The software supply chain is more of a web than a traditional chain. That’s a nice way of saying it’s a mess. In dev meetings, it can seem like each tiny functionality requires 3,020 third-party web apps to function.
Economically, this architecture makes total sense – why build brand-new code when you can use existing stuff? – but it also demonstrates how over-reliant our apps are on other pieces of software.
From an application security perspective, this means that your accounting software is built upon a house of cards. You’re at the cybersecurity mercy of not one dev team but, cumulatively, thousands. Let’s break down the software supply chain and see how these vulnerabilities arise.
CCP Spyware in Design
The first phase of software development outlines a software’s goals and structure. It’s here that the team establishes which features are supplied through third-party software. Relying on one compromised module can open up gaping holes in security. In 2016, Android phone manufacturer BLU installed a third-party component to their automatic updater. This turned out to be spyware operated by the Chinese government.
The updater collected the location, contacts and activity of thousands of its customers. Data from text messages and calls was returned to the server every 72 hours, while location data and app usage were sent every 24 hours. This was then sold as marketing data. Developer Shanghai Technologies states that its software is active on 700 million devices worldwide.
Massive Data Loss in Development
Once the third-party software has been chosen, the dev team starts building. Despite microservices fragmenting the coding process, there are plenty of protective measures to keep in-development bugs at bay.
Unfortunately, the modern process of app development is focused on the minimum viable product (MVP). When an app or update is released, it’s stress-tested by the real world, and the devs are left on a bug-fixing back foot.
Take the software development leader SolarWinds. Its Orion application forms the basis of many IT monitoring systems thanks to its affordability and ease of use. In 2019, SolarWinds excitedly released version 2019.4.
Almost a year later, a serious vulnerability was discovered in this update – and in every one since. This oversight had allowed a malicious agent connected to the Russian government to silently install a backdoor.
The agent accessed and modified one module’s dynamic link library (DLL), letting the downloader communicate with the agent’s own third-party servers. After a dormant period of 2 weeks, the DLL begins to retrieve and act on commands, such as receiving and accessing files.
It uses legitimate file signatures and names itself according to the victim’s IT environment. It also uses an IP address originating from the same country as the victim. This uber-stealthy malware was named SUNBURST.
SUNBURST was found to have critically infected the US Government. It’s unclear precisely what data was collected, but email correspondence, Covid-19 vaccination plans and next-generation weapon technologies are all thought to have been funnelled to the Russian government.
Data Spillage in Disposal
Following the software supply chain to its very end, disposal is seeing a data crisis. In 2019, Josh Franz conducted an experiment. He spent $600 on tech from second-hand resellers, collecting an impressive 85 devices, including phones and laptops. He then wrote and ran PowerShell and Python scripts to rip the data from these devices and deposit it nicely onto a USB drive.
Only 2 of these devices had been wiped. Across the 83 unwiped devices, Josh found hundreds of cases of personally identifiable information. This included 600 email addresses, 50 dates of birth, 20 credit card numbers, and even 2 passport numbers. Data leakage from improperly disposed tech is so common that Franz found Social Security numbers for $1 each on the dark web.
Massive cybersecurity holes exist at every stage of the software supply chain: supply chain attacks rose 650% in 2021. And it’s your responsibility, to both your business and your customers, to keep that data secure. Here’s how.
Protecting Yourself and your Customers
Two major forms of app protection can be found in Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP).
A WAF is a shield that sits between an app and the internet. It monitors an app’s connection with the external world, and blocks any user activity perceived as threatening.
Specific behaviours chosen to be blocked – such as SQL injection – can be quickly and easily changed through policy modification. This format is known as a negative security model, focused on blocking patterns of malicious activity. It’s good to implement both negative and positive WAFs – some focused on blocking known-bad patterns, others on allowing only explicitly permitted behaviours.
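As an added illustration (not from the article or any WAF product), here is a toy request filter in Python that runs both models the paragraphs above describe: a deny-list for the SQL injection case and an allow-list for a hypothetical /invoices endpoint, applied to a few constructed requests. The route, the parameter shapes and the sample URLs are assumptions made for the demo.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Negative security model: a deny-list of known-bad patterns (the article's SQL injection
# case). Changing the blocked behaviours means editing this list, nothing else.
DENY_PATTERNS = [
    re.compile(r"(?i)\bunion\b\s+\bselect\b|\bor\b\s+1\s*=\s*1|--|;\s*\bdrop\b"),
    re.compile(r"(?i)<script\b"),
]

# Positive security model: an allow-list of the routes and parameter shapes the app really
# accepts. Constructed for a hypothetical invoicing endpoint, not taken from the article.
ALLOWED_ROUTES = {
    ("GET", "/invoices"): {"id": re.compile(r"\d{1,10}"), "page": re.compile(r"\d{1,3}")},
}

def negative_model_blocks(method, url):
    """True if any deny-list pattern appears in the decoded path or query string."""
    parts = urlsplit(url)
    return any(p.search(parts.path + "?" + unquote_plus(parts.query)) for p in DENY_PATTERNS)

def positive_model_allows(method, url):
    """True only if the route is known and every parameter has an expected name and shape."""
    parts = urlsplit(url)
    spec = ALLOWED_ROUTES.get((method, parts.path))
    if spec is None:
        return False
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        shape = spec.get(name)
        if shape is None or not all(shape.fullmatch(v) for v in values):
            return False
    return True

def decide(method, url):
    """Run both models, as the article recommends, and report which one stopped the request."""
    if negative_model_blocks(method, url):
        return "block:negative"
    if not positive_model_allows(method, url):
        return "block:positive"
    return "allow"

# Constructed sample traffic: a legitimate request, a textbook injection attempt, and two
# requests that look harmless to the deny-list but ask for something the app never offered.
SAMPLE_REQUESTS = [
    ("GET", "/invoices?id=42&page=1"),
    ("GET", "/invoices?id=42'%20OR%201=1--"),
    ("GET", "/invoices?id=42&debug=true"),
    ("GET", "/admin/export?format=csv"),
]
```

The last two sample requests pass the deny-list untouched and are stopped only by the allow-list, which is the practical reason for running both models.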
Whereas a WAF monitors the behaviour of those connected to an app, RASP monitors the app’s own behaviour. When RASP detects the app performing a security-relevant action – such as attempting to run a script or access a file – it will terminate that action. One real advantage of RASP is its real-time analytical capability. Whilst the WAF defends an application’s perimeter, RASP can defend the internal workings of a system – even after a breach has occurred.
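The following Python sketch is an added example, not the article’s or any vendor’s code, of the RASP idea: a process-wide audit hook (sys.addaudithook, Python 3.8 or later) that watches the app’s own actions from inside the interpreter and terminates a process launch or a file write outside the app’s data directory, whatever code triggered it. The policy, the data directory and the three sample actions are constructed for the demo.

```python
import os
import subprocess
import sys
import tempfile

# Constructed policy (not from the article): the app may only write under its own data directory and never launches a process.
POLICY = {"enabled": False, "installed": False, "write_root": ""}
BLOCKED = []  # audit trail of terminated actions, for the security team's logs

class RaspBlocked(RuntimeError): """Raised inside the offending call, so the action never completes."""

def rasp_hook(event, args):
    """Audit hook: watches the app's own behaviour from inside the interpreter."""
    if not POLICY["enabled"]:
        return
    if event == "subprocess.Popen":
        BLOCKED.append((event, repr(args[1])))
        raise RaspBlocked(f"process launch terminated: {args[1]!r}")
    if event == "open" and isinstance(args[0], (str, bytes, os.PathLike)):
        path, mode, flags = os.path.realpath(os.fsdecode(args[0])), args[1], args[2] or 0
        # open() reports a mode string; os.open() reports mode None plus O_* flags
        writing = (isinstance(mode, str) and any(c in mode for c in "wax+")) or flags & (os.O_WRONLY | os.O_RDWR)
        if writing and not path.startswith(POLICY["write_root"] + os.sep):
            BLOCKED.append((event, path))
            raise RaspBlocked(f"write outside data directory terminated: {path}")

def demo(data_dir=None):
    """Three things the app might do at runtime; returns what the hook decided for each."""
    data_dir = data_dir or tempfile.mkdtemp(prefix="app_data_")
    POLICY["write_root"] = os.path.realpath(data_dir)
    if not POLICY["installed"]:  # audit hooks cannot be removed once added, so add exactly one
        sys.addaudithook(rasp_hook)
        POLICY["installed"] = True
    inside = os.path.join(data_dir, "report.txt")
    outside = os.path.join(tempfile.gettempdir(), "rasp_demo_outside.txt")
    actions = [("write_inside", lambda: open(inside, "w").close()),
               ("write_outside", lambda: open(outside, "w").close()),
               ("spawn_process", lambda: subprocess.run(["echo", "hello"], check=False))]
    results = {}
    POLICY["enabled"] = True  # enforce only around the app's work, so the hook stays inert elsewhere
    try:
        for name, action in actions:
            try:
                action()
                results[name] = "allowed"
            except RaspBlocked:
                results[name] = "terminated"
    finally:
        POLICY["enabled"] = False
    return results
```

The exception is raised inside the call that was about to act, so the write and the process launch are stopped before they happen, which is the behaviour the paragraph attributes to RASP.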
WAAP – easily mistaken for Cardi B’s hit single – stands for Web Application and API Protection. Arguably less of a bop, but far better at cohesive application protection seven days a week.
WAAP is an evolved form of WAF, incorporating both app and API protection in its suite of tools. Whereas WAF is largely hardware-driven, WAAP is cloud-based. It’s also focused on automation and on proactive – rather than reactive – protection.
For example, WAAPs protect not only against simple code injection but also automatically defend against and track broken authentication and outdated APIs. Care should be taken to integrate a WAAP suite into your own business’s chain of analysis and response.
It’s Up to You
Today’s businesses are increasingly complex. As companies continue to incorporate widespread remote access – sometimes with only a simple VPN in place – attack surfaces become even larger. On the other side of the supply chain, developers are under increasing pressure to reduce their apps’ time-to-market. Agile development aids in this rapid turnaround – at the expense of solid security.
The reality is that large, upstream gaps in security will continue to be discovered and taken advantage of by malicious agents; businesses like yours must adapt to this evolving threat.