Across the globe, businesses of all sizes and across all industries are undergoing some form of I.T. transformation. In fact, companies have accelerated the digitization of their internal and external business operations by three to four years since a pandemic upended the world. While COVID-19 can be considered a major accelerant for this change, organizational leaders are also recognizing the strategic importance of embedding technology throughout their businesses.
For many, transformation will be driven by the adoption of third-party commercial off-the-shelf software deployed in-house, software-as-a-service (SaaS) applications that host sensitive data, and open-source third-party libraries that are used to build software. While the introduction of modern technology is a sign of needed progress, businesses shouldn’t overlook the potential security risks that come with all of this innovation. The preponderance of software supply chains will expose unsuspecting businesses in new and complex ways, pushing the boundaries of traditional security defenses.
Vulnerable software supply chains have even caught the attention of the U.S. government, confirming the urgency of this growing cybersecurity risk. In May, government leaders took the first step toward proactively addressing the potential threats lurking in a growing ecosystem of third-party dependencies. Executive Order 14028 outlines a plan calling for the government “to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” The E.O. puts particular emphasis on the security of critical software” which, the government notes, “lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.”
The National Institute of Standards and Technology (NIST) outlined the security measures for protecting critical software, placing a sharp focus on the defenses that are needed to protect data, not just the systems and network around it. This approach, which focuses on protecting the data and all paths to it, recognizes the intractable problem of third-party software applications and libraries that have direct access to sensitive data. As evidenced in the successful attacks carried out over the past several months, enterprise organizations must account for a vendor’s vendor or third-party software that underpins their applications and interfaces if we’re going to truly mitigate the threat of software supply chain attacks.
A Complex Ecosystem
Historically, companies have focused on the risk introduced by their immediate set of vendors and the critical software they rely on. That posture is no longer sufficient, as I.T. transformation pushes the boundaries of the traditional network and makes legacy controls less effective.
While a business may have the right security controls in place, it doesn’t mean its vendors across the software supply chain do. The security strategy can no longer rely on trusting everything from the ecosystem, even from partners and vendors. The expanding software supply chain, along with the complexity of modern applications, means vulnerabilities will be introduced at a greater velocity. To help address the growing scale of attacks within the software development lifecycle, organizations need to adopt a threat model that includes all parts of the supply chain, including nth-party code.
Modern applications are powered by a complex ecosystem of application programming interfaces (APIs), microservices and serverless functions. With more ephemeral workloads and distributed architectures, there’s no silver bullet for pre-production software analysis. Even in the most rigorous software development lifecycle (SDLC), the complexity of development means vulnerabilities will be introduced. This is again why protecting all paths to the data must be the fundamental strategy for organizations.
Tackling the Issue Head-On
Evidenced by earlier software supply chain attacks, bad actors are stealthily maneuvering within the software supply chain by exploiting the vulnerability in a third-party software connection, using it to move laterally and ultimately gain access to the target’s data.
Web application security must evolve and focus more on identifying run-time application behavior, such as whether third-party code is responsible for unwanted actions. Only by blocking unexpected behaviors can one prevent novel attack behavior. This will be critical as enterprise I.T. evolves into diverse, modern application environments.
Application scanning tools are great, but unlikely to identify compromised third-party software embedded in applications. Perimeter tools can be deceived by seemingly innocuous traffic from applications until the signatures are published. Lastly, while many businesses deploy endpoint security, this technology is often blind to application attacks, as they rarely need to touch user devices in the early stages.
Instead, businesses need to deploy runtime application self-protection (RASP) to detect and prevent attacks in real time and from within an application. This technology, recommended in NIST SP 800-53 Revision 5, can pinpoint attacks down to an exact line of code and automatically stop exploitation of a vulnerability, giving organizations the time needed to patch vulnerabilities on their own schedule.
To enable innovation and maintain a competitive edge, organizations will need to modernize their operations. Much of this transformation will be dependent on third-party applications and services.
However, software and application vulnerabilities are fundamental security issues, and companies need to take note. As such, they should put emphasis on their defenses, particularly the APIs underpinning their digital transformation.
With attackers finding stealthy ways to evade defenses and get access to the underlying data, it’s essential that the right controls are in place and the proper tools are being utilized to truly protect data and all paths to it.
Peter Klimek is director of technology, Office of the CTO, with Imperva.