knowing:

  • What code you write
  • What tools you use to develop and create software
  • How you secure your code and systems
  • Which third-party applications you buy and use

While some leaders may argue otherwise, security isn’t a siloed initiative. It’s a group effort — one that all employees (and other network users) participate in that should be led from the top of your organization. Bradley Jackson, the Director of Software Engineering here at The SSL Store, underscores this idea:

“It’s not the job of one person or a QA team to find vulnerabilities or point out flaws. It’s a team effort — from the developers, to DevOps, DBAs, marketing & bizdev, to ensure they’re not asking for functionality that can’t be done securely — all the way to the CEO to not rush a product to market at the sake of security.”

3. Understand Your Dependencies (Know What’s Going Into Your Software)

Asaf Ashkenazi, CEO of Verimatrix, points out an uncomfortable truth: you often don’t know what code is used in your software and where it was sourced from.

Whether an organization is CREATING and distributing software products, or they are just USING [third] party software, the libraries used are likely to come from different sources. Whether it is an open source library or a licensed software solution, it’s vital their organization track where these components are used to allow for fast patching in case of a discovered vulnerability or routine security updates.”

Open source repositories are great because they save time and money by not having to create code from scratch. But open source resources can also introduce vulnerabilities that, otherwise, wouldn’t exist in your software or systems. This is why Steve Judd, senior solutions architect at JetStack, by Venafi, cautions using open source repositories without first auditing and evaluating the risks associated with them:

If a threat actor does compromise a repository, they have the potential to launch a one-to-many attack, which has become the standard in supply chain attacks. Because open source repositories are used so widely by developers looking to save time and resources, popular [artifacts] could be used by thousands of companies. So injecting code into one repository could send shockwaves across multiple organizations, and potentially millions of end users. Ultimately, once the malware makes its way into an application or website, hackers can create disruption, steal data and IP, spy on users and create backdoors.”

Dan Chernov, chief technology officer at DerSecur, describes software-based businesses using the analogy of traditional brick building. In this case, he says that removing one brick from a key location can leave the integrity of a structure at risk of collapse. (Think of a brick that’s located at the top of an arch; if a key brick is missing, it can lead to failure in the overall design.) This is why it’s important to know what you’re putting into your software and to keep tabs on what you’re using and whether those elements have any known vulnerabilities:

Software vulnerabilities are the open door for hackers into the organization, inside the IT systems which process valuable data. That’s why its vitally important to check all company’s software, developed either in house or via outsourcing as well as open source components, for vulnerabilities and backdoors.

To support this, your organization needs to commit management and resources to tracking the sources of your components and implementing application security practices. It’s an initiative that Chernov says should be performed and managed by your chief information security officer (CISO).

Put a Software Bill of Materials (SBOM) to Use

Another way to help secure your supply chain is to create a software bill of materials (SBOM) for your products. If you’re a company using third-party software applications, ensure they offer SBOMs. In a nutshell, an SBOM is a list of all the various components contained within your software, web app, or device (such as libraries, tools, and plugins). This way, you know exactly what tools, code, and resources have been used to create your software artifact.

Think of an SBOM like a recipe card or ingredient list on a packaged food product. If you have a food allergy, you can look at a food product’s list of ingredients to know whether it is something safe for you to eat. If it contains something you’re allergic to, you know that eating it would be risky and could make you sick (or worse).

Likewise, knowing what elements (proprietary and outsourced) are contained within your software helps you and your customers achieve greater supply chain visibility and security. Something else that’s vital to visibility and security is knowing whose hands are in which pies.

Brian Fox, CTO of Sonatype and a member of the Open Source Security Foundation (OpenSSF), calls out the importance of SBOMs for all organizations:

SBOMs are especially important when identifying cybersecurity risks in critical application infrastructure across industries. It’s also worth noting that the U.S. government is constantly releasing new directives and best practices to secure the software supply chain to ensure the private vendors they work with provide the most secure products.

While agencies both in the U.S. and internationally may soon be required to create SBOMs to retain those government contracts, I believe organizations will quickly recognize their importance in not only cybersecurity but general software hygiene – and it will become a standard practice in any organization creating software.”

4. Practice Secure DevOps (SecDevOps or DevSecOps)

Implementing a secure development and operations life cycle should be a no-brainer. But for some reason, some companies either haven’t received the memo or they choose to put their fingers in their ears and start humming. So, since we have your attention, let’s be clear: if you develop or publish software, then it’s imperative that you follow a secure software development life cycle.

Bad guys are always looking for ways to compromise systems and gain access to valuable information. By not securing your devops life cycle, you’re not only leaving your own systems at risk but also jeopardizing your customers’ systems and data. 

Williams emphasizes this point, showing that it’s the sum of all parts, and not just one-off independent elements, that makes for greater software supply chain security. He describes SolarWinds as being a wake-up call that highlights the importance of securing supply chains that extends beyond traditional cyber security methods.

We cannot fix this with an occasional vulnerability scan or penetration test. We must prevent adversaries from getting into the software factory via code, libraries, tools, and platforms.”

Prioritize Security Over Speed or Other Interests

This next truth is a bitter pill your company’s sales and finances execs may not want to swallow: the security of your software should take priority over the speed of its release and distribution. According to Williams:

Collaboration between developer teams and security teams is key here. But there has been friction in the past as developers are under pressure to work at speed, and security teams are under pressure to work securely. Unfortunately, these concepts don’t always align, and one is prioritized over the other – usually speed over security, hence why we see so many attacks targeting software supply chains.”

Digitally Sign Your Software Using a Code Signing Certificate

Code signing is a technique that enables you to attach a special signature of sorts to your code, containers, software and other executables. This cryptographically based method ensures the integrity of your software (i.e., so your customers know it hasn’t been tampered with since you signed it) and that helps customers know your software is authentic (i.e., that it was published by you and not an imposter).

Now, it’s no secret that we love code signing here at Hashed Out. After all, it’s a public key infrastructure (PKI) security technique that enables you to protect your software and assert your digital identity. (And, as you know if you’ve read our previous articles, we love digital identity!) Unfortunately, not all companies or developers opt to use them. This results in unsightly “unknown publisher” or “software not trusted” warning messages displaying to their users: 

Secure software supply chain graphic: Two side-by-side screenshots of the User Access Control messages that display for unsigned (left) and signed (right) software
Image caption: A set of screenshots that shows the differences in messages that display for digitally signed software (right) and software lacking a digital signature (left).

5. Manage Access to Your Systems and Servers

Ah, yes, people. Human beings are, simultaneously, the greatest contributors and risks to the security of your supply chain and organization overall. All it takes is one moment of inattentiveness for an employee to fall for a phishing email that could compromise their credentials. (Yup, it happens to the best of us.)

Of course, securing access is a general cyber security best practice for all organizations. But when it comes to software supply chain security, it’s crucial to ensure that no one tampers with your software during the development process in particular.

Limit Who Has Access to What

Limiting how many people have access to privileged systems also limits the exposure risk of those systems when things go wrong. An attacker can only access the limited systems and data associated with that individual user’s profile. This is why access to your systems, data, and servers (especially your development and production servers) should be managed carefully and privileged access given sparingly.

Here’s a good rule of thumb to abide by: everyone doesn’t need access to everything. Only assign permissions and privileges to users whose roles and responsibilities require them. 

Use Secure Authentication Methods

It’s no secret that cybercriminals love passwords. Compromising passwords is a very lucrative practice for bad guys. People tend to use really crappy passwords that are easy to guess via brute force attacks, or they give them to attackers who trick them using phishing tactics. A good way to avoid password-related security issues (i.e., have strong password security) is to avoid using them altogether.

One of the things we love to highlight here at Hashed Out is the use of public key infrastructure. (PKI is the foundation of internet security as we know it.) When it comes to secure authentication, something that PKI offers is the ability to use cryptographically secure mechanisms (i.e., a client authentication certificate) to:

  • Log in to systems without having to use usernames and passwords that can become compromised (and leave your systems at risk), and
  • Verify it’s really your employee who’s trying to access a protected resource (i.e., not an unauthorized user or cybercriminal).

Another option is to use multi factor authentication (MFA) apps that allow you to authenticate without having to type in any passwords. For example, you might receive an app-based push message on your mobile device that prompts you to authenticate whenever you try to access a protected resource.

Secure software supply chain graphic: A screenshot of a login authentication prompt screen
Image caption: A screenshot of the verification message I received when I tried logging in to a service.

6. Scan and Monitor Your Digital Assets

Even if you’re doing everything right to keep your network, website, IT systems and other digital assets as secure as possible, attackers can exploit vulnerabilities to upload malware. The same can be said about your website. When customers then visit your website, instead of downloading your legitimate software or patches, they may find themselves installing malware instead that’s been uploaded to your site.

Part of this entails keeping your website’s plugins, themes, and codebases secure. Jeremy Clifford, CEO of RouterCtrl, has worked as a network specialist and engineer for more than 20 years. He says that GitHub is not just a way to maintain a code history, but it’s also a repository that can help you secure and protect your supply chain.

Clifford shares his insights regarding the importance of maintaining a secure codebase:

Keeping the codebase secure should be the number one priority of […] any tech company. Not only could nefarious code bring your site down, for example, but they could also insert code into your site that would collect and send personal data, turning your innocent site into an unwilling accomplice to a crime.

[…] require that all code merges require multiple peer reviews and that merges into the master or production branches can only be done by certain approved parties. This way you’ll get multiple sets of eyes on each code change to ensure that only the intended changes make it in.”

Know What Software and Devices You Have on Your Network

Having visibility is critical to network security. If you don’t know what connects to it (devices, applications, etc.), how can you keep it secure? This is the underlying concern of shadow IT for many organizations.

Having unknown and untracked assets on your network like jumping into a lake filled with alligators while wearing a blindfold: you’ll never know what direction an attack is going to come from, and there’s no way to defend yourself.

7. Patch and Update Your Systems Regularly

If your systems aren’t patched and secure, then it means there are vulnerabilities that bad guys can exploit to use as an access point to your network (and, ultimately, your development and production servers) Patches are kind of like life vests: getting one won’t do you any good if you don’t bother wearing it when you go boating.

Let’s take Microsoft’s Patch Tuesday updates as an example. Almost every Tuesday, Microsoft rolls out updates for different products to help organizations and users mitigate the latest vulnerabilities. Back in 2017, Microsoft rolled out an update of their legacy Windows operating systems to mitigate security issues relating to vulnerability within their systems that resulted in an exploit known as Eternal Blue. However, many companies globally failed to apply the update within a reasonable amount of time.

The result? A global ransomware attack that resulted in catastrophic damages for governments and private sector entities in more than 150 countries. For example, the United Kingdom’s National Health Service (NHS) found its operations screeching to a halt. Thousands of surgeries and appointments were canceled and, in some cases, institutions had to divert emergency responders to other facilities. There’s also the issue of ransomware attacks causing fatalities by targeting critical infrastructure…

Eliminate Outdated Components and Software

Time isn’t kind in many aspects. As humans, we grow older and we start to feel like we’re falling apart.  The same happens with software and other technologies over time — they become less secure, particularly when their manufacturers stop maintaining them with new patches and updates.

Ashkenazi, who has a background in systems design engineering and architecture, says that a critical step that often gets overlooked is managing and rotating out old technologies. “Continually ask yourself if you’re using a timely cycle to age out some of the stuff that is old and probably (or definitely) less secure.” He points out that some suppliers stop supporting their software with updates and security patches. So, it’s important to examine your software supplier’s track record to see if they’re one of the ones that continue support or drop off after a few years.

8. Set Security Requirements With Third-Party Vendors

Do you know what your software vendors are doing to keep their software — and, by proxy, your organization — secure? If the answer is no, we’re not surprised.

The NCC Group’s research we mentioned at the beginning of the article shows that almost half of surveyed organizations (49%) neglect to set security standards with their service providers ahead of time. But what makes matters worse is that 34% also indicate that they don’t “regularly monitor and risk assess their suppliers’ cyber security arrangements,” either.

This is particularly concerning considering that third-party risks are frequently the result of contractors or service providers having access to sensitive systems and data. Think of the 2013 Target data breach when the network credentials of one of their third-party HVAC vendors were hacked, giving attackers access to Target’s systems.

Ilam Padmanabhan, solution delivery manager at Nets Group, has two decades of experience in the tech and financial services industries. Padmanabhan says it’s important to both stay abreast of what vendors are doing to keep their software secure and to keep them informed about any vulnerabilities they discover on their systems:

To ensure the security of their suppliers, [companies] should conduct regular security audits and require their suppliers to meet certain security standards. They should also establish communication protocols so that they can quickly notify their suppliers of any vulnerabilities that are discovered.”

Conduct Risk Assessments of Your IT Systems

Keeping an eye on your IT ecosystem entails more than just monitoring your network. It’s also about keeping tabs on everything that touches your network — applications, personal and company devices, IoT devices, etc. You need to know who has access to everything, including third party vendors and contractors. Part of this entails performing cyber security risk assessments that help you identify vulnerabilities and prioritize mitigation efforts.

If you’re not sure how to perform a cyber risk assessment, no worries. We’ve already got a resource ready to go for you. Of course, simply figuring out what risks there are and how to prioritize them isn’t enough. You also need to have plans in place for how to respond to them and for how to keep your business going…

9. Create Business Continuity, Incident Response and Disaster Recovery Plans

We get it — accidents happen and, sometimes, things go wrong. These types of scenarios span the gamut from natural disasters to man-made issues like cyber attacks. But if you’re smart, you’ll plan ahead for when things go wrong (because, inevitably, they will) so you’ll have plans in place for how to respond to bad situations.

A few examples of some of the plans you can create and implement include:

  • Business continuity (BC) plan — A BC plan provides guidance on keeping your business up and running while crap is hitting the fan. It’s easier said than done, but with the right plan and people in place, it can be enough to keep your business from failing in the interim.
  • Incident response (IR) plan — This document serves as your guide for what to do when you’re in the thick of things and feel like you’re facing down a dragon. The goal is to stop whatever’s happening from happening and to prevent further damage from occurring.
  • Disaster recovery (DR) plan — A DR is all about helping your business in the aftermath of whatever ungodly scenario your organization has just endured. This typically involves implementing data backups and trying to get your organization back to being fully functional.

10. Train Your Employees on General Cyber Security and More Specialized Practices

A key part of any cyber security strategy is providing educational training and resources to your staff and other network users. In general, everyone who touches any company device or has access to your network should be trained to increase their cyber awareness and to recognize threats. But the training doesn’t have to stop there; you also should provide more specialized, in-depth or technical training to increase the security of your privileged users. This is something that you can offer in house or consider hiring a third party to handle for you.

Regardless of which approach you take, the important takeaway is to educate your employees. They’re your first line of defense in all aspects of cyber security, including the protection of your supply chain.

Train Your Organization’s Software and Technology Buyers

The same training concept applies to technology buyers, too. If you want to ensure that your company is using only the most secure software, educate your employees who are responsible for making those purchases. Provide them with guidelines and standards they can refer to when vetting prospective software creators and their products.

Meet the Experts

We offer a special thanks to all of the experts who shared their insights with me to write this article. They’re listed in alphabetical order by last name:

  • Asaf Ashkenazi, CEO at Verimatrix
  • Dan Chernov, chief technology officer at DerSecur.
  • Jeremy Clifford, CEO of RouterCtrl.
  • Brian Fox, CTO of Sonatype and an OpenSSF member.
  • Bradley Jackson, Director of Software Engineering at The SSL Store.
  • Steve Judd, senior solutions architect at JetStack, by Venafi.
  • Ilam Padmanabhan, solution delivery manager at Nets Group.
  • Jeff Williams, co-founder and chief technology officer at Contrast Security.

TL;DR: A Quick Overview of Supply Chain Security

Still reading? Awesome. We hope you’ve found these experts’ insights informative and useful. If you jumped to this section to save time, we’ve got a quick summary for you of why software supply chain security matters to software creators and buyers alike:

  • Strong and effective supply chain security comes from the top-down. Security isn’t a one-man-band kind of thing. It’s an initiative that should be led by your organization’s board and other leaders and should be owned by everyone.
  • Know what’s in your products (or the third-party products you use). As a provider, you need to review and approve every component that is included in your software. This helps you (and your products’ users) achieve greater IT environment visibility and security.
  • Carefully manage access and implement secure access methods. Only assign access to those who need it to do their jobs. Use authentication methods that offer the highest levels of security (like MFA and PKI-based authentication).
  • Keep your systems patched and free of vulnerabilities. This should be a no-brainer but it’s worth reminding everyone anyhow. Unpatched systems are vulnerable, and vulnerabilities are big, flashing neon signs that tell cybercriminals “I’m open to attack!”
  • Digitally sign your software to inform users your software is legit and unaltered. If you want your customers to know that your software is authentic and hasn’t been modified since you made it, a good way to ensure this is to digitally sign it. Attaching a digital signature uses cryptographic functions to assert your digital identity and offer assurance about the integrity of your software.

Alright, that’s it. We’ve kept you long enough and are sure you’ve got work to get back to now. Remember: your software is only as secure as you make it. Invest the time, resources, and efforts now to save yourself a lot of headaches — and money — in the future. Don’t allow yourself to sacrifice security for the sake of getting your products out faster.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.