In this blog post, we’ll discuss the four types of software supply chain threats businesses face. Use these 8 best practices in cyber supply chain risk management to help keep your business secure and avoid vulnerabilities.
The Four Types Of Threats Your Software Supply Chain Faces
There are many various supply chain cyber risks software-based businesses face today that can be categorized into four primary types: 1) cyber threats, 2) compliance, 3) financial impact, and 4) reputational. For each of these, we will provide preventative best practices later in the article, but for now, let’s dive into each supply chain threat and examine them more closely.
1 Cyber Threats
Most cybersecurity professionals would agree that cyber security supply chain breaches are a question of “when” and not “if” they will occur. Breaches can come from multiple vectors due to a wide variety of vulnerabilities in the software supply chain especially if best practices in supply chain risk management are not followed. Moreover, once threat actors are in, they very often move laterally throughout an organization. We have seen this happen in three highly publicized software supply chain cyber-attacks – SolarWinds, Log4J, and Codecov.
SolarWinds attackers inserted malicious code (SUNSPOT) using temporary file replacement techniques to attack software supply chain pipelines and development tools compromising the CI/CD infrastructure.
Log4J, the zero-day software supply chain vulnerability, allowed attackers to leverage remote code execution using logging dependencies, again compromising the CI/CD infrastructure.
Codecov showed that attackers could modify source code to infect, tamper, and reveal customer secrets using modified scripts leveraging compromised artifacts.
For a deeper dive into these three underlying risks, check out The 3 Riskiest Software Supply Chain Attack Patterns Common Across Frameworks. It’s also worth mentioning that there are many more software supply chain attacks than the three listed here. Legit Security is actively contributing to the open-source community, which is core to our mission to help protect software supply chains from attack.
2 Compliance
With the implementation of FedRAMP, President Joe Biden’s Executive Order 14028, NIST’s recently revised security guidance, along with many other emerging regulations proves that software supply chain security compliance is another major issue that must be addressed. Software security risks can present themselves in unexpected ways, so teams must remain aware of potential third-party vulnerabilities.
Compliance with security protocols and legal regulations like FedRAMP and SOC2 is not just mandatory for your internal organization – it very often also needs to be enforced outside your organization with all the vendors in your software supply chain. In these cases, demonstrating vendor compliance will keep your internal organization from facing fines and penalties.
Supplier non-compliance can lead to violations that you can also be implicated in, and a breach of compliance or violation can lead to penalties or fines for all parties, depending on the context of the violation. Maintaining a complete understanding of your vendors’ security practices is an important component of cybersecurity and supply chain risk management.
3 Financial Impact
Cyber threats to your supply chain do not just present a potential financial loss to your organization but can also deal a financial blow to your customers. Security vulnerabilities don’t just present operational and business disruption risks, they can also have long-lasting financial impacts on your business. This financial risk can vary greatly and range from small operational costs and inefficiencies to financial ruin for businesses.
Financial risks can manifest as real consequences in a couple of ways. Cyber-attacks can result in a longer-term business continuity crisis that prevents you from servicing your direct customers. Long term business disruptions can also greatly affect your suppliers and contractors, leading them to seek business elsewhere, go bankrupt, or otherwise leave you high and dry. Suppliers and contractors can also encounter their own software supply chain issues which can hamper your ability to continue to operate properly. Because of these potential scenarios, potential cyber threats to your supply chain should be consistently assessed and properly addressed and managed.
Adhering to cyber security best practices to manage supply chain vulnerabilities is an important responsibility that protects you and your customers and allows your business to deliver the most value and avoid potentially catastrophic scenarios. Software supply chain security risk management techniques can be used to minimize the negative financial impacts to your business. Organizations that follow software supply chain best security practices and leverage advice for securing their code and data for business continuity are more adept at mitigating direct and indirect financial impacts.
4 Reputational
Reputational threats are the most unpredictable type of risk posed to your business in terms of supply chain cyber security, in part because the concept of brand or reputation is ephemeral and more difficult to control and measure. Additionally, reputations can also become intertwined with other entities, such as when an organization chooses to work with suppliers that are themselves vulnerable to third-party software security risks. In this regard, damage to your suppliers’ reputation can convey the same reputational damage to your organization. Because reputation can be a nebulous component of your business to manage, it is that much more important to be extremely cautious when considering who you work with and how you manage a third-party presence in the software supply chain.
SolarWinds and Codecov are useful examples of reputational risk, where a vendor or supplier was compromised resulting in widespread downstream damage and corresponding reputational risk to their customers. Ultimately, your reputation relies on a few factors:
Your actions
Your track record
Your suppliers’ reputations
Suppliers’ reputations are critical to evaluate when initially onboarding providers and considering new suppliers. Considering reputation in your evaluation of a new vendor can help you mitigate potential software supply chain threats and bolster your broader cyber security strategy. Keep in mind that vendor/supplier software is not just the proprietary code the vendors create, but also the assortment of open-source tools and libraries they use when developing the software. With the widespread use of open-source tools and libraries, there are various weak spots in the SDLC that the open-source community hasn’t addressed yet, which means your suppliers need to enact their own adequate security controls for their usage.
8 Best Practices In Cyber Supply Chain Risk Management To Keep Your Business Safe
In 2021, NIST (National Institute of Standards and Technology) shared a report on best practices that can help keep you and your business safe by using their framework for cyber supply chain risk management or C-SCRM.
The 8 NIST supply chain best practices are:
Deploy Organization-Wide C-SCRM
Create a Formal C-SCRM Program
Monitor Your Critical Components & Suppliers
Get to Know Your Supply Chain
Focus on Collaboration with Key Suppliers
Make Suppliers Part of Resilience & Improvement Initiatives
Continually Assess/Monitor Supplier Relationships
Anticipate and Respond to Interruptions
Let’s dive into each best practice to manage the four major supply chain threats – Cyber Threats, Compliance, Financial Impact, and Reputational Risk.
1 – Deploy Organization-Wide C-SCRM
The first step in supply chain risk management is to deploy a framework and plan for your organization. Cyber Supply Chain Risk Management or C-SCRM is a multidisciplinary approach to managing cyber threats to your software supply chain. Established in 2021, NIST supply chain best practices provide companies, government agencies, and other organizations with a means to manage growing supply chain risks and protect them from threats.
On large development teams, it is easy for individual efforts to get separated and siloed from the bigger picture, which only increases potential threats to the software supply chain. Deploying organization-wide C-SCRM is the first best practice on our list because it is an essential management framework that helps facilitate and encourages a more collaborative approach to the software or product development process.
2 – Create A Formal C-SCRM Program
A formal C-SCRM program helps establish governance and ensures accountability when identifying, assessing, and mitigating risks to the software supply chain. Creating a robust program should establish governance policies along with processes and procedures. Creating and implementing these practices will increase visibility into software and product development, allowing for more transparency between teams while also strengthening risk management in your software supply chain.
Key elements to be included in a C-SCRM program include who is responsible for enforcing governance, which tools are permissible, the policies or procedures applied to the development lifecycle, and the internal processes for managing potential risk. Transparency and visibility in all phases of the development lifecycle reinforce best practices in software supply chain security and allows teams to mitigate software supply chain threats before they can harm the business. Organizations should approach the deployment of a C-SCRM program with a zero-trust mindset, anticipating and assuming that the code and application development process cannot be trusted by default and instead assuming it has already been breached.
3 – Monitor Your Critical Components & Suppliers
Oversight of your supply chain cyber threats through proper, ongoing, monitoring of critical components and suppliers helps secure the entire supply chain. As development teams grow larger and expectations set by the business increase accordingly, threats to the software supply chain increase as well. Continuous monitoring is often critical for mission-imperative functions, since if a breach or breakdown were to occur it would severely disrupt operations.
The identification of assets, systems, processes, suppliers, and data is critical in order to smoothly function 24x7x365. This will help your consistent understanding of third-party software security risks as well as any other risk to your software supply chain. Software supply chain critical management assets such as these should be monitored:
CI/CD pipelines
Repositories and their connections
Developer access to systems
Policies and compliance adherence (and violations)
Tool configuration and integrations
Automated SDLC inventory discovery; risk protection and remediation; and continuous scoring and compliance monitoring are all important features that software supply chain security companies like Legit Security have built into their platforms. Using platforms like these can help organizations monitor their critical components and suppliers as recommended by NIST for third-party risk management.
4 – Get To Know Your Supply Chain
Visibility into your software supply chain is crucial – especially the visibility and analysis of dependencies within your software supply chain. Threat actors leverage dependency vulnerabilities to gain access to the entire pipeline and compromise the integrity of the application or code. Dependencies and suppliers play a critical role in development, so it is important to understand who they are and their security posture to safeguard your own mission-critical components to increase the strength of your software supply chain risk management.
Organizations can manage software supply chain dependency vulnerabilities by:
Only working with reputable suppliers that have best practices in place to help manage risks
Requiring suppliers to include accurate defect rate tracking
Requiring suppliers to include root cause analysis methodology
Should a supplier encounter a breach, the impact on your business could be substantial, but the need for third party expertise in certain areas can be inevitable for large organizations… Therefore, whenever possible, have backup suppliers available to help minimize disruptions to your operations.
5 – Focus On Collaboration With Key Suppliers
Collaboration with suppliers is key and should be prioritized by organizations focused on software supply chain risk management. Forming a collaborative relationship with key suppliers can facilitate communication and information sharing by creating shared ecosystems.
Any opportunities to increase visibility between your team and third-party suppliers should be utilized to manage supply chain risk and protect your business while still getting the benefits of working with your vendors. While collaboration may not always be easy, having shared resources with those key suppliers may be the difference between catching a vulnerability early and before it becomes a problem, or finding out too late where significant damage has already been done.
People, process, and technology are at the heart of effective management and can enhance supply chain performance with proper communication, making it more secure and efficient. These efforts help your team adhere to best practices in supply chain security which strengthens your cyber security risk management. Effective collaboration can not only illuminate issues but highlight visibility gaps that help combat cyber threats to your supply chain.
6 – Make Suppliers Part Of Resilience & Improvement Initiatives
Organizations face cyber threats not just from their internal suppliers and collaborators. A broad range of external cybercriminals increasingly target businesses through their supply chain as an easier way to find weak points (e.g., SolarWinds, Kaseya, and Codecov). Supply chain vulnerabilities have become better known among cybercriminals as potential targets, and organizations must respond accordingly to reduce and eliminate these risks. To help combat threats, regulations such as FedRAMP and NIST, now specifically include new software supply chain security requirements to address these weak points.
Businesses of all sizes can have a security incident, which is why resiliency planning is an essential component to maintaining a healthy security posture and reducing your supply chain vulnerabilities. Including critical suppliers in your organization’s incident response or disaster recovery plan helps enhance resilience against broader industry ecosystem risks. Additionally, testing resiliency plans with critical suppliers and key stakeholders is essential to become better prepared when a real-life threat arises.
7 – Continually Assess/Monitor Supplier Relationships
Initial assessments of your suppliers and supply chain are only accurate for a brief period. Over time, these snapshots become obsolete as the software supply chain environment evolves and if you aren’t consistently evaluating your suppliers and supply chain for potential threats and vulnerabilities, your entire organization can potentially be at risk. Organizations should seek automated solutions to continuously identify risks and vulnerabilities in their supply chain as they are continuously changing and evolving.
Monitoring supplier relationships is an essential part of establishing a successful and ongoing supplier program. Organizations can minimize third-party software security risks with just a few monitoring best practices including:
Looking for or identifying any changes in supplier status
Validating that suppliers are meeting all legally binding requirements
Regularly re-evaluating supplier adherence to supply chain security best practices
Mitigating the potential risks identified
Instituting action plans to remediate those risks (as needed)
Implementing these best practices will increase efficiencies and reduce risk within your vendor relationships, and will further protect your software supply chain from risk.
8 – Anticipating And Responding To Interruptions
While no one can predict when an incident will occur, planning for unexpected interruptions is a must for all businesses in today’s cyber environment. Just a few examples of interruptions that businesses commonly face include ceased support for obsolete software, a change of supplier due to acquisition, and downstream supplier changes affecting your own supply chain production.
Cyber security supply chain threats are pervasive and ever-growing. Adhering to software supply chain security best practices is the best way to protect your team from third party risk as well as potential threats from cyber criminals. Effective supply chain risk management requires taking a proactive approach and establishing preventative action plans to respond to interruptions and prevent severe or critical business failures.
Take A Proactive Approach To Cyber Supply Chain Security To Keep Your Business Safe
Taking a proactive approach allows every business to mitigate the four main types of cyber threats to software supply chains. Using these NIST supply chain best practices, organizations can help mitigate continued risk in an ever-growing threat landscape. All organizations have some form of supply chain vulnerabilities that need to be recognized early and often so that teams can address them before they cause business critical issues.
What we have learned from recent incidents like SolarWinds, Log4J, and Codecov is that software supply chain attacks are pervasive and will continue to grow with increasing complexity, exacerbating the need for more robust and automated solutions that analyzes the entire CI/CD or software supply chain for risks and vulnerabilities.
Blog By : Priyanka Rana
Credit Source : Google