The SolarWinds and Colonial Pipeline security breaches are two (of many) incidents that have made supply chain attacks go mainstream. The primary challenge for businesses is that supply chain defence isn’t easy given the hundreds, if not thousands of entry points that need to be monitored along the way. But there are best practices that can help reduce the risk of supply chain attacks when coupled with a well-planned strategy for working with suppliers and vendors.
Taking the broad view of supply chains
A supply chain encompasses a broad range of relationships – it’s not just what we normally think of as getting physical goods or components from A to B. Every company has a supply chain even if it may not carry that label, because it includes all the partnership and business relationships a company might have. In fact, a supply chain can refer to any product (software or hardware) and services that are used to develop a company’s own product or service. It is important to ensure that a partner’s systems and those that have access to the network, are properly secured to reduce the risk of compromises and outages.
When we talk about software as part of the supply chain, that could mean a software development team working with third parties who submit code to a client’s system. It could also mean buying IT products or code from third party sources that are integrated into the code base.
Once companies understand the “big picture” of their supply chain, they can set targeted supply chain security goals: assure that every product coming in – software they buy and use, code that someone else has developed, or services used – is secure and following good security practices.
Whether organisations use code that’s been developed by internal teams or from external sources, it’s important to make sure the code management process is validated. It’s especially important when working with sources outside the enterprise to keep signing keys and certificates securely to ensure authenticity.
Here are three key questions that suppliers should be able to answer about managing source code and software products (spoiler: the answer to all three should be “yes”). Vetting these answers carefully will help ensure source code will not create a vulnerability once it’s deployed.
- Is there a source code management system (SCM) in place? A proper SCM will make sure code versions are properly managed and that every person who signs into the system is authenticated with the appropriate permissions. An SCM will timestamp code and log its movements so that it cannot be maliciously manipulated at any point without detection. The SCM must be well managed, to establish a chain of custody to create a sense of trust for the code.
- Are code commits and code properly signed? Signing should be used to protect all types of software modules and executables, including software drivers, applications, installation files, scripts and firmware modules in vehicles or industrial systems. Code signing and code commit signing should be a required capability of an SCM system. Once a system is in place, they should ensure that all developers are properly set up to sign their code commits. Here is a quick tutorial on how this works in Github.
- Is there a software “bill-of-materials” (SBOM) that identifies components and where they came from? In a time when developers are very busy and there is so much open-source code available, it is critical to know where your code is coming from. Not all open-source code is created equal and attackers have taken advantage of known vulnerabilities. If open-source code is being used, it should be disclosed. Identifying open-source components will allow companies to quickly address any vulnerabilities that may arise in the future, whether that is code they manage or from purchased software. Given that this is such a concern, in the US there are new government software development requirements focusing specifically on SBOM to reduce security risk.
Providing detailed answers to most of the questions above already gives organisations a head start on preparing to meet new secure software supply chain guidelines. Providing more visibility into what components are being used and how code is securely managed will improve overall security and increase the level of trust with users.
Phishing-resistant Multi Factor Authentication (MFA) and signing code commits are important security controls to improve organisation’s supply chain security posture and meet compliance needs. High profile security breaches and incidents like SolarWinds and the Colonial Pipeline hack were a wake-up call for the U.S. government last year. Subsequently, in May 2021 President Biden released an executive order mandating all U.S. government agencies to implement MFA within 180 days. Then, in September 2021 the U.S. government issued its Draft Zero Trust Strategy, which requires Federal agencies to only use MFA that is phishing resistant. Moves like these are setting a precedent for the world and ultimately highlight the significance of incorporating MFA technologies and Zero Trust strategies to prevent future attacks and protect the complex supply chains all organisations rely on to survive and thrive.
Alex Wilson, Director Solutions Engineering - Asia Pacific & Japan (APJ) at Yubico