Software Supply Chain Attacks

June 12, 2022

Software development today is all about DevOps teams taking code from an IDE or Git repository, testing it and deploying it to a production environment in the shortest possible time. While deployment velocity is a key priority, security of the software supply chain is equally important to the organization. 

Today’s hyper-connected software supply chains are a primary focus for attackers, because a single breach can give attackers access to a vast number of downstream systems. This makes supply chain security a top priority for security teams and development organizations everywhere.

In this article:

What Is a Software Supply Chain?

The software supply chain consists of any code, component, binaries components and tools that are involved in taking an application from development to production. It begins with a repository or package manager, any CI tooling, and build and packaging scripts that enable you to deploy and run the application. The supply chain usually involves phases like build automation, QA and testing, and deployment automation. To clarify, a supply chain does not include the phase after deployment, that would be the domain of application monitoring and management. 

Statistics about Software Supply Chain Attacks

The facts about software supply chain attacks are alarming. Here are some key statistics:

  • Argon, an Aqua Security company, has found that software supply chain attacks grew by over 300% in 2021.
  • Gartner predicts that by 2025, 45% of organizations would have experienced a software supply chain attack.
  • The FBI has reported a 62% increase in ransomware attacks from 2020 to 2021.
  • A Cloudbees survey showed that 45% of enterprises have admitted that they’ve secured only half of their software supply chain.

These statistics tell us that software supply chain security will become even more important in the coming years as software supply chain attacks are on the rise.

Recent Supply Chain Attacks

SolarWinds Attack

The SolarWinds attack is without a doubt the watershed moment that woke the technology world up to the perils of software supply chain attacks. SolarWinds is a leading Network Performance Monitoring (NPM) tool that is used by organizations of all sizes, including government institutions. 

The attackers had access to the SolarWinds supply chain for over a year before it was actually discovered. Every customer organization of SolarWinds was, in turn, compromised leading to a ripple effect that is so massive that it cannot be easily quantified. 

Mercedes-Benz Source Code Leak

Taking place a year after, in May 2020, an attacker was able to register an account on a code-hosting portal and then downloaded 580 Git repositories through Gitlab containing the source code of onboard logic units (OLUs) installed in Mercedes vans. The hack was due to a lack of account authorization processes.  

The source code leak was allowed due to exposed passwords and API tokens of Daimler’s internal systems to make matters worse. Bad actors could use passwords and keys to execute future intrusions against Mercedes-Benz cloud and internal network.

CodeCov Attack

CodeCov is a leading code coverage solution that shows the testing coverage on any code base. In April 2021, the CodeCov Bash Uploader script was compromised and modified. The attacker leveraged the Docker image that was used in CodeCov’s supply chain to gain access. This led to all customers of CodeCov also being vulnerable to the attack as CodeCov is a tool that is embedded into their customers’ software supply chain. 

By now, you probably notice the pattern of supply chain attacks where one breach opens up innumerable other supply chains that are connected. 

The following image shows a full list of major supply chain attacks, published by the US National Counterintelligence and Security Center (NCSC).

supply chain attacks
Source: NCSC

Types of Software Supply Chain Attacks

CI/CD Pipeline Breach

Attackers are looking for ways to infiltrate the CI/CD pipeline used by organizations to deliver software. With the CI/CD pipeline being the central nervous system of the entire software development process, any change made here has ripple effects on production applications, and customer applications as well. 

CI/CD Tool Misconfigurations

As software practices are becoming modernized, configuration as code is a best practice. This involves codifying configuration of aspects such as infrastructure and policies that govern software processes. This configuration is stored in the form of YAML files. Often control over these configuration files are not properly secured, leaving attack vectors and vulnerabilities open to attackers. In the wrong hands, these configuration files can be badly misused.

Compromised Software Building Tools

There are numerous tools that make up a modern software supply chain, and the list is only growing by the day. These tools range from open source software to commercial tools. These tools play different roles including creating builds, quality testing, and deploying code to production. It is important to secure these tools and ensure that they don’t become a vector for a threat actor to inject malicious code into the pipeline.

Dependency Confusion Attack

Package managers are a vital part of working with any programming language like Node.js or Python. Downloading packages from these platforms has risks as anyone can upload a package to them. In recent times, attackers have found a way to trick developers into downloading malicious packages by targeting misspellings of the most commonly downloaded packages. This type of attack is called dependency confusion. Since developers mostly type in package names in a command line interface, typos are common. 

A security researcher was able to use this method of ‘typo squatting’ to propagate infected packages to organizations like Apple and Microsoft. 

Source Code Threats

Insecure code and compromised source control systems are among the most common source code threats. Human error and lack of secure coding practices can introduce vulnerabilities to the source code. Additionally, insecure development workstations can introduce insecure or malicious code. 

You can mitigate insecure code threats by implementing policies in developer workstations, scanning code and APIs regularly during and after development, and establishing secure code practices. However, you should also ensure that developers cannot push insecure or malicious code into source repositories by including human reviews for source code changes.

Your code and source repositories can remain secure only if your source control system does not become compromised. Ensure security by restricting access to this system and other systems in the build pipeline. You can use multi-factor authentication (MFA) to secure system access and regularly evaluate your source integration, including configurations and scripts. 

Protecting Against Supply Chain Attack

Despite the challenges, you can mitigate security risks by following these practices to manage your software supply chain

Use Checklists to Control Processes

Checklists are a simple and proven way to enforce security practices at scale. Each team, and each member on every team, needs to have their own checklist. The checklist would vary for each person and team, but checklists are a powerful tool to ensure security standards.

Reduce the Attack Surface

This age-old security practice holds true today. Give the attacker little or no options to launch an attack. You do this by removing old and unused tools and components from your supply chain, keeping your application codebase small and lightweight, and reducing infrastructure components to only the ones in use currently. Remove unnecessary users, and restrict the rights of users to what they need for their tasks. All this adds up to bolster your system’s security posture.

Scan Every Step of the Supply Chain

Since every step is vulnerable to attack, code should be checked at every step of the process. This scanning should not be done manually by any person, rather, it is the job of dedicated software scanning tools. The scans should run continuously, and report on any irregularities, vulnerabilities, and violations.

Ensure Partner Applications and Integrations are Secure

Partners and vendors should be expected to adhere to the same standard set for your organization. Integrations should be carefully vetted, and regularly updated to be free from vulnerabilities. Routine checks should be run on how partner apps access and use data from your organization.

Leverage Security and Penetration Testing 

Playing devil’s advocate is necessary to ensure high levels of security. Encourage a culture where testers are encouraged to break things, and test the limits of the system. Incentivize ethical hackers to look for vulnerabilities, and even create bug bounty programs for valiant efforts. All this will ensure you stay a step ahead of attackers.

Ensure Software Is Up-to-date

With the numerous software packages being used in a supply chain today, updating software could be a full-time job for security professionals and developers alike. Any help they can get to make this job easier will strengthen the security of the system. A solution like Aqua can keep track of all software components and notify if any of them are outdated. 

Use Dependency Graphs

Dependency graphs are a way to visualize how your system components rely on each other. They are useful to trace the impact of an attack, and to take proactive measures to ensure every part of the system is up-to-date and compatible with other parts.

What Are the Top Challenges of Supply Chain Security?

Lack of Visibility

With different people owning different parts of the supply chain, and silos existing between teams and tools, monitoring is a big challenge with software supply chains. Gathering all the data from every step and consolidating it into a single place is a challenge, but it is necessary for security.

Error-Prone Manual Processes

Automation of processes is a key tenet of CI/CD. However, what happens in reality is that CI/CD is only semi-automatic with a lot of manual intervention every step of the way. Organizations that compromise on automation and settle for manual operations face vulnerabilities due to human error or bad actors within the organization. Even for organizations that manage to fully automate their supply chain processes, the risk is to establish controls and security checks. Without this, automation can be harmful as bad things can escalate quickly.

Supply Chain Complexity

Integrations are required to create a seamless CI/CD pipeline using various best-of-breed third-party tools. They are also required to enable custom workflows involving third-party vendors and partners. These integrations are a breeding ground for vulnerabilities and are easy pickings for attackers.

Mishandling of Secrets

Sensitive information comes in many forms like passwords, tokens, encryption keys, and hashes. This secret information cannot be hard-coded into the application, or stored in unencrypted files. They need to be handled by purpose-built secrets management tools. Yet, learning this new way of handling secrets is not a high priority for Devops teams, resulting in compromised security.

Lack of API Security Practices

APIs are the glue that hold cloud-native systems together. They are a gateway for third-party systems to access an organization’s services. If they are compromised, it’s easy to gain access to deeper parts of the system.

Vulnerabilities in Open Source Code 

Log4j is the most recent and most well-known of the open source vulnerabilities. However, there have been many such instances of open source code being neglected by their maintainers. There is no funding for these projects, so it’s not surprising that they become orphaned after a while. The onus is on the company using these open source tools to ensure their security.

Vulnerable or Unpatched Software

IoT systems, and even many legacy software systems are not actively maintained, and their firmware or software becomes outdated. It is a challenge to keep checking for outdated software and removing them from your system, but it is required if you want an air-tight system end-to-end.

How Aqua Protects Against Software Supply Chain Attacks

Aqua software supply chain security solution scans every step of the CI/CD pipeline looking for vulnerabilities, and reports on any anomalies. With readymade integration for the top CI/CD tools like GitHub, GitLab, Jenkins, and more, Aqua has you covered no matter which CI/CD tooling you use. 

Aqua covers the supply chain end-to-end and consolidates all this monitoring data in a single place and delivers alerts on them in real-time. This is a powerful and actionable way to fight security threats to your software supply chain. Leverage Aqua and bring deep visibility and greater security to your software supply chain.