A New Playground for Cybercrime: Why Supply Chain Security Must Cover Software Development

Most organisations see supply chains as providers of physical goods and services. The supply chain management function in these companies usually provides the governance framework to reduce third-party risks and prevent hackers from stealing data, disrupting daily operations and affecting business continuity. But there’s another crucial part of this ecosystem which some organisations may be overlooking: the software supply chain.

Software is the lifeblood of the modern enterprise, so it’s vital that IT security teams gain visibility and control of the code that flows through their organisation, before it becomes a major cyber risk.

Software is eating the world

It’s now eight years since Netscape co-founder and entrepreneur Marc Andreesen wrote the highly influential article Why Software is Eating the World. In the intervening time, digital transformation has, if anything, made application development even more important to business success. There aren’t many organisations on the planet today who aren’t using such capabilities to respond to ever-evolving customer demand for unfettered access to innovative services and products, across multiple devices.

Yet here’s where the problems start: to gain a competitive edge, developers will often use openly shared code and libraries to quickly embed functionality without having to re-invent the wheel. Unfortunately, security is too often an afterthought, with little or no consideration given to the potential threat of using these shared repositories.

Under the radar

The software supply chain therefore opens up a useful threat vector via which cyber-criminals can infiltrate organisations. These attacks are not actually a new phenomenon — in fact, they’ve been around for years. They usually involve compromise of the original software via malicious tampering of its source code, its update server, or in some cases, both. The intention is always the same: to get into the network or host of a targeted entity as quietly as possible.

Very rarely do organisations think about extending the secure supply chain framework to either in-house or external application software providers and developers. That leaves a potentially major gap in protection that the bad guys are primed to exploit.

The most common attack methods include the injection of malicious code into source code for native or interpreted/just-in-time compilation-based languages such as C/++, Java, and .NET. Earlier this year three malicious Python libraries were uploaded to the official Python Package Index (PyPI) containing a hidden backdoor which would activate when the libraries were installed on Linux systems.

The three packages — named libpeshnx, libpesh, and libari — were authored by the same user, and had been available for download from PyPI for almost 20 months before being discovered by security researchers from ReversingLabs.

Securing the software supply chain

The good news is that there are a few simple steps that can be taken to mitigate these risks and ensure clean software development and build environments.

Maintaining and cross-validating the integrity of source code and all compiler libraries and binaries are good starting points. The use of third-party libraries and code must be vetted and scanned for any malicious indicators prior to integration and deployment.

Proper network segmentation is also essential for separating critical assets in the build and distribution (update server) environments from the rest of the network. Also key is the enforcement of strict access controls, with multi-factor authentication (MFA) applied to any release build servers and endpoints. Of course, these steps do not excuse the developers themselves from the responsibility of continuously monitoring the security of their systems.

Teaming up for success

Trend Micro has had capabilities to secure containers for some time; via image scanning service Smart Check and runtime protection built into Deep Security. But we understand that teaming up with third-party security providers can also be useful for our customers. That’s why we recently announced a partnership with Snyk, a developer-first open source security vendor. This deal, over two years in the making, is the result of a technology-focused mutual respect between the two firms which will result in unrivaled end-to-end container security capabilities.

As part of the agreement, Trend Micro will identify vulnerabilities at build time with SmartCheck as well as providing shields in runtime via intrusion prevention (IPS) and network firewall capabilities. Meanwhile, Snyk will fix flaws at source through developer workflows, engagement, and automated remediation.

The result is that organisation’s software supply chains can be enhanced rather than hindered by security. Teams working flat out at secure continuous delivery will be able to provide a launchpad for digital success, rather than exposing the organisation to unnecessary extra cyber-related risk.

Read More HERE