For reasons we all know, software supply chain attacks took on new meaning near the end of 2020. This hasn’t changed over this year. One of the best modern ways to combat these cyberattacks is to integrate a secure software development framework (SSDF) into a vendor’s software development life cycle (SDLC). Why is this such an important way to prevent software supply chain attacks? And how can you put it in place?

Recent Cyberattacks Show Attackers’ Tactics

To illustrate, the following three supply chain attacks made headlines in the first half of the year.

Throughout December 2020 and January 2021, a firewall vendor released a patch for four vulnerabilities affecting its file transfer application. The new year began with dozens of businesses and government entities announcing they had suffered a breach as a result of the software flaws. Wired reported that many of those incidents involved extortion at the hands of the Clop ransomware gang.

Other attackers struck with four zero day flaws in an email server product. The software developer released patches to address the flaws on March 2 — after a “highly skilled and sophisticated actor” began exploiting the flaws as part of a series of attack campaigns. The software fixes didn’t prevent other threat actors from seizing on the weaknesses and spreading more malware strains.

In June, researchers uncovered software supply chain cyberattacks involving an Android emulator for PCs and Macs. Threat actors compromised the update mechanism and used it to distribute three different malware families. In doing so, the attackers infected an untold number of users who used the emulator to play Android games on their computers.

All three of the supply chain attacks involved similar techniques. Each of them involved some attempt by threat actors to perform network reconnaissance of their victims’ machines. This gave digital attackers crucial information that they could have used to exfiltrate sensitive data or engage in other attacks.

How the SSDF Figures Into the Software Supply Chain

The U.S. government is paying attention to software supply chain cyberattacks like these. The White House made improving software supply chain security one of the core objectives of an executive order released in May 2021. In addition, the Cybersecurity & Infrastructure Security Agency (CISA) partnered with the National Institute of Standards and Technology (NIST) to publish a resource around the topic of software supply chain attacks.

Let’s examine this in more detail below.

Defending Against Software Supply Chain Cyberattacks

In their guide, CISA and NIST discuss some of the most common types of supply chain cyberattacks. One of those tactics is hijacking update mechanisms, such as what we saw above. The resource goes on to recommend guidelines that customers can use to keep themselves safe before discussing how software vendors can minimize the risk of a supply chain compromise.

That’s where the SSDF comes in. It’s key to include an SSDF in a vendor’s SDLC. An SSDF consists of four types of practices that help secure the SDLC.

  • Prepare the Organization: In this stage, the affected business or agency must ensure that their people, processes and tech can support secure software development. They can do that by defining relevant rules for software development, adding relevant roles and responsibilities and putting a supporting tool chain in place, as well as defining criteria for secure software checks.
  • Protect the Software: Next, it’s time to safeguard software against tampering attempts and instances of unwanted access. As part of that process, you need to protect code, create a pipeline for making sure new software releases are trustworthy and archive and protect each software release.
  • Produce Well-Secured Software: Next, it’s time to develop secure software with a minimal number of flaws. Towards this end, your employees need to design software that meets your security needs and mitigates risks, verify that the design of the software complies with its requirements and reuse secure software (when possible) instead of doubling up.
  • Respond to Vulnerabilities: The final duty is to identify flaws in software releases, address them and prevent similar bugs from emerging in the future. This involves an ongoing process of finding and confirming those flaws. From there, you need to triage and patch those weaknesses, as well as find their root causes.
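
The "Protect the Software" practice, and the hijacked update mechanism described earlier, both come down to a release check like the one below. It is an added example, not taken from the CISA/NIST guide or from any vendor's pipeline. The function names and sample data are hypothetical, and the shared-key HMAC is a stand-in for the asymmetric signature a real release pipeline would use.

```python
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(version: str, artifacts: dict, key: bytes):
    """Release side: record a digest per artifact and authenticate the manifest."""
    digests = {name: sha256_hex(blob) for name, blob in artifacts.items()}
    body = json.dumps({"version": version, "artifacts": digests}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()  # stand-in for a signature
    return body, tag

def verify_release(body: bytes, tag: str, key: bytes, artifacts: dict) -> list:
    """Consumer side: return a list of problems; an empty list means the release checks out."""
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        # Do not parse or trust any field of an unauthenticated manifest.
        return ["manifest authentication failed"]
    recorded = json.loads(body)["artifacts"]
    problems = []
    for name in sorted(set(recorded) | set(artifacts)):
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
        elif name not in recorded:
            problems.append(f"unlisted artifact: {name}")
        elif not hmac.compare_digest(sha256_hex(artifacts[name]), recorded[name]):
            problems.append(f"digest mismatch: {name}")
    return problems

# Constructed sample data (hypothetical release contents and demo key).
KEY = b"constructed-demo-key"
RELEASE = {"app.bin": b"release build 1.4.2", "updater.cfg": b"channel=stable\n"}
BODY, TAG = build_manifest("1.4.2", RELEASE, KEY)

def demo() -> dict:
    tampered = dict(RELEASE, **{"app.bin": b"release build 1.4.2 + implant"})
    extra = dict(RELEASE, **{"dropper.dll": b"x"})
    forged_body = BODY.replace(b"1.4.2", b"9.9.9")  # manifest edited after signing
    return {
        "clean": verify_release(BODY, TAG, KEY, RELEASE),
        "tampered": verify_release(BODY, TAG, KEY, tampered),
        "extra": verify_release(BODY, TAG, KEY, extra),
        "forged": verify_release(forged_body, TAG, KEY, RELEASE),
    }

if __name__ == "__main__":
    print(demo())
```

The check fails closed: an unauthenticated manifest is rejected before any of its fields are read, and files that the manifest does not list are reported rather than ignored.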

Augmenting the SSDF With Human Controls

The SSDF provides software vendors with a framework by which they can implement security measures and cut down on cyberattacks. But using an SSDF won’t accomplish much unless software vendors secure buy-in from some key stakeholders.

In particular, vendors need to work with their developers to make sure they involve security in their work. One of the best ways they can do this is by investing in security training. This can start by training a few people as mentors to elevate the importance of security across the entire department. They can then leverage ongoing training to educate their developers about some of the most common types of risks.

Once that culture is in place, vendors can look to build on it. They can do that by revising their job postings to emphasize the need for security training and skills among applicants. They could also create a suite of key performance benchmarks to reward developers for their secure behavior in the workplace.

A Coherent Structure Around Software Supply Chain Security

Software supply chain cyberattacks aren’t going away anytime soon. As such, it’s up to software vendors to secure their products. This requires a holistic approach. If organizations unite their people, processes and technology, they can build a coherent culture centered around software supply chain security.
