For reasons we all know, software supply chain attacks took on new meaning near the end of 2020. This hasn’t changed over this year. One of the best modern ways to combat these cyberattacks is to integrate a secure software development framework (SSDF) into a vendor’s software development life cycle (SDLC). Why is this such an important way to prevent software supply chain attacks? And how can you put it in place?

Recent Cyberattacks Show Attackers’ Tactics

To illustrate, the following three supply chain attacks made headlines in the first half of the year.

Throughout December 2020 and January 2021, a firewall vendor released a patch for four vulnerabilities affecting its file transfer application. The new year began with dozens of businesses and government entities announcing they had suffered a breach as a result of the software flaws. Wired reported that many of those incidents involved extortion at the hands of the Clop ransomware gang.

Other attackers struck with four zero day flaws in an email server product. The software developer released patches to address the flaws on March 2 — after a “highly skilled and sophisticated actor” began exploiting the flaws as part of a series of attack campaigns. The software fixes didn’t prevent other threat actors from seizing on the weaknesses and spreading more malware strains.

In June, researchers uncovered software supply chain cyberattacks involving an Android emulator for PCs and Macs. Threat actors compromised the update mechanism and used it to distribute three different malware families. In doing so, the attackers infected an untold number of users who used the emulator to play Android games on their computers.

All three of the supply chain attacks involved similar techniques. Each of them involved some attempt by threat actors to perform network reconnaissance of their victims’ machines. This gave digital attackers crucial information that they could have used to exfiltrate sensitive data or engage in other attacks.

How the SSDF Figures Into the Software Supply Chain

The U.S. government is paying attention to software supply chain cyberattacks like these. The White House made improving software supply chain security one of the core objectives of an executive order released in May 2021. In addition, the Cybersecurity & Infrastructure Security Agency (CISA) partnered with the National Institute for Standards and Technology (NIST) to publish a resource around the topic of software supply chain attacks.

Let’s examine this in more detail below.

Defending Against Software Supply Chain Cyberattacks

In their guide, CISA and NIST discuss some of the most common types of supply chain cyberattacks. One of those tactics is hijacking update mechanisms, such as what we saw above. The resource goes on to recommend guidelines that customers can use to keep themselves safe before discussing how software vendors can minimize the risk of a supply chain compromise.

That’s where the SSDF comes in. It’s key to include an SSDF in a vendor’s SDLC. An SSDF consists of four types of practices that help secure the SDLC.

  • Prepare the Organization: In this stage, the affected business or agency must ensure that their people, processes and tech can support secure software development. They can do that by defining relevant rules for software development, adding relevant roles and responsibilities and putting a supporting tool chain in place, as well as defining criteria for secure software checks.
  • Protect the Software: Next, it’s time to safeguard software against tampering attempts and instances of unwanted access. As part of that process, you need to protect code, create a pipeline for making sure new software releases are trustworthy and archive and protect each software release.
  • Produce Well-Secured Software: Next, it’s time to develop secure software with a minimal number of flaws. Towards this end, your employees need to design software that matches your security needs and repair risks, verify that the design of their software complies with their software requirements and reuse secure software (when possible) instead of doubling up.
  • Respond to Vulnerabilities: The final duty is to identify flaws in software releases, address them and prevent similar bugs from emerging in the future. This involves an ongoing process of finding and confirming those flaws. From there, you need to triage and patch those weaknesses, as well as find their root causes.

Augmenting the SSDF With Human Controls

The SSDF provides software vendors with a framework by which they can implement security measures and cut down on cyberattacks. But, using an SSDF won’t accomplish much unless software vendors secure buy-in from some key stakeholders.

In particular, vendors need to work with their developers to make sure they involve security in their work. One of the best ways they can do this is by investing in security training. This can start by training a few people as mentors to elevate the importance of security across the entire department. They can then leverage ongoing training to educate their developers about some of the most common types of risks.

Once that culture is in place, vendors can look to build on it. They can do that by revising their job postings to emphasize the need for security training and skills among applicants. They could also create a suite of key performance benchmarks to reward developers for their secure behavior in the workplace.

A Coherent Structure Around Software Supply Chain Security

Software supply chain cyberattacks aren’t going away anytime soon. As such, it’s up to software vendors to secure their products. This requires a holistic approach. If organizations unite their people, processes and technology, they can build a coherent culture centered around software supply chain security.

More from Software Vulnerabilities

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today