Don’t risk being the next SolarWinds: Software supply chain security and risk management

Feb 17, 2021 | Blog


The SolarWinds cyber attack has been getting a lot of press ever since it hit the headlines back in December, and rightfully so. The attack impacted many major companies, as well as U.S. federal agencies. The possible orchestration by Russia only increased the chatter around the incident.

While it will likely be months before we know the full extent of the damage, we can (and should) heed the lessons of the attack today. All companies must devote more attention and resources to software supply chain security as part of a more comprehensive security risk management program.

Brief overview of the SolarWinds hack

You’re probably already familiar with the details of the SolarWinds hack, but a quick outline of what transpired is important for understanding what companies should do to protect themselves moving forward.

The backdoored builds were first shipped in March 2020, although later investigation showed the attackers had been inside SolarWinds' environment since at least September 2019. Their target was Orion, a network and application monitoring platform used by more than 30,000 organizations. Rather than tamper with the source repository, the attackers inserted malicious code into Orion as it was compiled, so the build output carried the backdoor while the source looked clean.

Then, as part of a "normal" software update release, SolarWinds unknowingly sent out an update containing this malicious code. Because the update came out of SolarWinds' own pipeline and was signed with its legitimate code-signing certificate, it passed the integrity checks customers normally rely on. The result was a backdoor into the IT systems of every SolarWinds customer who installed the update. Inside the organizations they cared about, the attackers deployed additional malware and gained access to confidential data.

As many as 18,000 SolarWinds customers downloaded the infected update. The pool of potential victims is a long one: SolarWinds' own customer list included 425 of the U.S. Fortune 500, the top 10 U.S. telecommunications companies, and the top five U.S. accounting firms. Organizations reported to have received the backdoored update include Microsoft, Intel, and Deloitte, as well as the Department of Homeland Security, the Pentagon, and the State Department. Cybersecurity firm FireEye was also among the victims; its investigation of its own breach is what uncovered the campaign, and that breach made headlines of its own.

The attack went undetected for months (the backdoored update shipped in March and was discovered in December), increasing the risk that confidential information was exposed. Recent analysis found that the backdoor shares code features with malware previously used by a hacking group that allegedly works on behalf of Russia's FSB security service, although Russia denies any involvement in the incident.

The SolarWinds hack is one of the largest cyber attacks in recent history. It will take a lot of time and resources before companies and federal agencies can be confident their confidential data has not been compromised.

As the investigations continue, one thing we know for sure is that the incident is a wake-up call to companies and government agencies about the importance of a more proactive approach to cybersecurity and specifically to software supply chain security. 

What is software supply chain security and why does it matter?

The SolarWinds hack was a software supply chain attack. The software supply chain covers everything that goes into building a piece of software, from development, through the continuous integration and continuous delivery (CI/CD) pipeline, and into production. It includes the code and binaries, who wrote the code, licensing information, the different versions of the software, and the build, signing, and distribution infrastructure that turns source into a shipped artifact. In essence, it is anything that touches or influences the software during development and deployment.

A direct supply chain attack (such as the SolarWinds event) tampers with software while it is being developed or updated. Malicious code is added to one component of the software and is then distributed to the targets as part of the overall software package. In short, SolarWinds unknowingly distributed the attack for the attackers, and its customers installed what looked like trusted software complete with its backdoor.

Pulling this off is no simple feat, but the payoff is large: the attacker's code runs inside a piece of software the victim already trusts, and a single compromised release reaches every organization that installs it.

A Simpler Approach for Hackers

While inserting malicious code into a vendor's application is extremely difficult, research by Synopsys shows that a comparable (potential) attack vector exists in roughly half of commercial software. The 2020 Open Source Security and Risk Analysis (OSSRA) report analyzed over 1,200 codebases and found that 75% included open source components with known vulnerabilities, and 49% contained high-risk vulnerabilities.

Attackers are rational actors; anything that lowers their cost is attractive. Vulnerabilities in open source components offer a cheap attack vector because most organizations track the open source they use poorly, and exploits for these vulnerabilities are often available on public websites and in popular tools. Rather than hunt for zero-day vulnerabilities in custom code (a difficult and time-consuming task), attackers can start with publicly available exploits for popular open source components.

The results of such attacks can be just as damaging to the victimized organization. The 2017 breach of credit reporting company Equifax, which exposed personal information on roughly 147 million consumers, was the result of an unpatched vulnerability (CVE-2017-5638) in the Apache Struts open source framework; a fix had been available for about two months before the intrusion. The breach forced the company's CEO, CIO, and chief security officer to resign and resulted in a class action settlement valued at $1.38 billion.

The good news is that the large majority of open source vulnerabilities (85 percent, by one estimate) are disclosed with a patch already available. That only helps if your security and development teams actually apply those patches, which in turn requires knowing which components you are running in the first place.

Some best practices that help organizations improve software supply chain security (and application security as a whole):

  • Take a DevSecOps approach—Application security must be part of the software development process from day one, with development and security team members working together. Everyone needs to understand and appreciate the importance of AppSec.
  • Keep a running inventory—Security analysts and developers need to maintain a current inventory (a software bill of materials, or SBOM) of the open source components and third-party software in use across the organization, including the transitive dependencies that direct dependencies pull in. Since thousands of new vulnerabilities are disclosed each year, it is also important to go beyond a basic inventory and know the security risk associated with each component.
  • Actively manage your dependencies—When a new vulnerability is disclosed, your team needs to determine immediately whether your organization is affected, and if so, install the patched version right away. Your security and development teams also need to track changes to applications and the network, as these may introduce new dependencies that need to be monitored for vulnerabilities.
  • Use Software Composition Analysis (SCA) tools—SCA tools analyze applications for third-party and open source components and flag those with known vulnerabilities. They are vital in making sure third-party and open source components don't contain vulnerabilities that put your organization at risk.
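The inventory and dependency-management steps above come down to one repeatable check: parse what you actually pin, compare each component's version against the affected ranges in an advisory feed, and rank what must be patched first. The script below is an added illustration of that check (not code from the original post or from Code Dx/Synopsys). The requirements file and the advisory records are constructed for the example, the advisory identifiers are hypothetical placeholders, and in practice the feed would come from a vulnerability database or an SCA tool.

```python
"""Dependency inventory check: parse a pinned requirements file, match each
component against an advisory feed, and rank what needs patching first.
Added example; the data below is constructed, not real advisory data."""
import re

# Constructed sample inventory, in the shape of a pip-style pinned file.
REQUIREMENTS = """\
# web tier
django==2.2.9
requests==2.22.0
pyyaml==5.1
# build tooling
wheel==0.34.2
"""

# Constructed advisories. Each affects versions in the half-open range
# [introduced, fixed). The ids are hypothetical placeholders, not real CVEs.
ADVISORIES = [
    {"package": "django",   "introduced": "2.2", "fixed": "2.2.10", "severity": "HIGH",     "id": "ADV-EXAMPLE-1"},
    {"package": "pyyaml",   "introduced": "0",   "fixed": "5.4",    "severity": "CRITICAL", "id": "ADV-EXAMPLE-2"},
    {"package": "requests", "introduced": "0",   "fixed": "2.20.0", "severity": "MEDIUM",   "id": "ADV-EXAMPLE-3"},
]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(v):
    """Turn '2.2.10' into (2, 2, 10) so versions compare numerically.
    A plain string comparison would wrongly put '2.2.9' after '2.2.10'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text):
    """Return {package: version} for every '==' pin, ignoring comments,
    blank lines and unpinned specifiers; names are lower-cased."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if m:
            inventory[m.group(1).lower()] = m.group(2)
    return inventory


def is_affected(version, advisory):
    """True if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(inventory, advisories):
    """Match the inventory against the feed; highest severity first, each hit
    carrying the version to upgrade to."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version is not None and is_affected(version, adv):
            hits.append({"package": adv["package"], "installed": version,
                         "upgrade_to": adv["fixed"], "severity": adv["severity"],
                         "id": adv["id"]})
    return sorted(hits, key=lambda h: SEVERITY_RANK[h["severity"]], reverse=True)


if __name__ == "__main__":
    for hit in find_vulnerable(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f'{hit["severity"]:9} {hit["package"]}=={hit["installed"]} '
              f'-> upgrade to {hit["upgrade_to"]} ({hit["id"]})')
```

Two details matter in practice. Versions are compared as integer tuples, because string comparison gets "2.2.9" versus "2.2.10" wrong and would silently miss an affected component. And `requests==2.22.0` is correctly reported as clean even though an advisory exists for the package, because the pinned version is past the fix; a naive name-only match would produce a false positive there.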

A lesson in security risk management

While the SolarWinds hack has drawn a lot of attention to the software supply chain, the larger issue here is one of security risk management. Organizations need to invest in the proper tools to monitor and maintain the security and associated risk of all software applications (whether they are home-grown or third-party) and the networks where these applications are running. Companies have too much to lose if a vulnerability is exposed or a breach occurs.

One of the smartest investments organizations can make to help manage application security more effectively is in an Application Security Orchestration and Correlation (ASOC) tool. An ASOC tool makes it possible to scale the AppSec process, so security analysts can work as quickly as developers without taking shortcuts that can jeopardize your applications and the data they house.

Gartner defines ASOC tools as those that “streamline software vulnerability testing and remediation by automating workflows. They automate security testing by ingesting data from multiple sources (static, dynamic, and interactive [SAST/ DAST/IAST], software composition analysis [SCA], vulnerability assessments, and others) into a database. ASOC tools correlate and analyze findings to centralize and prioritize remediation efforts. They act as a management layer between application development and security testing tools.”

We won’t go into every single benefit of ASOC tools, as we have written about them before. But there are five key advantages worth revisiting here that make it easier for companies to manage the risk associated with applications and the larger network.

1.   Centralized management and standardization of AppSec

A main feature of ASOC tools is tool orchestration, which lets security analysts use past remediation data to select the mix of security testing tools appropriate for each application in the organization. The rule set for each AppSec tool can be tuned for each development pipeline based on criteria such as the criticality of the application and regulatory compliance requirements.

Tool orchestration allows the AppSec team to maintain control over security scans, regardless of how many different development teams are working on projects. Development teams can still run whatever scans they want and share that data with the AppSec team, but orchestration allows the AppSec team to make sure that specific scans are always run—creating a consistent and standardized AppSec process across the enterprise.

2.   A “single pane of glass” view

ASOC tools provide a single pane of glass (SPOG), 360-degree view of AppSec through a unified dashboard that correlates and displays data from all of the AppSec tools being used. A single pane of glass view makes centralized risk visibility, situational awareness, and continuous security monitoring of AppSec possible.

3.   Prioritization of vulnerabilities

The Code Dx ASOC tool also has a Triage Assistant that further improves the automation process. A machine-learning classifier learns which issues and vulnerabilities to act on based on prior decisions. Triage Assistant is tailored specifically to each individual organization and reduces the number of false positives, noise, or less-important results security team members have to sort through. Security analysts and developers know which issues to address first and don’t waste time researching potential vulnerabilities that don’t pose a real threat to your organization.

4.   Deduplication and correlation of AppSec testing results

As we mentioned, organizations are usually running a combination of AppSec testing tools on each application. However, each tool produces results in a different format, and the same potential issue may be found by multiple tools. It takes a lot of time to weed through results from multiple tools to remove duplicates and figure out which vulnerabilities are real and/or pose the highest threat.

ASOC tools eliminate these issues with:

  • A single, central hub for application security
  • Support for commercial SAST, DAST, and IAST tools, as well as SCA tools and infrastructure tools
  • Automatic correlation of results from multiple application security tools and manual testing into a single set of results
  • Integration with popular development environments and issue-tracking tools
  • Inclusion of tools to track and remediate vulnerabilities

These features allow you to quickly identify where the most significant risks are and do something about them before they become a problem.
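The correlation and deduplication step above is worth seeing concretely: each tool emits its own schema, so findings are first normalised to one shape, then grouped by the weakness and location they describe, and a finding reported by several tools is kept once with its highest severity and a note of how many tools agree. The script below is an added illustration of that logic (not the Code Dx product's own algorithm), and it finishes with a simple severity-weighted score and letter grade of the kind described under item 5 below. The two tool outputs and the tool names "sast-a" and "scanner-b" are constructed for the example, and the scoring scale and grade thresholds are this example's own choices.

```python
"""Normalise, correlate and deduplicate AppSec findings from two tools with
different output formats, then summarise residual risk. Added example; the
tool names, their output formats and the findings are all constructed."""
from collections import defaultdict

# Constructed output of a hypothetical SAST tool ("sast-a"): one record per
# finding, CWE as a string, severity as a text level. Note the exact duplicate.
SAST_RESULTS = [
    {"rule": "CWE-89", "path": "app/db.py",    "line": 42, "level": "error"},
    {"rule": "CWE-79", "path": "app/views.py", "line": 17, "level": "warning"},
    {"rule": "CWE-89", "path": "app/db.py",    "line": 42, "level": "error"},
]

# Constructed output of a hypothetical second scanner ("scanner-b") with a
# different schema: CWE as an int, location as "path:line", severity 0-10.
SCANNER_B_RESULTS = {
    "issues": [
        {"cwe": 89,  "location": "app/db.py:42",          "severity": 9},
        {"cwe": 798, "location": "config/settings.py:3",  "severity": 7},
    ]
}

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def normalise_sast(results):
    """Map sast-a records onto the common finding shape."""
    level_map = {"error": "high", "warning": "medium", "note": "low"}
    return [{"tool": "sast-a", "cwe": int(r["rule"].split("-")[1]), "path": r["path"],
             "line": r["line"], "severity": level_map[r["level"]]} for r in results]


def normalise_scanner_b(results):
    """Map scanner-b records onto the same shape, bucketing its numeric score."""
    def bucket(score):
        return "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"
    out = []
    for issue in results["issues"]:
        path, line = issue["location"].rsplit(":", 1)
        out.append({"tool": "scanner-b", "cwe": issue["cwe"], "path": path,
                    "line": int(line), "severity": bucket(issue["severity"])})
    return out


def correlate(findings):
    """Group findings describing the same weakness at the same location.
    Duplicates collapse to one entry; the highest severity any tool assigned
    is kept; the number of distinct tools that agree is recorded."""
    groups = defaultdict(lambda: {"tools": set(), "severity": "low"})
    for f in findings:
        g = groups[(f["cwe"], f["path"], f["line"])]
        g["tools"].add(f["tool"])
        if SEVERITY_WEIGHT[f["severity"]] > SEVERITY_WEIGHT[g["severity"]]:
            g["severity"] = f["severity"]
    merged = [{"cwe": cwe, "path": path, "line": line, "severity": g["severity"],
               "tools": sorted(g["tools"]), "confirmed_by": len(g["tools"])}
              for (cwe, path, line), g in groups.items()]
    # Highest severity first, then the issues more tools agree on.
    return sorted(merged, key=lambda m: (SEVERITY_WEIGHT[m["severity"]], m["confirmed_by"]),
                  reverse=True)


def risk_grade(merged):
    """Severity-weighted score on a 0-100 scale plus a letter grade.
    The scale (2 points per weight unit) and thresholds are example choices."""
    penalty = sum(SEVERITY_WEIGHT[m["severity"]] for m in merged)
    score = max(0, 100 - 2 * penalty)
    grade = "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 60 else "F"
    return score, grade


if __name__ == "__main__":
    merged = correlate(normalise_sast(SAST_RESULTS) + normalise_scanner_b(SCANNER_B_RESULTS))
    for m in merged:
        print(f'{m["severity"]:8} CWE-{m["cwe"]} {m["path"]}:{m["line"]} '
              f'reported by {", ".join(m["tools"])}')
    print("risk score %d, grade %s" % risk_grade(merged))
```

On the constructed input, five raw records collapse to three findings: the SQL injection at `app/db.py:42` appears once, rated critical (the higher of the two tools' ratings) and marked as confirmed by both tools, which is the signal an analyst wants to act on first. The correlation key here is (CWE, file, line); real tools disagree on line numbers and rule naming, so production correlation typically tolerates nearby lines and maps vendor rule ids to CWEs before grouping.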

5.   A project risk score

Our ASOC tool also assigns a risk score to each project. The score is a percentage derived from the number of vulnerability findings in custom code and third-party components, and it is presented as a letter grade so you can get a quick sense of the overall standing of a given project.

The risk score helps managers and executives monitor progress on application security over the life of a project and quickly identify potential problem areas. Investing in the right tools lets you mitigate your risk of a breach while turning your security and development teams into a collaborative group that works together more quickly and efficiently.

Contact us today for a demo of our ASOC tool to find out how you can scale up your AppSec efforts across the enterprise and reduce your risk of being the next SolarWinds.

