The software supply chain includes:
Data Distribution Service (DDS)
DDS is a machine-to-machine technology used as publish-subscribe middleware in real-time and embedded systems. Maintained by the Object Management Group (OMG), DDS provides the reliable communication layer between sensors, controllers, and actuators. It sits at the very start of the chain, where it is easy to lose sight of, and that makes it an attractive target for malicious actors.
In January 2022, Trend Micro Research, TXOne Networks, and Trend Micro™ Zero Day Initiative™ (ZDI), in collaboration with ADLINK Labs and Alias Robotics, published an entry detailing 13 new vulnerabilities in the six most common DDS implementations. They found that these bugs could affect not only DDS itself but also the systems built on top of it.
DDS vulnerabilities fall into two groups: those in the network layer (the handling of DDS traffic on the wire) and those at the configuration level (the files that define a DDS deployment). Network-layer flaws can be exploited for denial-of-service (DoS), spoofing, and automated collection of the data flowing over the bus. Configuration-level flaws do not need network access to the running system; they can be used to target the developers and integrators who build DDS systems, for example through a maliciously crafted configuration file.
Open source components
Developers often pull open source code from public repositories such as GitHub for everyday components. Why spend valuable time writing code to move a message from one field to another when someone else has already done it? That convenience is why an estimated 90% of modern applications leverage open source code.
However, many organizations lack insight into their open source dependencies, including the transitive ones pulled in by other libraries. That blind spot is what made the Apache Log4j incident so damaging. In December 2021, a critical flaw (CVE-2021-44228, "Log4Shell") was disclosed in the widely used Log4j logging framework: the library resolved JNDI lookups embedded in log messages, so an attacker could execute arbitrary code on a vulnerable system simply by getting it to log a crafted string. The exposure was enormous; the FDA noted that Java, the platform Log4j runs on, is used on an estimated three billion devices, many of them medical devices.
System management tools
Version control systems track source changes, and build and release pipelines manage the actual release and deployment processes. Once in production, third-party hosting and open source platforms run the application. While the system is running, automated operations tools handle the routine business of maintaining service levels, starting and stopping scheduled activities, and synchronizing updates. A suite of systems management tools makes sure that production runs smoothly and resources are optimized. Each of these tools is itself software that ships updates to the systems it manages, so a compromise of the tool becomes a compromise of everything it touches.
Kaseya VSA, a popular IT management product, was hit with a REvil ransomware attack in July 2021. The attackers exploited a zero-day authentication bypass in the VSA server and abused the product's own agent update mechanism to distribute a malicious payload to the hosts managed by the software. The damage from the widespread attack extended well beyond the virtual world: the Swedish supermarket chain Coop was forced to close roughly 800 stores for almost a week.
Developers also buy commercial software products for things like updating a database, templating a web page, testing, and so on. These products can themselves carry vulnerabilities, as Ripple20 showed: a series of 19 zero-day vulnerabilities, disclosed by JSOF in 2020, in a widely used low-level TCP/IP software library developed by Treck, Inc.
The impact of Ripple20 was magnified by the supply chain, demonstrating how a single vulnerable component can ripple outward to affect a wide range of industries, applications, and companies, including Fortune 500 multinational corporations. JSOF reported that the dissemination of the library led to hundreds of millions of devices being impacted, many of whose owners had no idea the Treck stack was inside them.
How to improve software supply chain security
Evidently, the software supply chain can be exploited at multiple points, which makes securing it increasingly complex. To help organizations reduce supply chain security risk, CISA recommends six key steps:
- Identify: Determine who needs to be involved
- Manage: Develop your supply chain security policies and procedures based on industry standards and best practices, such as those published by NIST
- Assess: Understand your hardware, software, and services that you procure
- Know: Map your supply chain to better understand which components you procure, and from whom
- Verify: Determine how your organization will assess the security culture of suppliers
- Evaluate: Establish timeframes and systems for checking supply chain practices against guidelines
Furthermore, consider adding a software asset management tool to get a handle on what is installed, and to automate generating and maintaining a software bill of materials (SBOM) for each application. An SBOM is what lets you answer "where do we run this component, and at which version?" within hours rather than weeks when the next Log4j-class disclosure lands.
Lastly, choose a vendor with a unified cybersecurity platform that supports broad third-party integrations, giving you oversight across the software supply chain from a single dashboard. Security capabilities such as software composition analysis (SCA), automation, continuous monitoring, and deep data collection and correlation are also vital to enabling faster detection, response, and remediation of affected supply chain components.
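To make the SBOM point above concrete, and to show the transitive-dependency blind spot described in the Log4j section, here is an added example (not code from the original article or from any vendor) that scans a CycloneDX JSON SBOM for known-vulnerable components and reports the dependency path that pulls each one in. The SBOM and the application in it are constructed for illustration; the advisory table is a simplified subset of the Log4j 2 main-line fixes and ignores the 2.3.x and 2.12.x backport branches.

```python
"""Scan a CycloneDX SBOM for known-vulnerable components and report the
dependency path that explains why each one is present.

Added example for this article. The SBOM below is constructed, not from a
real project; the advisory table is a simplified subset of the Log4j 2
main-line fixes (2.3.x and 2.12.x backport branches are ignored).
"""
import json
import re
from collections import deque

# Constructed CycloneDX 1.4 SBOM: the application never declares log4j
# directly but inherits log4j-core 2.14.1 through a starter dependency.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"bom-ref": "app", "type": "application",
                  "name": "orders-service", "version": "1.0.0"}
  },
  "components": [
    {"bom-ref": "starter", "type": "library",
     "group": "org.springframework.boot", "name": "spring-boot-starter-log4j2",
     "version": "2.5.6",
     "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-log4j2@2.5.6"},
    {"bom-ref": "log4j-core", "type": "library",
     "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"bom-ref": "log4j-api", "type": "library",
     "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"bom-ref": "jackson", "type": "library",
     "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["starter", "jackson"]},
    {"ref": "starter", "dependsOn": ["log4j-core", "log4j-api"]},
    {"ref": "log4j-core", "dependsOn": ["log4j-api"]}
  ]
}
"""

# (purl type, namespace/name) -> [(first_affected, fixed_in, advisory)].
# A component is flagged when first_affected <= version < fixed_in.
ADVISORIES = {
    ("maven", "org.apache.logging.log4j/log4j-core"): [
        ("2.0-beta9", "2.15.0", "CVE-2021-44228"),  # JNDI lookup RCE (Log4Shell)
        ("2.0-beta9", "2.16.0", "CVE-2021-45046"),
        ("2.0-beta9", "2.17.0", "CVE-2021-45105"),
        ("2.0-beta9", "2.17.1", "CVE-2021-44832"),
    ],
}

_PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<path>[^@?#]+)@(?P<version>[^?#]+)")
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?$")


def parse_purl(purl):
    """Split 'pkg:maven/group/name@version' into (type, 'group/name', version)."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.group("type"), m.group("path"), m.group("version")


def version_key(v):
    """Sort key: numeric core padded to three parts; a pre-release tag such as
    'beta9' sorts before the final release with the same core."""
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    core = [int(x) for x in m.group(1).split(".")]
    core += [0] * (3 - len(core))
    pre = m.group(2)
    return (tuple(core[:3]), 1 if pre is None else 0, pre or "")


def is_affected(version, first_affected, fixed_in):
    k = version_key(version)
    return version_key(first_affected) <= k < version_key(fixed_in)


def dependency_paths(sbom):
    """BFS from the root component; returns {bom-ref: [root, ..., bom-ref]}."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for child in edges.get(cur, []):
            if child not in paths:  # keep the shortest path to each ref
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths


def find_vulnerable(sbom, advisories=ADVISORIES):
    """One finding per (component, advisory) match, with the dependency path."""
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        if "purl" not in comp:
            continue
        ptype, path, version = parse_purl(comp["purl"])
        for first, fixed, advisory in advisories.get((ptype, path), []):
            if is_affected(version, first, fixed):
                findings.append({
                    "purl": comp["purl"], "advisory": advisory, "fixed_in": fixed,
                    "path": paths.get(comp["bom-ref"], [comp["bom-ref"]]),
                })
    return findings


def scan(sbom_json=SBOM_JSON):
    return find_vulnerable(json.loads(sbom_json))


if __name__ == "__main__":
    for f in scan():
        print(f"{f['advisory']}: {f['purl']} (fixed in {f['fixed_in']}) "
              f"via {' -> '.join(f['path'])}")
```

The output names the starter dependency, not the application's own manifest, as the reason log4j-core 2.14.1 is present; that path is exactly what a team without an SBOM has to reconstruct by hand during an incident. In practice the advisory table would come from a vulnerability feed rather than be hard-coded, and the SBOM would be produced by your build tooling for every release.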
For more information on cyber risk management and mitigation, check out the following resources: