Supply-chain attacks have been exposed to the real world in a number of instances, including when Russian cybercriminals compromised SolarWinds to infect its downstream users, such as Kaseya’s MSP software, which was used to encrypt thousands of companies worldwide, and when malware infected npm modules were used to remotely execute commands. In May 2021, President Biden signed an executive order to update U.S. defences against future cyberattacks, following the SolarWinds supply-chain breach, which led to the compromise of several U.S. government agencies.
In October 2021, Microsoft published a report showing that the global I.T. supply chain was a favourite target for the Russian-backed Nobelium hacking group. According to the report, after hacking SolarWinds and breaching at least 14 managed service providers (MSPs) and cloud service providers, the group continued to target 140 victims since May 2021.
To strengthen supply-chain security NSA, CISA, and the Office of the Director of National Intelligence (ODNI) published a new report in which they share the three most important best practices applicable for all software publisher and vendors.
Prepare the organization with Policies & Procedures
The cybersecurity governance must be defined with policies and procedures. Those document establish the checks required to securely deliver the software to customers. The documentation must be accessible to anyone in the organization. It must be known by any person involved in the Software Development Life Cycle (SDLC).
It must include the notification of customer in case of vulnerabilities, the mitigation options and the End-of-life support. The objectives of a secure SDLC and software delivery system is to safeguard the software code, the provenance, the integrity and the resilience to compromise of the software supply chain. Industry Standards such as the NIST 800-218 (“Recommendations for Mitigating the Risk of Software Vulnerabilities”) helps to benchmark its maturity.
Secure Coding Best Practices are key to ensure that code is delivered to customer with all the security features and control mechanisms by design. This imply to hunt for any functionality that may allow unauthorized access, or information tampering. Security backdoor or hard-coded password or API key for example are a no-no.
Also, software suppliers must provide a mechanism to verify the software release integrity with digital signature. Signed software code enables the recipients to positively verify and trust that the software or the update has not been modified by an attacker.
Finally, the organization must have an archive system and strategy. They specify major and minor releases. This is very helpful in case of disaster recovery, urgent rollback or forensic investigation after a cyber attack or a contract litigation.
Producing well secure code an mitigation the risks by design are key objectives in delivering the software product. It allows the customer to prevent unauthorized access and information stealing.
Vulnerability Discovery and Disclosure
Software suppliers must deploy every effort to ensure that publicly known or easily identified vulnerability are not present in the product. The organization must regularly test the software with code audit or penetration testing. It helps to prevent pushing compromised software or updates to the customer.
Customer have strong interest in receiving vulnerability advisory and transparent communication about the security efforts of the suppliers. It helps building a transparent and trustful relationship. Failure to perform those activities may hindered the trust and directly impact the organization business performance.
Supply chain software vulnerabilities are a significant risk to organizations. In this series, we describe how to improve the security of production, distribution, and management processes for software supply chains. In order to mitigate the risk of a supply chain compromise, organizations should establish security best practices throughout the lifecycle. The organization’s role at different points in the supply chain determines the nature and extent of its responsibility.