With the emergence of high-profile software supply chain attacks like Log4j, SolarWinds, and Codecov, it's clear that supply chain attacks are a rapidly growing threat that even the Biden administration has labeled a top priority. In fact, according to Gartner, by 2025, 45% of organizations worldwide will experience attacks on their software supply chains, a three-fold increase from 2021. And the risk of software supply chain attacks continues to grow as organizations shift more of their applications to the cloud and push their DevOps teams for faster time to deployment. When attacks are successful, the economic impact can be crippling. In addition, as malicious actors take control over their target's valuable data, this can affect not only the owner of the software but their users as well. So, what makes supply chain software so vulnerable?
Software supply chain attacks are unique in the world of cyber threats because attackers can use a single breach to target software components, which can then affect multiple companies' applications. Specifically, threat actors are looking for weaknesses in the software development pipeline, and once they find them, they can exploit these weaknesses to attack many companies at once.
Additionally, companies developing applications rely on open source, reused, and ready-made software components because it makes software development efficient and scalable. Unfortunately, the software supply chain is not as secure as it should be due to vulnerabilities in the components used to build cloud apps and infrastructure. Even if a component is believed to be secure when used, new vulnerabilities are emerging every day.
Defending against this risk is difficult for two reasons. First, there are hundreds of dependent packages maintained by open-source developers in a modern cloud-native application. Each of these dependencies carries a certain risk and can be a vector to another supply chain attack. This chain of dependency, similar to the concept of the supply chain, can soon become troublesome and difficult to manage Second, third-party packages are routinely imported into supply chains via infrastructure as code (IaC) templates that organizations don’t always inspect for vulnerabilities, and if unidentified, they often remain undetected.
In order to best protect the valuable and vulnerable software supply chains, there are three fundamental approaches organizations should be taking:
Understanding where and how software is created in your organization
Identifying where and how software is created can be one of the more difficult aspects of nailing down a strong shift-left strategy. Depending on the size of your company, this could run the gamut from straightforward to extremely challenging. During this step, you must inventory not only the source of your software but also all of the version control systems and CI/CD pipelines that deliver this code. Ultimately, securing these pipelines is critical to preventing code injection and malware poisoning attacks - and prevention is key. By better understanding the flow of software development within your own organization, security teams are able to better identify opportunities to move security closer to development.
Creating a clear shift-left strategy or approach
The concept of shift-left says it's better to secure software during development than it is to try to secure it AFTER development or deployment. With a clear and well-defined strategy for securing your organization during software development, an organization can go a long way in preparing for today's ever-changing threat landscape. Proactively addressing these weaknesses and leveraging a shift-left approach to security is absolutely critical to maintain secure supply chains. The main goal: identify areas of weaknesses early on and leverage the appropriate tools to prevent potential issues from becoming a full-blown crisis later on. Your strategy should be like a living, breathing entity - and one that should mature over time as the organization, and potential threats, evolve. Perfection is not the goal, but iterations over time will be essential to creating a strong defense.
Identifying and implementing the right security guardrails
Quality assurance has always been part of the software development lifecycle. However, software quality has not historically included security. Every step of the software development process is an opportunity to give feedback and look for security issues. Securing your entire pipeline with a defense-in-depth philosophy where there are multi-layered checks and balances is paramount in containing incidents. If one mechanism fails, there are backup layers still in place to give the organization a fighting chance. The most effective security teams start small. They arm development teams with simple and effective tools that become part of the daily development routine.
Folding security into your software development processes will give you one of the most effective security return on investments. It's not always easy, but it's effective — and with today’s ever-evolving threat landscape that continues to target supply chain software, it's more important than ever to be diligent in your security efforts. Code security and cloud security tools can be a critical part of this, but process is just as important. Securing your organization’s supply chain software today can be your saving grace tomorrow.
Ankur Shah is Senior Vice President, Prisma Cloud products at Palo Alto Networks.