Software Supply Chain Attacks

Software development today is all about developers collaborating with the Ops team to take code from an IDE or Git repository to a production environment in the quickest possible time. While deployment velocity is a key priority, security of the software supply chain is equally important to the organization. This is because a security lapse has the potential to cause huge monetary losses and tarnish the reputation of an organization beyond recovery. For attackers, today’s hyperconnected software supply chains are a goldmine of opportunities as a single breach can give attackers access to a vast number of other downstream systems. It’s no wonder that threat actors are increasingly using software supply chain attacks to compromise their targets.

In this article:

What is a software supply chain?

The software supply chain consists of any code, component, binaries components and tools that are involved in taking an application from development to production. It begins with a repository or package manager, any CI tooling, and build and packaging scripts that enable you to deploy and run the application. The supply chain usually involves phases like build automation, QA and testing, and deployment automation. To clarify, a supply chain does not include the phase after deployment, that would be the domain of application monitoring and management. 

Statistics about software supply chain attacks

The facts about software supply chain attacks are unanimous and alarming. Here are some key statistics:

  • Argon, an Aqua Security company, has found that software supply chain attacks grew by over 300% in 2021.
  • Gartner predicts that by 2025, 45% of organizations would have experienced a software supply chain attack.
  • The FBI has reported a 62% increase in ransomware attacks from 2020 to 2021.
  • A Cloudbees survey showed that 45% of enterprises have admitted that they’ve secured only half of their software supply chain.

These statistics tell us that software supply chain security will become even more important in the coming years as software supply chain attacks are on the rise.

Which are the biggest software supply chain attacks of recent times?

  1. SolarWinds attack

The SolarWinds attack is without a doubt the watershed moment that woke the technology world up to the perils of software supply chain attacks. SolarWinds is a leading Network Performance Monitoring (NPM) tool that is used by organizations of all sizes, including government institutions. 

The attackers had access to the SolarWinds supply chain for over a year before it was actually discovered. Every customer organization of SolarWinds was, in turn, compromised leading to a ripple effect that is so massive that it cannot be easily quantified. 

  1. Log4j Log4Shell vulnerability

Taking place a year after the SolarWinds attack, the Log4j attack is equally notorious and has had a massive footprint across companies globally. Log4j is the most widely used open source logging tool for Java applications. It is in use in organizations from silicon valley to Washington. 

The Log4Shell vulnerability had a similar ripple effect on all organizations using Log4j. After the attack came to light Log4j released patches. However, even these patches were found to be vulnerable. The entire situation is a hot mess for security teams and the nightmare is far from over.

  1. CodeCov attack

CodeCov is a leading code coverage solution that shows the testing coverage on any code base. In April 2021, the CodeCov Bash Uploader script was compromised and modified. The attacker leveraged the Docker image that was used in CodeCov’s supply chain to gain access. This led to all customers of CodeCov also being vulnerable to the attack as CodeCov is a tool that is embedded into their customers’ software supply chain. 

By now, you probably notice the pattern of supply chain attacks where one breach opens up innumerable other supply chains that are connected. 

  1. Dependency confusion attack

Package managers are a vital part of working with any programming language like Node.js or Python. Downloading packages from these platforms has risks as anyone can upload a package to them. In recent times, attackers have found a way to trick developers into downloading malicious packages by targeting misspellings of the most commonly downloaded packages. This type of attack is called dependency confusion. Since developers mostly type in package names in a command line interface, typos are common. 

A security researcher was able to use this method of ‘typo squatting’ to propagate infected packages to organizations like Apple and Microsoft. 

What are the most common types of software supply chain attacks?

CI/CD pipeline breach

Attackers are looking for ways to infiltrate the CI/CD pipeline used by organizations to deliver software. With the CI/CD pipeline being the central nervous system of the entire software development process, any change made here has ripple effects on production applications, and customer applications as well. 

Compromised software building tools

There are numerous tools that make up a modern software supply chain, and the list is only growing by the day. These tools range from open source software to commercial tools. These tools play different roles including creating builds, quality testing, and deploying code to production. It is important to secure these tools and ensure that they don’t become a vector for a threat actor to inject malicious code into the pipeline.. 

Misconfiguration in CI/CD tools 

As software practices are becoming modernized, configuration as code is a best practice. This involves codifying configuration of aspects such as infrastructure and policies that govern software processes. This configuration is stored in the form of YAML files. Often control over these configuration files are not properly secured, leaving attack vectors and vulnerabilities open to attackers. In the wrong hands, these configuration files can be badly misused.

Injection of malicious code

Once an attacker gains access to a supply chain, they look to establish persistence and escalate their privileges. Once this is achieved, they use the host system to run scripts and applications that serve their purposes. This may range from crypto mining to scripts that attempt to steal data from the host. These scripts are designed to go undetected by monitoring tools and camouflage as genuine.

Lack of visibility

With different people owning different parts of the supply chain, and silos existing between teams and tools, monitoring is a big challenge with software supply chains. Gather all the data from every step and consolidating it into a single place is a challenge, but it is necessary for security.

Manual processes are error-prone

Automation of processes is a key tenet of CI/CD. However, what happens in reality is that CI/CD is only semi-automatic with a lot of manual intervention every step of the way. Organizations that compromise on automation and settle for manual operations face vulnerabilities due to human error or bad actors within the organization. Even for organizations that manage to fully automate their supply chain processes, the risk is to establish controls and security checks. Without this, automation can be harmful as bad things can escalate quickly.

Numerous integrations make the supply chain complex

Integrations are required to create a seamless CI/CD pipeline using various best-of-breed third-party tools. They are also required to enable custom workflows involving third-party vendors and partners. These integrations are a breeding ground for vulnerabilities and are easy pickings for attackers.

Mishandling of secrets like passwords, and keys

Sensitive information comes in many forms like passwords, tokens, encryption keys, and hashes. This secret information cannot be hard-coded into the application, or stored in unencrypted files. They need to be handled by purpose-built secrets management tools. Yet, learning this new way of handling secrets is not a high priority for Devops teams, resulting in compromised security.

Lack of API security practices

APIs are the glue that hold cloud-native systems together. They are a gateway for third-party systems to access an organization’s services. If they are compromised, it’s easy to gain access to deeper parts of the system.

Vulnerabilities in open source code 

Log4j is the most recent and most well-known of the open source vulnerabilities. However, there have been many such instances of open source code being neglected by their maintainers. There is no funding for these projects, so it’s not surprising that they become orphaned after a while. The onus is on the company using these open source tools to ensure their security.

Vulnerable software that needs to be patched

IoT systems, and even many legacy software systems are not actively maintained, and their firmware or software becomes outdated. It is a challenge to keep checking for outdated software and removing them from your system, but it is required if you want an air-tight system end-to-end.

How can you mitigate the risk of a software supply chain attack?

Despite the challenges, you can mitigate security risks by following these practices to manage your software supply chain

Use checklists to control processes

Checklists are a simple and proven way to enforce security practices at scale. Each team, and each member on every team, needs to have their own checklist. The checklist would vary for each person and team, but checklists are a powerful tool to ensure security standards.

Reduce the attack surface

This age old security practice holds true today. Give the attacker little or no options to launch an attack. You do this by removing old and unused tools and components from your supply chain, keeping your application codebase small and lightweight, and reducing infrastructure components to only the ones in use currently. Remove unnecessary users, and restrict the rights of users to what they need for their tasks. All this adds up to bolster your system’s security posture.

Scan every step of the supply chain

Since every step is vulnerable to attack, code should be checked at every step of the process. This scanning should not be done manually by any person, rather, it is the job of a dedicated software scanning tool like Argon. The scans should run continuously, and report on any irregularities, vulnerabilities, and violations.

Ensure partner apps and integrations are secure

Partners and vendors should be expected to adhere to the same standard set for your organization. Integrations should be carefully vetted, and regularly updated to be free from vulnerabilities. Routine checks should be run on how partner apps access and use data from your organization.

Leverage security and penetration testing 

Playing devil’s advocate is necessary to ensure high levels of security. Encourage a culture where testers are encouraged to break things, and test the limits of the system. Incentivize ethical hackers to look for vulnerabilities, and even create bug bounty programs for valiant efforts. All this will ensure you stay a step ahead of attackers.

Ensure software is kept up-to-date

With the numerous software packages being used in a supply chain today, updating software could be a full-time job for security professionals and developers alike. Any help they can get to make this job easier will strengthen the security of the system. A solution like Argon can keep track of all software components and notify if any of them are outdated. 

Use dependency graphs

Dependency graphs are a way to visualize how your system components rely on each other. They are useful to trace the impact of an attack, and to take proactive measures to ensure every part of the system is up-to-date and compatible with other parts.

How can Aqua protect against software supply chain attacks?

Aqua software supply chain security solution scans every step of the CI/CD pipeline looking for vulnerabilities, and reports on any anomalies. With readymade integration for the top CI/CD tools like GitHub, GitLab, Jenkins, and more, Argon has you covered no matter which CI/CD tooling you use. Despite covering the supply chain end-to-end, Argon consolidates all this monitoring data in a single place and delivers alerts on them in real-time. This is a powerful and actionable way to fight security threats to your software supply chain. Leverage Argon and bring deep visibility and greater security to your software supply chain.