Chris Harris, EMEA technical associate vice president, data security at Thales shares how organisations can protect themselves against software supply chain attacks
An overwhelming majority (93%) of IT professionals believe security threats are increasing in volume or severity, according to our 2024 Data Threat Report. This marks a significant rise from the 47% recorded last year.
Software supply chain attacks – or ‘backdoor attacks’ – are just one example where the threat is increasing.
There have been many high-profile examples to hit the headlines - from an American retailer and software vendor all the way through to a multinational investment and financial services bank.
These attacks look to exploit third-party software vulnerabilities to access an organisation’s systems and data. A single breach can impact thousands of victims in a rapid domino effect once access has been successfully gained – proving to be incredibly lucrative for cybercriminals.
Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains.
With this in mind we’re going to look at just how these attacks work, and the steps risk managers need to take [to prevent them].
How are the hackers getting in?
Backdoor attacks are most commonly executed by hijacking software updates, with hackers typically targeting software with poor security.
In most cases, criminals sneak in behind legitimate processes to get unrestricted access to an organisation’s software ecosystem.
Examples include covertly inserting malware or manipulating unprotected code-signing keys.
How can organisations protect their data?
Fortunately, there are several preventive measures organisations can take, as recommended by the Cybersecurity and Infrastructure Security Agency (CISA).
These include the following best practice approaches:
1) Protect software releases with code signing
Most modern software is a compilation of code and packages from multiple sources. This may include open source and third party code, as well as multiple components developed by both internal and external teams.
Multiple security measures need to be integrated and automated during each build and release cycle of software as it is being developed.
Indeed, tampering can take place at any point during this process, and could involve inserting malware or third party code, manipulating the organisation’s proprietary source code, or even compromising the artifacts that are used to build the software.
Software releases can be protected by code signing. This framework uses digital certificates and the public key infrastructure (PKI) to sign program files, enabling users to identify the publisher of the file and verify that the file hasn’t been tampered with or accidentally modified by a third party.
2) Protect Private Keys
The most significant issue with code signing, is the protection of private keys associated with the code signing certificates. If the keys are compromised, the certificate and software can no longer be fully trusted.
Organisations should consider hardware-based solutions as defense mechanisms.
For example, both the National Institute of Standards and Technology (NIST) agency and the Certification Authority Browser Forum (C/AB) consortium recommend using hardened cryptographic hardware products to protect keys, such as Hardware Security Modules (HSMs) as a security best practice.
This will ultimately ensure the private code signing keys aren’t stolen or misused.
3) Proactively detect software vulnerabilities
To minimise any code signing process vulnerabilities, proactive threat detection is recommended in addition to employing robust defenses.
Software managers play a crucial role in ensuring the security and integrity of software. They do this by constantly monitoring and analysing the software to ensure it is not compromised by common threats such as malware, unauthorised software alterations, or security vulnerabilities.
Before the software is finalised with a code signature—a process that confirms the software is secure and has not been tampered with—managers verify that it is free from these known risks.
This vigilant approach helps maintain the software’s integrity throughout its development and before its release.
4) Reduce risk with SBOMs
Following several major software supply chain attacks, Executive Order 14028 was issued outlining the value of a Software Bill of Materials (SBOM) to improve cybersecurity.
A Software Bill of Materials is a list of components attached to the software. This is essentially an inventory that lists every piece of code that makes up the full software package, so you know what to trust and can more easily trace and eliminate vulnerabilities and malware.
Leveraging automated tools for scanning can minimise oversight risks, and can greatly benefit organisations seeking to apply protective and compliance measures more rapidly.
The final word
While the threat of software supply chain attacks is ever-present, there are several ways for organisations to defend themselves against these breaches and maintain software integrity.
Organisations need to be both on the defense and offense to effectively manage the risk - not only prioritising the robustness of their own software, but that of their suppliers, partners, and other stakeholders, too.
Chris Harris is EMEA technical associate vice president, data security at Thales
No comments yet