
How to prevent supply chain attacks by securing DevOps


Best practices for securing the software supply chain


Following several high-profile supply chain attacks, regulators and the media are focusing increasingly on third-party software risk. The Department of Defense's Cybersecurity Maturity Model Certification, established on January 31, 2020, was the first attempt to create a supply chain security compliance mandate. Only a few months later, threat actors infamously gained access to the SolarWinds build environment and inserted a vulnerability directly into a security update that was then pushed to production. This combination of insider threat and supply chain attack ended up compromising the customers who installed the update, including US federal agencies. In response to the growing threat of supply chain attacks, the Executive Order on Improving the Nation's Cybersecurity established the Software Bill of Materials (SBOM) requirement. Whether for financial or political gain, threat actors are focusing on supply chain attacks, and software developers can prevent them by securing DevOps.

What is a supply chain attack?

In a supply chain attack, malicious actors target a cybersecurity weakness in a third-party service provider and then use the provider's product to gain unauthorized access to the businesses that use that product or service.

A software supply chain attack can come from any of the following services or products:

  • Open source or third-party code used in software development
  • Open source platforms
  • Business or technological partners collecting, storing or processing data
  • Cloud service providers

Threat actors can use a software vulnerability to deploy malware into a customer's systems or networks. For example, in the SolarWinds supply chain attack, threat actors inserted malicious code into versions of the company's Orion platform. The threat actors then used this vulnerability to gain unauthorized access to SolarWinds clients who installed the update. The most recent figures indicate that the attack directly affected 9 federal agencies and 100 private companies, and attackers continue to attempt attacks against Microsoft.

Supply chain attacks are becoming more and more frequent. In the first quarter of 2021, the number increased by 42%, affecting 137 organizations from 27 different vendors.

What is the impact of an attack on the supply chain?

Supply chain attacks can have both short and long term impacts. Additionally, these attacks affect multiple areas of business, not just IT.

Financial impact

The financial impact of a supply chain attack is probably the most obvious and the one that draws the most attention. For example, a 2017 data breach that took advantage of a software vulnerability cost a consumer credit reporting company approximately $2 billion. More recently, threat actors used a zero-day vulnerability against Kaseya, a provider of endpoint management and networking technology. Kaseya's customers were primarily managed service providers, each of which had multiple end customers of its own. Threat actors were able to reach these end customers with a ransomware attack that affected approximately 1,000 organizations, mostly small businesses. Although this is a supply chain attack, it is not considered an insider threat attack. But the researchers specifically noted that while the threat actors did not "deliver an implant with their exploit," they could have.

Understanding the direct financial impact of a supply chain attack includes examining the following costs:

  • Customer notification
  • Legal
  • Response
  • Crisis management
  • Business interruption

Compliance violations

While compliance violations have a financial impact, they also carry operational costs. A supply chain attack often occurs when a company fails to install a security update or does not monitor security effectively.

The costs of compliance violations include:

  • Penalties / fines
  • Remediation
  • Additional audits to prove continued compliance

Churn rate (reputation)

Everyone talks about the reputational risk associated with supply chain attacks, but quantifying the impact is often more difficult.

For example, a survey asked 1,000 customers whether they would still do business with a company after a breach. Respondents indicated that after a data breach, they would be less likely to maintain a consumer relationship with a:

  • Retail store: 58%
  • Hotel chain: 80%
  • Financial institution: 83%
  • Social media site: 86%
  • Ride-sharing service: 93%

How to prevent supply chain attacks?

With threat actors focusing more intensely on supply chain attacks, integrating security into the development process becomes critical. Software developers should embrace DevSecOps to prevent their applications from being used in a supply chain attack. They can do this by creating standards that ensure coding best practices, especially when third-party code is involved.

Demonstrate due diligence

Part of setting coding standards should be reviewing open source code before incorporating it into an application. Developers should treat open source code like a third-party vendor. This means building due diligence into the process and reviewing open source code before using it.

As a good practice, teams should ensure that they:

  • Create and maintain an inventory of all open source libraries used
  • Note whether the code is used for internal or external projects
  • Document how they plan to use the open source component
  • Check if the repository owner provides security updates
  • Review how often the owner updates the repository

By applying vendor risk management processes to code, the development team integrates governance into their practices.

Third party code monitoring

Whether they are securing their own code or open source code, developers need to monitor their code constantly. While developers are often concerned that security testing will reduce their productivity, it is a fundamental strategy for preventing supply chain attacks.

Threat actors learn of vulnerabilities as soon as, if not before, they are made public. If a team uses an open source software (OSS) library with a known vulnerability, threat actors can use that weakness to weaponize the application. Problematically, one report notes that only 23% of organizations scan for software vulnerabilities in the build pipeline.

Developers should incorporate static and dynamic assessments into their build processes to ensure continued security.
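The inventory practices listed under "Demonstrate due diligence" and the build-pipeline vulnerability scanning described above fit together in one small build step. The following is an added example, not ShiftLeft's code and not a real SCA tool: it reads a pinned lockfile whose trailing comments record how each component is used, checks every pinned version against a tiny advisory list in a simplified OSV-like shape (package, introduced, fixed), flags components whose maintainer has not shipped a release within a year, and fails the build on any known vulnerability. The lockfile, package names, release dates and advisory identifiers are all constructed for the example.

```python
"""Dependency inventory plus known-vulnerability gate for a build step.

Added example, not ShiftLeft's code. Everything it reads is constructed
inline: a pinned lockfile whose trailing comments record how each component
is used, per-package last-release dates, and a tiny advisory list in a
simplified OSV-like shape (package, introduced, fixed).
"""
from dataclasses import dataclass, field
from datetime import date
import re

# Constructed lockfile. Trailing comments carry the inventory fields the
# text asks for: usage (internal/external) and the intended purpose.
LOCKFILE = """\
acme-http==2.25.1     # usage: external; purpose: outbound API calls
acme-yaml==5.3.1      # usage: external; purpose: config parsing
tinyutil==0.1.0       # usage: internal; purpose: build scripts
"""

# Constructed maintenance metadata: last release date per package.
LAST_RELEASE = {
    "acme-http": date(2021, 7, 13),
    "acme-yaml": date(2021, 1, 20),
    "tinyutil": date(2017, 1, 2),
}

# Constructed advisories with half-open affected ranges [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "acme-yaml", "introduced": "0", "fixed": "5.4"},
    {"id": "EXAMPLE-0002", "package": "acme-http", "introduced": "2.26.0", "fixed": "2.26.3"},
]

# Fixed "today" so the staleness check is deterministic (constructed).
AS_OF = date(2021, 9, 1)


@dataclass
class Component:
    name: str
    version: str
    usage: str = "unknown"
    purpose: str = "undocumented"
    advisories: list = field(default_factory=list)
    stale: bool = False


def parse_version(text):
    """Turn '5.3.1' into (5, 3, 1); tuples compare element-wise."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_lockfile(text):
    """Build the inventory from 'name==version  # usage: ...; purpose: ...' lines."""
    components = []
    for line in text.splitlines():
        match = re.match(r"\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*(?:#(.*))?$", line)
        if not match:
            continue
        name, version, note = match.groups()
        comp = Component(name=name, version=version)
        if note:
            usage = re.search(r"usage:\s*(\w+)", note)
            purpose = re.search(r"purpose:\s*([^;]+)", note)
            if usage:
                comp.usage = usage.group(1)
            if purpose:
                comp.purpose = purpose.group(1).strip()
        components.append(comp)
    return components


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def check_advisories(components, advisories):
    """Attach every advisory whose affected range contains the pinned version."""
    for comp in components:
        comp.advisories = [a["id"] for a in advisories
                           if a["package"] == comp.name and is_affected(comp.version, a)]
    return components


def check_staleness(components, last_release, as_of, max_age_days=365):
    """Flag components whose maintainer has not shipped a release recently."""
    for comp in components:
        last = last_release.get(comp.name)
        comp.stale = last is None or (as_of - last).days > max_age_days
    return components


def build_gate(lockfile, advisories, last_release, as_of):
    """Return (passed, components); the build fails on any known vulnerability."""
    components = parse_lockfile(lockfile)
    check_advisories(components, advisories)
    check_staleness(components, last_release, as_of)
    passed = not any(c.advisories for c in components)
    return passed, components


if __name__ == "__main__":
    ok, inventory = build_gate(LOCKFILE, ADVISORIES, LAST_RELEASE, AS_OF)
    for c in inventory:
        print(f"{c.name}=={c.version} usage={c.usage} purpose={c.purpose!r} "
              f"advisories={c.advisories} stale={c.stale}")
    print("build gate:", "PASS" if ok else "FAIL")
```

Stale components are reported but do not fail the gate on their own; they are the signal to revisit the "does the owner still provide security updates" question from the due-diligence list, while a matched advisory is the signal to block the build.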

Prioritize remediation

For developers, prioritizing remediation is often the hardest part of securing the software development lifecycle. Not all vulnerabilities are actually or potentially exploitable. Developers need visibility to know whether the vulnerability is reachable.

Software Composition Analysis (SCA) can tell if an application’s code calls an open source library with known vulnerabilities and helps prioritize vulnerabilities. However, 39% of companies wait to run SCA scans until the testing phase, when remediation is more difficult and more expensive.

Teams should research vulnerabilities and prioritize remediation strategies as early as possible in the development process to improve security and lower overall costs.

Securing the DevOps Process Prevents Supply Chain Attacks and Reduces Costs

Integrating security into the software development process prevents supply chain attacks because developers remove vulnerabilities before the application goes into production. Additionally, by continually reviewing code during the build phase, organizations reduce costs.

Equally important, developers need visibility into whether a vulnerability presents an actual or potential risk. A first step is to determine whether the vulnerable code is invoked at all, but this is not enough to determine "reachability". Even when the code is called, the development team may have assembled it in a way that makes the vulnerability unreachable from the attack surface, so spending time fixing it results in unnecessary development costs. Teams must know where to concentrate their efforts in order to deliver products on time.
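The distinction drawn above, between a vulnerable function that is merely called somewhere and one that is reachable from the attack surface, can be illustrated with a call-graph walk. The following is an added example, not ShiftLeft's code and not its reachability engine: it parses a constructed application module with Python's `ast`, records which functions each function calls, and then searches from the declared entry points (the externally exposed handlers) for a call chain that reaches a vulnerable library symbol. The module source, the library name `acme_yaml`, the entry-point names and the choice of `acme_yaml.load` as the vulnerable sink are all constructed for the example.

```python
"""Call-graph reachability triage for a known-vulnerable library function.

Added example, not ShiftLeft's code. The application module, the library
acme_yaml and the vulnerable sink acme_yaml.load are constructed inline.
"""
import ast
from collections import deque

# Constructed application module. parse_config calls the vulnerable sink,
# but only handle_upload (not handle_request) leads there from the outside.
APP_SOURCE = '''
import acme_yaml

def parse_config(text):
    return acme_yaml.load(text)             # vulnerable sink (constructed advisory)

def legacy_import(path):
    return parse_config(open(path).read())  # no entry point calls this

def parse_header(raw):
    return raw.split(":", 1)

def render(fields):
    return str(fields)

def handle_request(request):
    fields = parse_header(request)
    return render(fields)

def handle_upload(request):
    return parse_config(request.body)
'''


def call_name(node):
    """Render the callee of a Call node as dotted text, e.g. 'acme_yaml.load'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
            return ".".join(reversed(parts))
    return None  # callee is a computed expression; ignored in this toy


def build_call_graph(source):
    """Map each top-level function name to the set of callee names it invokes."""
    tree = ast.parse(source)
    graph = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    name = call_name(sub)
                    if name:
                        callees.add(name)
            graph[node.name] = callees
    return graph


def find_path(graph, entry_points, sink):
    """Breadth-first search from the entry points; return the first chain to sink."""
    queue = deque((ep, [ep]) for ep in entry_points)
    seen = set(entry_points)
    while queue:
        func, path = queue.popleft()
        for callee in sorted(graph.get(func, ())):
            if callee == sink:
                return path + [callee]
            if callee not in seen and callee in graph:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None


def triage(source, entry_points, sink):
    """Classify the sink as reachable, called-but-unreachable, or not-called."""
    graph = build_call_graph(source)
    called = any(sink in callees for callees in graph.values())
    path = find_path(graph, entry_points, sink)
    if path:
        return "reachable", path
    if called:
        return "called-but-unreachable", None
    return "not-called", None


if __name__ == "__main__":
    sink = "acme_yaml.load"
    print(triage(APP_SOURCE, ["handle_request"], sink))
    print(triage(APP_SOURCE, ["handle_request", "handle_upload"], sink))
```

With only `handle_request` exposed, the sink is called (by `parse_config`) yet unreachable, which is exactly the case the text says should be deprioritized; adding `handle_upload` to the attack surface turns the same finding into a reachable one with a concrete call chain to fix first. A production reachability analysis also has to handle dynamic dispatch, callbacks and data flow, which this syntactic walk ignores.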

By integrating vulnerability monitoring and prioritization into the build phase, teams can meet deadlines and reduce risk. Developers can build security into their processes without reducing their productivity. ShiftLeft's SCA and Static Application Security Testing (SAST) deliver the speed and visibility teams need.

At ShiftLeft, we’ve worked to make open source security more manageable by helping you focus on exploitable open source vulnerabilities. Speak with us and we can help you assess your risks and recommend more efficient processes and procedures.


*** This is a Syndicated Security Bloggers Network blog from ShiftLeft Blog – Medium written by the ShiftLeft team. Read the original post at: https://blog.shiftleft.io/how-to-prevent-supply-chain-attacks-by-securing-devops-ec466efd6f1f?source=rss—-86a4f941c7da—4
