Securing the Supply Chain – Maintaining Software and Data Integrity

Eric Sheridan

There’s no denying it anymore – the implications of an insecure software supply chain are massive. Breaches associated with the software supply chain have risen 297% [1], a clear indication that it’s a major target of today’s hackers. It seems like the Equifax data breach stemming from the use of a vulnerable 3rd party library was eons ago [2].

Since then:

  • SolarWinds’ software update mechanism was breached to deliver malware to major private and federal institutions [3].
  • Minecraft, along with millions of other Java apps, was affected by Log4Shell, an attack exploiting the use of a vulnerable 3rd party library [4].
  • VMware’s Spring Core Java framework suffered from a vulnerability dubbed Spring4Shell that affected 70% of all Java applications [5].
  • Amazon Web Services, along with many other Fortune 500 companies and developers around the world, had their development come to a halt because of “protestware” introduced within 3rd party components [6][7].
  • … and, why the heck not, Comcast TV remotes could be turned into spying devices as a result of insecure firmware updates [8].

With a massive influx of malicious 3rd party components (both proprietary and open source), the adoption of advanced and complex build infrastructures, and the pressure to release faster than ever before, the vulnerabilities just keep piling up.

Securing the software supply chain requires focus on an almost overwhelming number of disparate risks… and it is hard! Who wrote that piece of code? Where did that component come from? Is the thing we built in our CI/CD pipeline the same thing that was released to our customers? And how can our customers verify this before consumption?
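The last two questions above (is what we shipped the same thing the pipeline built, and how can a customer check that before consuming it?) come down to an integrity check on the released artifacts. The following is an added example, not code from the original post or from the course it describes: the build step emits a sha256sum-style manifest of every artifact, and the consumer recomputes the digests before use and reports anything modified, missing, or delivered without being listed. The artifact names, contents, and digests are constructed for the demo.

```python
"""Verify that a delivered release matches what the build pipeline produced.

Added example, not from the original post. The build emits a manifest in the
`<hex digest>  <filename>` form that `sha256sum` uses; the consumer recomputes
every digest before using the files. All artifacts below are constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed artifacts, exactly as the build pipeline produced them.
BUILT_ARTIFACTS: Dict[str, bytes] = {
    "app-1.4.2.tar.gz": b"release tarball bytes (constructed for the demo)",
    "app-1.4.2.sbom.json": b'{"components": ["liba 1.0", "libb 2.3"]}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> str:
    """Build step: one `digest  name` line per artifact, sorted for reproducibility."""
    lines = [f"{sha256_hex(content)}  {name}" for name, content in sorted(artifacts.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines; reject malformed or duplicate entries."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # sha256sum separates digest and name with whitespace
        if len(parts) != 2 or len(parts[0]) != 64 or not all(c in "0123456789abcdefABCDEF" for c in parts[0]):
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):  # sha256sum's binary-mode marker
            name = name[1:]
        if name in expected:
            raise ValueError(f"duplicate manifest entry for {name!r} on line {lineno}")
        expected[name] = digest
    return expected


def verify_release(manifest: str, received: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Consumer step: compare every received file against the manifest.

    Returns (ok, findings). Findings are tagged MODIFIED, MISSING or UNLISTED so
    the three failure modes can be acted on separately.
    """
    expected = parse_manifest(manifest)
    findings: List[str] = []
    for name, digest in expected.items():
        if name not in received:
            findings.append(f"MISSING: {name} is listed in the manifest but was not delivered")
            continue
        actual = sha256_hex(received[name])
        if not hmac.compare_digest(actual, digest):
            findings.append(f"MODIFIED: {name} expected {digest[:12]}... got {actual[:12]}...")
    for name in received:
        if name not in expected:
            findings.append(f"UNLISTED: {name} was delivered but is absent from the manifest")
    return (not findings, findings)


if __name__ == "__main__":
    manifest = build_manifest(BUILT_ARTIFACTS)
    print(manifest)
    # Simulate a release where the tarball was swapped after the build.
    delivered = dict(BUILT_ARTIFACTS)
    delivered["app-1.4.2.tar.gz"] = b"something other than what the pipeline built"
    ok, findings = verify_release(manifest, delivered)
    print("verified" if ok else "FAILED")
    for f in findings:
        print(" ", f)
```

The manifest only answers the question if the consumer obtains it through a channel the attacker of the download path does not control (for example, signed by a key published separately, or fetched from a different host than the artifacts); a digest file served next to a replaced artifact can be replaced along with it, so in practice the manifest is signed and the signature is checked before the digests are.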

Software Supply Chain Security

Software supply chain security is a discipline within application security emphasizing the authenticity and integrity of everyone and everything that goes into your software. While the topic is complex, we can make it easier by thinking in the context of the software development lifecycle; specifically, the development phase, where software is written; the build phase, where software is packaged; and the deployment phase, where software is released. This is exactly how we structured our recently released eLearning course, “Securing the Supply Chain: Maintaining Software and Data Integrity.” Thinking about supply chain security in this way leads to many interesting discussions and key takeaways, the summation of which we capture in the security control checklist at the end of our course.

Given all these breaches and the complexity of the topic itself, we need to make securing the supply chain a top priority! It is for this reason that we welcome you to join our upcoming webinar titled “Securing the Supply Chain Is Hard, but Don’t Give Up!” where guest presenter Eric Sheridan, Co-Founder and Managing Partner at Infrared Security, will provide insight into the following:

  • What is the “Software Supply Chain”?
  • Why must Software Supply Chain Security be taken seriously?
  • How do we reduce the risk of us suffering from a supply chain breach?

Karen Scarfone, Principal at Scarfone Cybersecurity, will join us to answer questions and discuss the recent Office of Management and Budget Directive on Enhancing the Security of the Software Supply Chain and how this will impact companies that sell to the Federal Government.

To request a full course demo/quote, or to sign up for the webinar, please use the form on this page.

Resources

[1] https://www.csoonline.com/article/3667279/unauthorized-access-jumped-4x-in-2021.html

[2] https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement

[3] https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

[4] https://help.minecraft.net/hc/en-us/articles/4416199399693-Security-Vulnerability-in-Minecraft-Java-Edition

[5] https://securityboulevard.com/2022/03/spring4shell-what-happened-whos-vulnerable-and-how-to-mitigate/

[6] https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps

[7] https://threatpost.com/dev-sabotages-popular-npm-package-protest-russian-invasion/178972

[8] https://www.techtarget.com/searchsecurity/news/252500965/Hackers-turn-Comcast-voice-remotes-into-eavesdropping-tool