Software has become crucial to every industry. Yet ensuring the software system you are buying or licensing is authentic and free from defect or malware is a challenge. The QA procedure in old-school manufacturing is to test a random set of newly delivered widgets for their compliance with approved specifications. But you can’t really take the same simple approach with software.
Vendors deliver – and update – software on an ongoing basis, making it difficult to know when to test. And because a software system may contain millions of lines of code, it’s hard to know how to test and exactly what to test for. Then there’s the significant question of how much control a supplier can truly exert over who and what contributes to a product’s development, from its own developers and contractors to the third-party components and build tools it relies on.
Recent Threat History
This brings up the challenge of bad actors. Over the past few years, as organizations have continued to harden their defenses, some hackers have moved upstream and found ways to inject malware into products prior to their distribution to customers.
In 2015, software security company Kaspersky Lab discovered what it believed was a state-sponsored, advanced attack on its own internal networks. While the intent of the hack seems to have been spying, it could have led to malware injection. That is precisely what happened the same year to an event log application used by enterprise Windows system administrators. In that case, a trojanized version of the application was delivered to customers in a sophisticated supply chain operation, named “Kingslayer,” which RSA Research reported on in 2017.
The potential impact of Kingslayer was extensive. According to RSA, organizations that had subscribed to the event log portal included: four major telecom providers; five major defense contractors; more than 10 western military organizations; and dozens of Fortune 500 companies, IT product manufacturers, government organizations, banks, financial organizations and higher education institutions.
Bad actors pressed ahead in 2017, which the National Counterintelligence and Security Center recently called a watershed year in terms of awareness of software supply chain infiltration. Cases that made the news in 2017 include a backdoored release of CCleaner, a PC cleaning and optimization tool; malicious packages uploaded to the PyPI (Python Package Index) repository under names that mimic legitimate libraries; and a compromised update of a tax accounting app that delivered NotPetya ransomware to banks, airports and power companies in Ukraine, Russia and parts of Europe.
On the Radar, the Vetting Process
The PyPI incident is especially significant. The package index is not the Python language itself, but it is the channel through which most Python code is installed; if that channel can be seeded with malicious code, the impact downstream could be tremendous. And while awareness is growing, it is not yet where it needs to be.
In interviews conducted earlier this year with 1,300 senior IT decision makers and security pros, sponsored by CrowdStrike, VansonBourne found six threats that outranked supply chain attacks, namely: general malware, phishing, password attacks, ransomware, advanced targeted attacks and denial of service. At the same time, supply chain is on the radar of these IT leaders, as 79 percent agreed with the statement: “I believe that software supply chain attacks have the potential to become one of the biggest cyber threats to organizations like mine within the next three years.”
So what’s a sourcing exec to do? As I wrote in this ComputerWorld article on SaaS security, enterprise users can try to gauge a provider’s security profile and test their “good citizenship.” For instance, ensure that they follow relevant best practices, such as those promoted by the Open Web Application Security Project (OWASP) or the Web Application Security Consortium (WASC).
But can you actually inspect a software company’s own sources? That’s hard to do, and not high on anyone’s agenda. The IT leaders interviewed by VansonBourne ranked “a supplier’s relationship with their suppliers” at the bottom of the vetting process. One alternative is to work with a trusted managed services provider.
Don’t Forget the Basics
Meanwhile, with software supply chain attacks costing an average $1.1 million per attack globally, according to VansonBourne, it makes a lot of sense to simply strengthen your overall cybersecurity posture. In a related article in the NTT Security Global Threat Intelligence Center (GTIC) monthly report for August, Senior NTT Security Analyst Danika Blessman makes three basic recommendations:
- “Ensure your organization has a comprehensive, defense-in-depth security strategy in place as threats morph from one to another.
- Ensure you include your supply chain in your security strategy, holding your vendors to the same security standard you hold your own organization.
- Implement threat intelligence to help your organization understand and mitigate a variety of threats.”
As a sourcing expert, you’re no stranger to supply chain management. When adding software to the mix, pay special attention to Blessman’s second point, which amounts to a golden rule for IT security: hold your vendors to the same standards you maintain yourself.