The Challenges of Securing a Software Supply Chain
One of the main concerns of IT security teams is how to meet the challenges posed by the increasing use of third-party platforms and services. The need for security that covers third parties applies to physical supply chains, software supply chains, and outsourcing contracts.
In its UK CEO Outlook 2021 report, KPMG found that 81% of executives considered protecting their partner ecosystem and supply chain to be as important as building their own organization’s cyber defenses.
In January 2022, the White House brought together government and private sector stakeholders to discuss initiatives to improve open source software security and how further collaboration can drive improvements.
US President Joe Biden has made software security a national priority. His Cybersecurity Executive Order requires that only companies that follow secure software development lifecycle practices and adhere to specific federal security guidelines can sell software to the federal government.
The order also calls on the industry to advance the use of software bills of materials (SBOMs), which aim to make it easier for people and organizations that purchase software to understand what components were used to create the products they use.
Discussing the risks inherent in a software supply chain, Mike Gillespie, CEO and co-founder of independent security consultancy Advent IM, said, “We know that third-party breaches have been in the news for a few years. Not only does this show no signs of changing, but as we continue to work in remote and hybrid styles, the results of poor technology implementation and poor security risk management potentially expose further organizations to each other. And we know all too well how quickly connections between supply chain partners are exploited these days.”
The latest available data from the UK Information Commissioner’s Office (ICO), covering the third quarter of 2021, revealed that 51% of organizations had been breached through a third party in the previous 12 months. The ICO found that three-quarters of these breaches were due to third parties with overprivileged access.
Gillespie recommends that organizations strive to become more cohesive with better information flow for risk management. “Too few risk assessments start with a detailed, well-informed threat assessment, which means risk treatment is often flawed,” he says.
Open source security pipeline
Modern software development relies heavily on open source components. These components in turn pull in other open source libraries, standing, as the saying goes, on the shoulders of giants.
In May 2021, Biden issued an executive order to improve software security by establishing baseline security standards for software sold to the government, which requires software developers to maintain greater visibility into their software and to make security data publicly available.
In the complex world of a software supply chain, the challenge for a chief information security officer (CISO) is not just to identify every open source component that has been used in an enterprise software system, but also how to audit the maintainers of those projects, to ensure they have secure coding practices in place and patch vulnerabilities in a timely manner.
Since freely available open source code can be pulled from a repository such as GitHub and incorporated into enterprise software, there is no guarantee that the enterprise software vendor will be able to pressure the maintainer of that code to fix any issues that arise.
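The inventory problem described above is exactly what an SBOM is meant to make tractable: a CycloneDX document lists each component together with a dependency graph, so the transitive components an application pulls in can be enumerated mechanically rather than guessed at. The following is an added example, not code from the article or from any vendor quoted in it. It walks the dependency graph of a small CycloneDX 1.4 document constructed for the example (the component names and hashes are placeholders, not real packages or advisories), records how many hops from the application each component sits, and flags components that ship without a hash (so the artefact cannot be verified against the SBOM) or that are listed but never reached from the application root.

```python
"""Walk a CycloneDX SBOM's dependency graph to inventory transitive components.

Added example, not part of the article. The SBOM below is constructed for
illustration: component names, versions and hashes are placeholders.
"""
import json
from collections import deque

# Constructed CycloneDX 1.4 document. bom-ref values follow the purl convention.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": "app:billing-service",
                               "name": "billing-service", "version": "2.3.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/stream-client@1.4.2",
         "name": "stream-client", "version": "1.4.2",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "library", "bom-ref": "pkg:generic/kv-store@6.20.3",
         "name": "kv-store", "version": "6.20.3",
         "hashes": [{"alg": "SHA-256", "content": "1" * 64}]},
        # No hash: the consumer cannot verify the artefact matches the SBOM entry.
        {"type": "library", "bom-ref": "pkg:generic/compress-lib@1.5.2",
         "name": "compress-lib", "version": "1.5.2"},
        {"type": "library", "bom-ref": "pkg:generic/log-lib@2.14.1",
         "name": "log-lib", "version": "2.14.1",
         "hashes": [{"alg": "SHA-256", "content": "2" * 64}]},
    ],
    "dependencies": [
        {"ref": "app:billing-service",
         "dependsOn": ["pkg:maven/org.example/stream-client@1.4.2", "pkg:generic/log-lib@2.14.1"]},
        {"ref": "pkg:maven/org.example/stream-client@1.4.2", "dependsOn": ["pkg:generic/kv-store@6.20.3"]},
        {"ref": "pkg:generic/kv-store@6.20.3", "dependsOn": ["pkg:generic/compress-lib@1.5.2"]},
        {"ref": "pkg:generic/compress-lib@1.5.2", "dependsOn": []},
        {"ref": "pkg:generic/log-lib@2.14.1", "dependsOn": []},
    ],
})


def dependency_depths(sbom_json):
    """Return {bom-ref: hops from the root application} using a breadth-first walk.

    Depth 1 is a direct dependency the organization chose; depth 2 and beyond
    were chosen by someone else's maintainer. A cycle in dependsOn is handled
    because each ref is recorded on first visit only.
    """
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:  # first visit is the shortest path
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def unverifiable_components(sbom_json):
    """Names of components that carry no hash, so the shipped artefact cannot be checked."""
    sbom = json.loads(sbom_json)
    return sorted(c["name"] for c in sbom.get("components", []) if not c.get("hashes"))


def orphan_components(sbom_json):
    """Components listed in the SBOM but never reachable from the root: inventory gaps."""
    sbom = json.loads(sbom_json)
    reachable = dependency_depths(sbom_json)
    return sorted(c["name"] for c in sbom.get("components", []) if c["bom-ref"] not in reachable)


if __name__ == "__main__":
    for ref, depth in sorted(dependency_depths(SAMPLE_SBOM).items(), key=lambda kv: kv[1]):
        print(f"depth {depth}: {ref}")
    print("no hash:", unverifiable_components(SAMPLE_SBOM))
    print("unreachable:", orphan_components(SAMPLE_SBOM))
```

On the constructed document, compress-lib sits three hops from the application and is the only component the organization could not verify by hash, which is precisely the kind of deep, unverifiable dependency that a spreadsheet of direct suppliers never surfaces. A real SBOM from a build tool follows the same shape, so the same walk applies; the depth value is a useful first cut for deciding which maintainers deserve the audit the text describes.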
Raw open source software tends to be provided “as is,” without warranty or obligation on either side, says Percona CEO Peter Zaitsev. “Things happen on the basis of goodwill relations and negotiations,” he adds. “If you want guarantees – help and support, bugs fixed, old versions maintained, etc. – all this comes with commercial agreements with companies or individual developers.”
While the open source community talks about a project’s license, and any code under a license approved by the Open Source Initiative is considered open source, Zaitsev says, “Most open source is useless abandonware – you can find dozens of millions of such projects on GitHub alone. To be useful, an open source project needs more than a license – it needs at least good governance.”
This, he says, must, at the very least, stipulate how decisions are made about what goes into the project and how benevolent developers, acting in the interests of users, can contribute to the project.
“That’s why, when choosing open source software, it’s a good idea to choose software with a proven track record, backed by a reputable non-commercial organization (e.g., CNCF) or a directly interested commercial vendor on the market,” adds Zaitsev.
Many companies contribute open source code that they developed internally to solve a business problem, but they have no commercial interest in that code. An example of such a project is RocksDB, a storage engine maintained by Facebook that manages how data and metadata are stored.
Apache Kafka Streams is one of the open source components that uses RocksDB. In a blog post he co-authored, Bruno Cadonna, software developer at Confluent and Apache Kafka committer, describes RocksDB as a “highly adaptable, embeddable and persistent key-value store”, adding that “many companies use RocksDB in their infrastructure to get high performance to serve the data”.
In the blog, Cadonna and co-author Dhruba Borthakur, CTO at Rockset, describe how to tune RocksDB for Kafka Streams in order to implement highly scalable and elastic applications and microservices that process and analyze data stored in Kafka.
The blog post illustrates how third-party contributors in the open source community rely on open source components to develop new products and services.
RocksDB is included in Percona Distribution for MySQL, and MongoRocks is a RocksDB-based storage engine for MongoDB. While Confluent, Rockset and Percona have commercial offerings built on RocksDB, there is a question of how such organizations get changes made in a timely manner.
“We’ve always found Facebook’s RocksDB team to be quite practical and reasonable, although as with all internal open source, they naturally focus on their own needs,” Zaitsev says. “They’re not building a business around RocksDB.”
The Software Supply Chain Problem
Beyond the need for commercial contracts with service level agreements covering bug fixes and security vulnerabilities in open source components, CISOs must understand the complete end-to-end software supply chain on which the organization’s enterprise architecture is built.
Petra Wenham, a BCS volunteer with long experience in information security and information assurance, warns that the use of third-party platforms and services, together with changes in the way a company’s IT infrastructure is provisioned, gives malicious actors a much larger attack surface to play with. Once access is gained, the attacker has a wider range of opportunities to move around a target company’s IT infrastructure.
“Assuming the security team has a solid understanding of the organization’s business and its internal and external processes, a good starting point would be to map all processes and sub-processes – IT, paper and others,” she says.
“The objective of this mapping is to identify the different boundaries between applications and services, including where third parties themselves use third-party services. By doing so, you should be able to identify the type of control you should have over individual services and the interconnection boundary between services.”
Elizabeth Huthman, cyber director at KPMG UK, points out that some organizations are making smarter use of technology to improve their third-party risk management programs. This, she says, means going beyond one-time assessments, which can be out of date within a week, to continuous monitoring of controls, which gives them a live view of the risk environment.
According to Huthman, some KPMG clients are adopting governance, risk and compliance (GRC) tools for richer reporting, rather than relying on spreadsheets into which security metrics are entered by hand. Others are also trying to get a clearer picture of their IT environment so they know how they would be affected if another event like Log4j occurred, and which of the organization’s vendors are most susceptible.
But, as Huthman points out, “it’s a huge challenge” to understand risk downstream in a supply chain. “A lot [of organisations] dig into the fourth party layer due to dependencies between third parties and fourth parties. I think as an organization we have to take a stand. You’re not going to go all the way with every vendor. You have to extrapolate.”
Huthman’s point is relevant to how CISOs manage the security risk inherent in complex enterprise architectures built on layers of highly interdependent software components, some of which may originate from organizations, or be based on open source components, where the level of security is lower than the business would normally deem acceptable.
The reason a large company may choose to work with smaller, more agile organizations, says Martin Tyley, head of cyber at KPMG UK, is that it allows them to innovate faster. “Their skills are in agility and they are quick to innovate, but those traits come with more risk,” he says. “Sometimes you want someone else to do amazing things and deliver great things.”
But that comes with risk. CISOs will need to balance the risk to the organization against the risk of limiting its ability to innovate by leveraging what third-party vendors have to offer.