New guidance highlights software supply chain risks & tips on how to identify, assess, & mitigate risks.
News of last year’s SolarWinds attack was industry-altering. In its wake, 2 US Govt. agencies are issuing guidance to software vendors & their customers on how to be better equipped to defend against future attacks of the same kind.
This week the US Cybersecurity & Infrastructure Security Agency (CISA) & the US National Institute of Standards & Technology (NIST) released Defending Against Software Supply Chain Attacks (.PDF).
Targeting Lesser Known
A supply chain attack typically targets the lesser-known or less secure elements of the software supply chain: 3rd-party providers, vendors, or partners with weaker security are the usual way in.
CISA & NIST observed that recent attacks have relied on 3 techniques in particular: hijacking a vendor’s update mechanism, usually after compromising its network; undermining code signing so that malicious code carries a valid signature & is trusted; & compromising open-source code that is embedded in 3rd-party software.
Common Attack Techniques
This document, released on Mon., gives an overview of software supply chain risks, examples of common attack techniques, & recommendations for developing & overseeing a risk management program.
It encourages readers to think of any product they’re considering purchasing & implementing through the lens of 1 of these programs, like NIST’s Cyber Supply Chain Risk Management (C-SCRM) or Secure Software Development Framework (SSDF).
NIST’s C-SCRM can help organisations identify, assess, & mitigate risks in a distributed supply chain ecosystem. It is not a new concept; it dates back to 2016, but NIST updated C-SCRM this month, so its directives are timely.
SSDF is newer & was originally published in April 2020. This framework draws on secure software development practice guidance from BSA, OWASP, & SAFECode. Its aim is to reduce the number of vulnerabilities in released software & to mitigate the impact of those that are exploited.
The guidance is just that, guidance; as SolarWinds showed, malicious, hard-to-detect code can still find its way into a product, even after due diligence.
This is why CISA & NIST also encourage organisations to run a vulnerability management program. Having a repeatable way to scan for, identify, triage, & mitigate vulnerabilities lets a business put right any issues that surface in the software it ships or runs.
Ensuring software follows a software development life cycle (SDLC) that incorporates SSDF roles & security requirements can also increase the resilience of an organisation’s software.
Organisations should also mitigate vulnerabilities post-deployment by:
- Archiving & protecting each release of software so that the vendor can analyse, identify, & develop mechanisms to eliminate vulnerabilities discovered post-release.
- Maintaining processes, & even a formal program, to identify & confirm suspected vulnerabilities in software, whether identified by the vendor, its customers, or 3rd-party researchers.
- Establishing an assessment, prioritisation, & remediation approach that enables vulnerabilities to be remediated quickly.
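The first of these measures, archiving & protecting each release, is also what lets a vendor or customer detect the hijacked-update technique described earlier: if the digest of every file in a release is recorded at build time & kept out of reach of the build & distribution systems, a later copy of that release can be checked against the record. The example below is an added illustration of that check, not code from the CISA/NIST document or from any vendor. It uses a SHA-256 manifest; the release contents, file names & version string are constructed for the example, & a real deployment would additionally sign the manifest fingerprint rather than rely on the hash alone.

```python
"""Release-manifest integrity check (added example, not from the CISA/NIST guide).

A vendor records a manifest (path -> SHA-256) for every release at build time and
archives it away from the build and update-distribution systems. Anyone holding a
copy of the release can then detect files that were modified, added or removed
after the build, which is how a hijacked update shows up.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(version: str, files: Dict[str, bytes]) -> dict:
    """Record the digest of every file in a release, as the vendor would at build time."""
    return {
        "version": version,
        "files": {path: sha256_hex(content) for path, content in sorted(files.items())},
    }


def manifest_fingerprint(manifest: dict) -> str:
    """Digest of the canonical JSON form of the manifest.

    This single value is what gets archived out of band (or signed); sort_keys and
    fixed separators make the serialisation deterministic, so the same manifest
    always yields the same fingerprint.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


@dataclass
class VerifyResult:
    modified: List[str] = field(default_factory=list)    # present but digest differs
    missing: List[str] = field(default_factory=list)     # in manifest, not in release
    unexpected: List[str] = field(default_factory=list)  # in release, not in manifest

    def ok(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def verify_release(manifest: dict, files: Dict[str, bytes]) -> VerifyResult:
    """Compare a release copy against the archived manifest, reporting every deviation."""
    result = VerifyResult()
    expected = manifest["files"]
    for path, digest in expected.items():
        if path not in files:
            result.missing.append(path)
        elif sha256_hex(files[path]) != digest:
            result.modified.append(path)
    for path in files:
        if path not in expected:
            result.unexpected.append(path)
    return result


# Constructed sample release (hypothetical file names and contents).
CLEAN_RELEASE: Dict[str, bytes] = {
    "README.txt": b"Agent 2.1.0 release\n",
    "bin/agent": b"#!/bin/sh\necho agent 2.1.0\n",
    "lib/core.dll": b"MZ\x90\x00core-2.1.0",
}
MANIFEST = build_manifest("2.1.0", CLEAN_RELEASE)

# Constructed tampered copy: one file patched, one dropped in, one removed.
TAMPERED_RELEASE: Dict[str, bytes] = dict(CLEAN_RELEASE)
TAMPERED_RELEASE["lib/core.dll"] = CLEAN_RELEASE["lib/core.dll"] + b"<injected>"
TAMPERED_RELEASE["lib/loader.dll"] = b"MZ\x90\x00dropper"
del TAMPERED_RELEASE["README.txt"]

if __name__ == "__main__":
    print("manifest fingerprint:", manifest_fingerprint(MANIFEST))
    print("clean release ok:", verify_release(MANIFEST, CLEAN_RELEASE).ok())
    print("tampered release:", verify_release(MANIFEST, TAMPERED_RELEASE))
```

The manifest is only as trustworthy as the place it is kept: if it lives on the same build server that an attacker controls, the attacker simply regenerates it. Archiving the fingerprint separately (or signing it with a key the build pipeline cannot reach) is what turns this from a consistency check into a tamper-evidence control.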
There are a handful of additional variables to consider around software procurement & deployment. The new guide is by no means exhaustive, but it gives organisations a baseline of best practices to follow if they are not already doing so.