The cybersecurity threat landscape has evolved rapidly, and one area that demands increased attention is software supply chain compromise. Verizon's 2024 Data Breach Investigations Report (DBIR) recorded a 68% year-over-year increase in breaches involving a third party or supply chain interconnection, and 15% of the breaches analyzed for the report involved a third party or supplier. Those numbers illustrate why organizations need to understand the interconnections, relationships, and dependencies among their software, systems, and data, and they are a stark reminder of the growing risk that third-party software and services carry. As if AppSec practitioners weren't already concerned enough.
The 2024 DBIR, along with plenty of subsequent studies, highlights critical trends in software and application breaches. Application vulnerabilities are a compelling target for attackers, with many reported incidents stemming from weaknesses in software development practices. But contrary to popular belief, the problem is not confined to the individual piece of software or application. The software supply chain encompasses myriad components: every line of code, every library used to build the software, plus the development environments, build and testing tools, people, access controls, and more. That breadth is why the software development lifecycle (SDLC) is so tricky to manage and so attractive to cyber criminals.
When thinking about holistic cybersecurity, then, the focus must shift from a single application or piece of software to the entire software supply chain, including development processes and tools. Why? Because the entire software supply chain presents a significantly broader attack surface than a single app, and it is made up of numerous complex, moving parts. That gives attackers more opportunities while challenging defenders to invest the time and effort required for full-lifecycle protection.
With that in mind, let's look at the scope of the problem and then, more usefully, at how you and your team can improve the resilience of your software supply chain.
Increased Interconnectivity Equals Higher Risk
Software supply chain breaches occur when cybercriminals exploit weaknesses in any part of the SDLC, knowing that a successful exploit will have far-reaching consequences beyond the initial target. The 2020 SolarWinds attack is one example: attackers compromised the vendor's build process and inserted a backdoor into a legitimately signed product update, which was then delivered to thousands of customers through the normal update channel. The incident highlighted just how damaging it can be when an attacker finds one crack in an extensive and extended ecosystem.
Exploiting Software Vulnerabilities
Lingering vulnerabilities are another important element of the supply chain equation. Poor software patching practices or unmanaged zero-day vulnerabilities can have cascading effects across entire industries. To illustrate, the average lifetime of a vulnerability is 4 years, and the average lifespan of zero-day vulnerabilities is 6.9 years. You don’t have to be a software expert to understand the inherent risk of letting vulnerability patching lag.
Even when a software provider is technically the victim of these exploits, downstream entities bear the brunt of the damage, sometimes forcing security teams to deal with the fallout years following the incident. This is precisely why software quality control measures must improve and why rigorous patch management practices are paramount.
Escalating Threats of Ransomware and Extortion
Software vulnerabilities, once exploited, can lead to ransomware and extortion attacks. The DBIR describes how third-party supply chain issues directly drive these incidents, as attackers use vulnerabilities in software and development processes to infiltrate and lock down critical systems. Companies are then left with the difficult decision of negotiating with criminals (which is no guarantee of getting the data back) or facing operational shutdowns (when/if complete backups of systems and data aren’t available). Neither of these options is particularly attractive to businesses.
Targeting Malicious Software Libraries
Open-source libraries have accelerated the speed of software development and innovation. In fact, it has been estimated that up to 90% of code is open-source. While this code reuse aids the development process, it also means that one tiny flaw in a widely used library is replicated into every application that bundles it, so a single defect can cause widespread damage.
Over the years, researchers have noticed a rise in malicious libraries and packages published to development ecosystems such as the npm registry. Attackers focus on inserting malicious content into these packages, including code that runs at install time to steal credentials or compromise the application that depends on it, because a single poisoned package gives them the biggest bang for their breach buck.
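Three of the red flags described above can be checked mechanically before a build ever runs: packages that execute a lifecycle script at install time, packages fetched from somewhere other than the registry, and registry tarballs that carry no integrity hash. The following audit is an added example written for this article, not code from the original page or from any vendor; the lockfile it inspects is constructed, its package names are made up, and the `hasInstallScript`, `resolved` and `integrity` fields are the ones npm writes into a version 2 or 3 `package-lock.json`. The only assumption is that `registry.npmjs.org` is the sole trusted tarball source.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) for supply-chain red flags.

Added example, not code from the original article. The lockfile below is
constructed for this demonstration and the package names are made up.
"""
import json
from urllib.parse import urlparse

# Assumption: only the public npm registry is a trusted tarball source.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed lockfile: one clean package, one with an install hook,
# one pulled from git, one registry tarball without an integrity hash.
EXAMPLE_LOCKFILE = r"""
{
  "name": "demo-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/alpha-utils": {
      "version": "4.2.1",
      "resolved": "https://registry.npmjs.org/alpha-utils/-/alpha-utils-4.2.1.tgz",
      "integrity": "sha512-CONSTRUCTEDHASHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
    },
    "node_modules/beta-native": {
      "version": "0.0.7",
      "resolved": "https://registry.npmjs.org/beta-native/-/beta-native-0.0.7.tgz",
      "integrity": "sha512-CONSTRUCTEDHASHBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==",
      "hasInstallScript": true
    },
    "node_modules/gamma-internal": {
      "version": "2.1.0",
      "resolved": "git+https://github.com/example-org/gamma-internal.git#0123abcd"
    },
    "node_modules/alpha-utils/node_modules/delta-old": {
      "version": "0.1.0",
      "resolved": "https://registry.npmjs.org/delta-old/-/delta-old-0.1.0.tgz"
    }
  }
}
"""


def package_name(path: str) -> str:
    """Map a lockfile path to the package name: 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text: str) -> list[dict]:
    """Return one finding per red flag as {package, version, code, detail}."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 2 or 3 required (the flat 'packages' map)")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project entry or a workspace symlink
        name, version = package_name(path), meta.get("version")
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname if resolved else None
        hits = []
        if meta.get("hasInstallScript"):
            hits.append(("install-script", "runs a preinstall/install/postinstall script during 'npm install'"))
        if not resolved:
            hits.append(("no-source", "no 'resolved' URL, so the origin cannot be verified"))
        elif host not in TRUSTED_REGISTRY_HOSTS:
            hits.append(("non-registry-source", f"fetched from {resolved}"))
        elif "integrity" not in meta:
            hits.append(("missing-integrity", "registry tarball has no integrity hash; contents are unverified"))
        for code, detail in hits:
            findings.append({"package": name, "version": version, "code": code, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(EXAMPLE_LOCKFILE):
        print(f"{f['code']:20} {f['package']}@{f['version']}: {f['detail']}")
```

Run it as a pre-merge check on the committed lockfile and treat any new `install-script` or `non-registry-source` finding as something a human must approve; `npm install --ignore-scripts` in CI closes the install-time execution path entirely, at the cost of breaking packages that genuinely need a build step.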
API Exploitation: A Growing Attack Vector
API exploitation is on the rise, and these attacks are often part and parcel of supply chain attacks. The DBIR highlights that APIs are increasingly used as entry points, especially APIs protected only by weak or reused credentials. The more interconnected our systems are, the greater the risk. APIs are part of the ever-expanding attack surface, and threat actors have taken note while defenders continue to play catch-up.
Access Controls are No Exception
Without access, no compromise can occur, software-related or otherwise. It's no surprise, then, that attackers use malware to steal credentials stored or cached in compromised software environments. In some cases, organizations make it easy for adversaries by storing credentials unencrypted in configuration files and environment variables, sharing passwords and secrets across services, and over-provisioning privileges. Locking down access controls, insisting on multi-factor authentication (MFA), and applying zero-trust principles to identity and access management are the best ways to shut entry points before attackers waltz through.
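Two of the failures listed above, plaintext credentials in configuration and the same secret shared between services, can be found with a simple scan of the config files that ship with each service. The scanner below is an added example written for this article, not code from the original page or from any product. Both configuration files are constructed, and the key names, values and file names are made up. It reports secrets by a truncated hash rather than by value so that the report itself does not become another plaintext copy.

```python
"""Find plaintext and shared credentials in service configuration files.

Added example, not code from the original article. The two config files
below are constructed; their keys, values and file names are made up.
"""
import hashlib
import re

SECRET_WORDS = ("password", "passwd", "pwd", "secret", "token", "api_key", "apikey", "private_key")
# Values that point at a secret manager or the environment are references, not plaintext.
REFERENCE_PREFIXES = ("${", "{{", "vault:", "op://", "arn:", "<")
COMMON_VALUES = {"changeme", "password", "admin", "secret", "123456", "welcome1"}
# KEY=value, KEY: value, export KEY=value, with optional quotes; stops at whitespace or '#'.
ASSIGNMENT = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_][\w.-]*)\s*[:=]\s*['"]?([^'"\s#]+)""")

# Constructed samples: two services that share one database password.
CONSTRUCTED_FILES = {
    "billing.env": """
# constructed sample: billing service
DB_HOST=db.internal
DB_PASSWORD=Summer2024!
PAYMENT_API_KEY=k7Qe2xH9vLp0RzWm3NcYt8Ua
LOG_LEVEL=info
""",
    "reporting.yaml": """
# constructed sample: reporting service
db_password: "Summer2024!"
smtp_token: ${VAULT_SMTP_TOKEN}
report_bucket: reports-prod
""",
}


def is_secret_key(key: str) -> bool:
    k = key.lower().replace("-", "_")
    return any(w in k for w in SECRET_WORDS)


def fingerprint(value: str) -> str:
    """Stable, non-reversible handle so reports never echo the secret itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_config(source: str, text: str) -> list[dict]:
    """Return one finding per plaintext credential found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if not is_secret_key(key) or value.startswith(REFERENCE_PREFIXES):
            continue
        reasons = ["plaintext-credential"]
        if len(value) < 12 or value.lower() in COMMON_VALUES:
            reasons.append("weak-value")
        findings.append({"source": source, "line": lineno, "key": key,
                         "fingerprint": fingerprint(value), "reasons": reasons})
    return findings


def find_shared_secrets(findings: list[dict]) -> dict[str, set[str]]:
    """Map fingerprint -> sources for every secret that appears in more than one file."""
    by_fp: dict[str, set[str]] = {}
    for f in findings:
        by_fp.setdefault(f["fingerprint"], set()).add(f["source"])
    return {fp: srcs for fp, srcs in by_fp.items() if len(srcs) > 1}


if __name__ == "__main__":
    found = [f for name, text in CONSTRUCTED_FILES.items() for f in scan_config(name, text)]
    for f in found:
        print(f"{f['source']}:{f['line']} {f['key']} [{f['fingerprint']}] {', '.join(f['reasons'])}")
    for fp, sources in find_shared_secrets(found).items():
        print(f"secret {fp} is shared by {sorted(sources)}")
```

A shared fingerprint is the actionable signal: one leaked service config then unlocks every other service that reuses the value, which is exactly the lateral movement path the text describes. Replace each plaintext value with a reference to a secret manager (the `${VAULT_SMTP_TOKEN}` line is skipped for that reason) and issue a distinct credential per service.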
Recommendations
Now that we know the problems contributing to software supply chain insecurity, here are the top recommendations for ensuring that your software supply chain is more resilient.
Implement Rigorous Software Vulnerability Management
Organizations must establish a robust vulnerability management program that includes continuous monitoring and rapid response to newly discovered vulnerabilities. Over the years, we’ve been shown time and time again that poor patching practices lead to devastating breaches. It’s critically important to identify the most business-impacting vulnerabilities and regularly update/patch software components. Especially when it comes to open-source libraries, AppSec teams must focus on minimizing the risk of exploitation.
Automated tools with a proven ability to prioritize high-risk vulnerabilities are mandatory, because no security team can manually comb through the volume of alerts produced every day. Incorporating applicability (is the affected version actually installed?), exploitability (is the flaw being exploited in the wild, and how severe is it?), and reachability (does the application ever call the vulnerable code?) into vulnerability assessments removes irrelevant alerts from the process and demonstrably drives down risk.
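The three filters named above can be combined into a single ranking pass. The prioritizer below is an added example written for this article; it is not code from the original page and not any vendor's scoring method. The SBOM, advisory list, and reachability data are all constructed, the advisory identifiers are made up and are not real CVEs, and the call-graph input is assumed to have been produced separately (for instance by a static analysis of which library functions the application imports and calls). Version ranges use a simple `>=1.2.0,<1.4.0` clause syntax rather than any particular ecosystem's range grammar.

```python
"""Rank dependency vulnerabilities by applicability, exploitability and reachability.

Added example, not code from the original article and not a vendor's scoring
method. The SBOM, advisories and call graph below are constructed; the
advisory IDs are made up and are not real CVEs.
"""
import operator
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str
    affected: str               # version range, e.g. ">=1.2.0,<1.4.0"
    cvss: float
    known_exploited: bool       # e.g. listed in an exploited-in-the-wild catalog
    affected_symbols: frozenset  # functions that contain the flaw


def parse_version(v: str) -> tuple:
    """'1.3' -> (1, 3, 0). Pre-release suffixes after '-' are ignored (assumption)."""
    parts = [int(p) for p in v.split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        ">": operator.gt, "<": operator.lt}


def version_in_range(version: str, spec: str) -> bool:
    """Every comma-separated clause must hold, e.g. '>=1.2.0,<1.4.0'."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):  # two-character operators first
            if clause.startswith(op):
                if not _OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def prioritize(sbom: dict, advisories: list, reachable_symbols: dict) -> list:
    """sbom: component -> installed version; reachable_symbols: component -> symbols the app calls."""
    ranked = []
    for adv in advisories:
        installed = sbom.get(adv.component)
        if installed is None or not version_in_range(installed, adv.affected):
            continue  # not applicable: component absent or installed version outside the range
        reachable = bool(adv.affected_symbols & reachable_symbols.get(adv.component, set()))
        if reachable and adv.known_exploited:
            tier = "P1-fix-now"
        elif reachable and adv.cvss >= 7.0:
            tier = "P2-this-sprint"
        elif reachable:
            tier = "P3-scheduled"
        else:
            tier = "deferred-unreachable"  # still worth upgrading, but not an incident
        ranked.append({"id": adv.id, "component": adv.component, "version": installed,
                       "cvss": adv.cvss, "reachable": reachable, "tier": tier})
    order = {"P1-fix-now": 0, "P2-this-sprint": 1, "P3-scheduled": 2, "deferred-unreachable": 3}
    ranked.sort(key=lambda r: (order[r["tier"]], -r["cvss"]))
    return ranked


# Constructed inputs: installed versions, advisories, and the symbols the app actually calls.
SBOM = {"libalpha": "1.3.2", "libbeta": "2.0.0", "libgamma": "0.9.1"}
ADVISORIES = [
    Advisory("ADV-C-0001", "libalpha", ">=1.2.0,<1.4.0", 9.8, True, frozenset({"alpha.parse"})),
    Advisory("ADV-C-0002", "libalpha", ">=1.0.0,<1.3.0", 7.5, False, frozenset({"alpha.render"})),
    Advisory("ADV-C-0003", "libbeta", ">=2.0.0,<2.1.0", 8.1, False, frozenset({"beta.render_template"})),
    Advisory("ADV-C-0004", "libgamma", "<1.0.0", 5.3, False, frozenset({"gamma.load"})),
]
REACHABLE = {"libalpha": {"alpha.parse", "alpha.dump"}, "libbeta": {"beta.escape"}, "libgamma": {"gamma.load"}}

if __name__ == "__main__":
    for r in prioritize(SBOM, ADVISORIES, REACHABLE):
        print(f"{r['tier']:22} {r['id']} {r['component']}@{r['version']} cvss={r['cvss']} reachable={r['reachable']}")
```

Note what the ranking does with the constructed inputs: the CVSS 7.5 advisory disappears entirely because the installed version is outside its range, the CVSS 8.1 advisory drops to the bottom because the application never calls the vulnerable function, and the CVSS 5.3 issue outranks it because it is reachable. Raw severity alone would have ordered the list almost exactly backwards.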
Incorporate Automated Workflows
Automating security actions can greatly improve efficiency and reduce the human error that creeps in when managing the vastness of the software supply chain. By incorporating automated workflows, organizations can streamline vulnerability assessments, remediation processes, and compliance checks across their development and deployment environments. Automation allows AppSec teams and development professionals to focus on higher-priority issues by letting technology consistently execute routine tasks. Further, automating rote tasks makes them repeatable and consistent, improving overall security posture while keeping software delivery on schedule.
Adopt Application Security Posture Management (ASPM) Tools
Implementing Application Security Posture Management (ASPM) tools significantly enhances an organization’s ability to manage and secure its software supply chain. ASPM provides continuous visibility into application security across the software development lifecycle, allowing DevOps and AppSec teams to identify vulnerabilities and risks early in the development process, and prevent issues from reaching production where they can become trickier to fix and costlier to remediate.
ASPM should seamlessly connect to existing development pipelines and CI/CD tools, giving organizations the ability to continuously assess the security posture of their applications (including third-party components, dependencies, and environmental aspects). By embedding security checks and balances directly into the development process, ASPM provides both a stronger security posture and the freedom developers need to deploy feature-rich applications.
Conclusion
As businesses navigate the complexities of the evolving software supply chain landscape, it’s clear that software supply chain security must be prioritized. The increasing interconnectivity of software and systems presents a broad attack surface that cybercriminals are eager to exploit. The lessons learned from high-profile incidents like the SolarWinds breach serve as reminders of the potential repercussions when vulnerabilities are left unaddressed.
By prioritizing software resilience, AppSec teams can better mitigate risks throughout the SDLC and safeguard their operations. Embracing proactive security measures, including ASPM, will not only protect individual organizations but will also strengthen the entire supply chain.
Try OX for free!