Demo of the CyCognito Platform

See the CyCognito platform in action to understand how it can help you identify, prioritize and eliminate your most critical risks. 

State of External Exposure Management, Summer 2024 Edition

Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024. 

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

 

What Is Software Supply Chain Security?

Software supply chain security refers to the practices and technologies employed to protect the entire lifecycle of software development, from initial design through to deployment and maintenance. It involves securing all the components, including third-party libraries, tools, and the infrastructure used. The goal is to prevent attackers from infiltrating and compromising the software, ensuring the integrity and reliability of software products.

The complexity of modern software development, with dependencies on various open-source and third-party components, has increased the importance of supply chain security. By ensuring that every element in the development pipeline is secure, organizations can mitigate the risk of potential vulnerabilities being exploited by malicious actors. This involves continuous monitoring, stringent access controls, and secure coding practices.

This is part of a series of articles about application security.

Top 5 Risks Facing the Software Supply Chain

1. Malicious Code Injection

Malicious code injection occurs when an attacker inserts code into the software during any phase of its lifecycle. This can be through compromised dependencies, tools, or even direct infiltration of development environments. Once the code is inserted, it can execute unwanted actions that potentially compromise the security of the entire system.

Preventing code injection involves rigorous reviews and robust security practices such as automated vulnerability scanning and version-controlled repositories. Developers must be cautious about the sources of their third-party dependencies and ensure that only trusted code is incorporated into the final product.

2. Insecure Open Source Components

Open-source components are widely used in software development due to their flexibility and cost efficiency. However, the use of insecure open-source components poses significant risks as vulnerabilities in these components can lead to larger system breaches. Attackers often exploit outdated or poorly maintained open-source libraries to gain unauthorized access.

To mitigate risks, regular audits of open-source components using tools like software composition analysis (SCA) are essential. Developers should maintain an updated inventory of all open-source libraries in use and apply patches or updates promptly. Utilizing tools for automated dependency checks can also help in identifying and addressing vulnerabilities in a timely manner.

3. Hard-Coded Secrets in Repositories

Hard-coded secrets, such as API keys and passwords, embedded in code repositories can be an easy target. If these secrets are exposed, they can provide unauthorized access to sensitive systems and data.

Developers should avoid hard-coding secrets and instead use environment variables or preferably, secure secret management tools. Implementing automated systems to scan for and remove exposed secrets in code repositories can also help enhance the security posture.

4. Vulnerable or Malicious Third-Party Libraries

Third-party libraries are integral to modern software development but can be a source of vulnerabilities if not properly vetted. These dependencies might contain flaws, or worse, be deliberately designed to infiltrate systems once incorporated into the software.

To address this risk, it's crucial to evaluate and continuously monitor third-party libraries for known vulnerabilities. Utilizing tools that provide alerts for vulnerabilities in dependencies, conducting regular security reviews, and enforcing strict policies for third-party code can help prevent potential security breaches.

5. Compromised Development Environments

A compromised development environment can serve as a backdoor to introduce malicious code or access sensitive data. This could happen through unsecured networks, lack of proper access controls, or unpatched software used in development.

Securing the development environment involves implementing strong access controls, regular updating and patching of software, and using isolated environments for different stages of development. Employing secure coding practices and regular security training for developers can also help mitigate these risks.

Related content: Read our guide to web application security.

Examples of Software Supply Chain Attacks

Polyfill.js Supply Chain Attack

In early 2024, the Polyfill.io service experienced a supply chain attack that had significant implications for its users. Polyfill.io is a widely used service that provides JavaScript polyfills for web applications, enabling them to work across different browsers by emulating modern JavaScript features in older environments.

The attack involved an unauthorized modification of the service, resulting in the distribution of compromised JavaScript files to numerous websites. The attackers exploited a vulnerability in the build process of Polyfill.io, allowing them to inject code into the polyfills delivered to end-users. This code was capable of collecting sensitive information, such as cookies and user data, which could then be transmitted to the attackers' servers.

MoveIT Transfer Vulnerability

In June 2023, a critical vulnerability was discovered in the MoveIT Transfer software, widely used for secure file transfers within organizations. This vulnerability, designated CVE-2023-34362, allowed attackers to perform unauthenticated SQL injection, leading to unauthorized access to the application's database.

Once exploited, it enabled remote code execution (RCE): attackers could exfiltrate sensitive data, manipulate records, and potentially gain further access to the network. The MoveIT Transfer vulnerability posed significant risks, especially for operational technology (OT) infrastructure, where secure and reliable data transfers are crucial. Attackers could disrupt critical operations, steal proprietary information, and cause financial and reputational damage.

Codecov Bash Uploader Attack

In April 2021, it was discovered that attackers had compromised the Bash Uploader script of Codecov, a tool widely used by developers to upload code coverage reports to Codecov’s servers. The attackers modified the script to exfiltrate sensitive information, such as environment variables, credentials, and API tokens, from users' continuous integration (CI) environments. This breach persisted undetected for over two months, affecting thousands of organizations that used the compromised script.

The Codecov incident demonstrated the significant risks posed by third-party tools and the potential for attackers to leverage them to gain access to sensitive information. The breach emphasized the need for developers to verify the integrity of third-party scripts, employ strict access controls, and monitor for unauthorized changes. Additionally, organizations were reminded of the importance of safeguarding sensitive information in CI environments and implementing robust incident detection and response mechanisms.

Log4Shell

The Log4Shell vulnerability, publicly disclosed in December 2021, affected the Apache Log4j 2 library, a ubiquitous open-source logging framework used by countless applications and services. The vulnerability, identified as CVE-2021-44228, allowed attackers to perform remote code execution (RCE) by exploiting how Log4j processes log messages. By simply sending a specially crafted log message, an attacker could take control of a system, execute arbitrary code, and potentially spread malware or exfiltrate data.

The severity of Log4Shell was compounded by Log4j's extensive use across industries, from cloud services to enterprise software. The vulnerability's ease of exploitation and the potential for severe consequences prompted a massive, rapid response from organizations worldwide to identify, patch, and mitigate affected systems. The Log4Shell incident highlighted the importance of proactive vulnerability management, timely patching practices, and comprehensive inventory tracking of software components.

Kaseya VSA Attack

In July 2021, the IT management company Kaseya faced a devastating ransomware attack targeting its Virtual System Administrator (VSA) software. The attackers, associated with the REvil ransomware group, exploited a zero-day vulnerability in the VSA product to distribute ransomware to Kaseya's customers and their clients, many of whom were managed service providers (MSPs). This cascading effect resulted in ransomware being deployed across numerous organizations, causing widespread disruption.

The Kaseya VSA attack underscored the potential for significant impact when a widely used service provider's software is compromised. The attackers demanded a $70 million ransom, one of the largest ever. The incident emphasized the need for robust security measures, such as regular vulnerability assessments, rapid patching protocols, and comprehensive backup and recovery strategies to mitigate the damage from ransomware attacks.

Solarwinds Attack

In December 2020, the cybersecurity world was rocked by the revelation of the SolarWinds attack, a sophisticated supply chain breach that had widespread implications. The attackers, believed to be a state-sponsored group, infiltrated SolarWinds' software development environment and inserted malicious code into the Orion IT management software. This malware, known as SUNBURST, was distributed via legitimate software updates to approximately 18,000 customers, including several U.S. federal agencies and numerous private sector companies.

Once the infected updates were installed, the malware created a backdoor that allowed the attackers to conduct reconnaissance, escalate privileges, and exfiltrate data. The breadth of the attack was unprecedented, enabling unauthorized access to sensitive information and systems over several months. The SolarWinds incident underscored the criticality of vulnerabilities in supply chain security and prompted widespread calls for improved practices in software integrity verification, monitoring, and incident response.

CyCognito Report

2024 State of Web Application Security Testing

2024 State of Web Application Security Testing

Are you confident your web application security measures are keeping pace with evolving threats?

Discover how your web app security compares. Learn about average testing frequency, the prevalence of web application security incidents and breaches, and the increasing adoption of automation to improve testing efficiency.

 
Dima Potekhin

Tips from the Expert

Dima Potekhin
CTO and Co-Founder

Dima Potekhin, CTO and Co-Founder of CyCognito, is an expert in mass-scale data analysis and security. He is an autodidact who has been coding since the age of nine and holds four patents that include processes for large content delivery networks (CDNs) and internet-scale infrastructure.

In my experience, here are tips that can help you better secure the software supply chain:

  • Implement behavior analytics: Use behavior analytics tools where you can. These detect anomalies in user and system behaviors and can help identify potential breaches or compromised components early in the software supply chain.
  • Adopt a zero-trust architecture: Zero-trust principles ensure that every component and user is continuously authenticated and authorized. This reduces the risk of lateral movement by attackers.
  • Utilize secure enclaves: Employ secure enclaves or trusted execution environments (TEEs) to protect sensitive code and data during execution. This adds an extra layer of security against runtime attacks.
  • Monitor and audit software licenses: Regularly audit software licenses to ensure compliance and identify any potential legal or security risks associated with outdated or unauthorized software components.
  • Implement provenance tracking: Track the origin and integrity of all components used in the software development process. Use cryptographic techniques to verify the authenticity of each component.

Best Practices for Security Teams: Improving Software Supply Chain Security

Enforce the Principles of Least Privilege and MFA

Implementing the principle of least privilege (PoLP) is crucial for minimizing the potential attack surface within an organization. By ensuring that users, applications, and systems only have the minimum level of access necessary to perform their tasks, security teams can significantly reduce the risk of unauthorized access and limit the damage from potential security breaches.

Regular audits should be conducted to review access permissions, ensuring that any unused or excessive privileges are revoked. Privilege escalation should be closely monitored to prevent abuse.

Multi-factor authentication (MFA) adds an additional layer of security by requiring users to provide more than one form of verification before accessing critical systems. Even if credentials are compromised, MFA helps prevent unauthorized access by adding an extra hurdle for attackers. Security teams should implement MFA for all privileged accounts and sensitive operations to protect the software supply chain.

Use Automated Security Testing and Collaborate with DevOps Teams

Integrating security tools such as static application security testing (SAST) and dynamic application security testing (DAST) within the continuous integration/continuous delivery (CI/CD) pipeline helps to identify issues before they reach production. Automated tests should be run frequently to ensure vulnerabilities, misconfigurations, and insecure coding practices are detected and remediated as early as possible.

Collaboration between security and DevOps teams, often referred to as "DevSecOps," ensures that security is integrated throughout the software development lifecycle. Security teams should work closely with developers to promote secure coding practices and ensure that security testing is incorporated at each phase of development.

Utilize Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a list of all components within a software product, including open-source and third-party dependencies. Having an SBOM helps security teams track and manage the components used, simplifying the process of identifying and addressing vulnerabilities. This transparency is crucial for maintaining the security and integrity of the software supply chain.

Implementing SBOMs requires proper tooling and processes to maintain accurate and up-to-date records. Regulatory bodies and industry standards are increasingly emphasizing the importance of SBOMs, making it crucial for improving software supply chain security.

Evaluate Third-Party Software Vendors

Evaluating software vendors involves assessing their security practices, compliance with industry standards, and track record of handling vulnerabilities. This due diligence is crucial to ensure that the software procured from vendors does not introduce undue risk into the organization. Key factors to consider include the vendor's security certifications, history of timely patching, and transparency in their security processes.

Regularly reviewing and updating vendor assessments can help maintain a high security standard. Encouraging vendors to adopt secure development practices and holding them accountable for their security measures can significantly enhance the overall security posture of the supply chain.

Create an Incident Response Plan

Having an incident response plan (IRP) is essential for promptly addressing and mitigating security breaches. An IRP outlines the procedures for detecting, responding to, and recovering from incidents, minimizing the impact on operations. Regular drills and updates to the IRP ensure that the team is prepared to handle real-world security threats.

Integration of the IRP with automated incident detection and response tools can further enhance responsiveness. Collaboration between security teams and other stakeholders is vital for the successful execution of the IRP, ensuring a coordinated response to security incidents.

Automating Attack Surface Management with CyCognito

The CyCognito platform addresses today’s exposure management requirements by taking an automated multi-faceted approach in identifying and remediating critical issues based on their business impact, rather than focusing on the generic severity of the threat alone. To do this you need a platform that is continuously monitoring the attack surface for changes and provides intelligent prioritization that incorporates organizations context.

The CyCognito platform addresses today’s vulnerability management requirements by:

  • Maintaining a dynamic asset inventory with classification of the entire external attack surface, including exposed on-premise and cloud-hosted assets like web applications, IP addresses, domains and certificates, eliminating the need to rely on outdated or incomplete information from collaboration tools, spreadsheets, or emails. This approach significantly reduces the burden of tedious, error-prone and costly processes.
  • Actively testing all discovered assets to identify risk. Active testing, including dynamic application security testing, or DAST, uncovers complex issues and validates known issues, with low false positives. Each exploited asset is assigned a security grade based on its criticality to the business.
  • Prioritizing critical issues, guiding security teams to focus on the most urgent threats. Our unique risk-based prioritization analysis goes beyond the common vulnerability scoring system (CVSS), and incorporates factors like asset discoverability, asset attractiveness, exploitability, business impact and remediation complexity. Integrated tactical threat intelligence identifies the handful of attack vectors that pose the greatest risk.
  • Streamlining communications between remediation teams by providing comprehensive, verifiable evidence for each exploited asset. This evidence includes detailed risk assessments, asset ownership information, and actionable remediation guidance. The platform seamlessly integrates with SIEM, SOAR and ticketing system tools like Jira, ServiceNow and Splunk to facilitate information sharing and collaboration.

Learn more about the CyCognito Attack Surface Management Platform

CyCognito Report

2024 State of Web Application Security Testing

2024 State of Web Application Security Testing

Are you confident your web application security measures are keeping pace with evolving threats?

Discover how your web app security compares. Learn about average testing frequency, the prevalence of web application security incidents and breaches, and the increasing adoption of automation to improve testing efficiency.