Supply Chain Risk Management (SCRM)

The Continued Increasing Wave of Software Supply Chain Cyber-Attacks

Why software supply chain attacks are on the rise and the importance of comprehensive visibility, SBOMs, and proactive risk management in safeguarding organizations.

What is a Software Supply Chain Cyber Attack?


A software supply chain cyber-attack involves infiltrating an organization's software supply chain to compromise the software itself or the processes used to build and deliver it. Unlike traditional cyber-attacks, which target an organization's own defenses directly, these attacks exploit weaknesses in the third-party software components and libraries the organization depends on. By compromising a single software supplier, attackers can potentially reach the networks of every organization that installs the affected software, creating a cascading series of breaches from one initial intrusion.


The Growing Software Supply Chain Threat Landscape

The threat landscape for software supply chain attacks continues to worsen. According to a range of reports and studies, including the NetRise Supply Chain Visibility and Risk Study, both the frequency and the severity of these attacks are escalating. Below we highlight a few key statistics that show this continued rapid escalation.

  • Gartner's Findings: "Software supply chain attacks have seen triple-digit increases, but few organizations have taken steps to evaluate the risks of these complex attacks."1

  • Ponemon Institute: "Fifty-nine percent (59%) of organizations in this research have been impacted by a software supply chain attack or exploit, and 54 percent of these respondents say the attacks happened in the past year."2

  • Sonatype's State of the Software Supply Chain Report: "There has been an astonishing 742% average annual increase in software supply chain attacks over the past 3 years."3

These statistics underscore the urgent need for organizations to build, at a minimum, comprehensive visibility into the software, software components and dependencies in use across the organization. Quite simply, you cannot secure what you cannot see. This comprehensive software visibility is the starting point for any robust software supply chain security strategy.

 

Read more in the NetRise Supply Chain Visibility and Risk Study, Edition 1: Networking Equipment; Q3 2024



Why Supply Chain Attacks Are Increasing

Several factors contribute to the increasing prevalence of software supply chain attacks:

  • Better Informed Cyber Attackers:

Attackers are becoming more sophisticated and better informed about the software components and libraries that organizations use. This knowledge allows them to identify and exploit vulnerabilities more effectively. Combined with the limited visibility most enterprises have into their own software stacks, this means that, by and large, attackers are better informed about an enterprise's software than the enterprise itself.

  • Lack of Software Visibility:

Most organizations lack detailed visibility into their software components and dependencies; many have no software asset inventory or software bill of materials (SBOM) at all. Without this detailed knowledge of the software stack, vulnerabilities go undetected and unaddressed, handing attackers relatively easy entry points.

  • Single Attack Vector, Multiple Targets:

Supply chain attacks offer a high return on investment for attackers. By compromising a single software supplier, they can potentially gain access to every organization that uses the affected software, amplifying both the impact of the attack and the return on the effort spent developing it.

  • Increased Use of Third-Party and Open-Source Components:

The widespread use of third-party and open-source software components in modern applications increases the attack surface. These components, and the transitive dependencies they pull in, routinely carry known vulnerabilities that remain exploitable when nobody tracks which versions are actually shipped and keeps them updated.

  • Network Accessibility of Vulnerabilities:

Many software vulnerabilities are reachable over the network, which makes them simpler for attackers to exploit. The recent NetRise Supply Chain Visibility and Risk Study of 100 networking equipment devices found, in aggregate, 2,022 weaponized vulnerabilities (vulnerabilities for which exploit code is known to exist), 667 of which were also network accessible. That is roughly seven vulnerabilities per device that are both weaponized and reachable over the network.

The Challenge with Software Supply Chain Attacks

Software supply chain attacks pose significant challenges for enterprises. Below we present just a few of the issues many deal with:

  • Proactive Protection:

The most recent NetRise study found that a detailed software analysis approach to vulnerability reporting, which examines the compiled software itself, uncovers 243.4 times more vulnerabilities than the traditional approach of network-based asset scanning, which largely reports what the NVD lists for the product and version it can detect. If enterprises are unaware of most of their software vulnerabilities, it is impossible for them to proactively address the most important ones through patch management or other compensating controls.

  • Detection Difficulties:

Without an inside-out analysis of the compiled code, companies are simply blind to most of their software vulnerabilities. That makes software supply chain cyber-attacks difficult to detect until it is far too late, and gives attackers far too much time to operate undetected.

  • Response and Remediation:

Responding to and remediating software supply chain attacks is challenging because enterprises, and often the software producers themselves, have no consistent method for pinpointing where the exploited vulnerabilities exist in the deployed software. This lack of knowledge hampers effective response efforts and prolongs exposure.


Steps to Protect Against Supply Chain Attacks

To address these challenges, organizations must prioritize achieving comprehensive software visibility. The findings from the NetRise study underscore the critical importance of having a detailed understanding of all software components within the supply chain. Here are some basic steps companies should consider:

1. Generate comprehensive SBOMs

Creating detailed software bills of materials (SBOMs) is the foundation of effective supply chain security. SBOMs provide a clear inventory of all software components, including third-party libraries and dependencies. This inventory is essential for identifying and managing risks effectively.

2. Implement automated software risk analysis

Traditional network-based vulnerability scanners often underreport vulnerability information. By augmenting these scans with detailed software risk analysis methods, companies can uncover a much more complete risk picture, ensuring a more thorough risk assessment. Automated tools can help generate and analyze SBOMs, providing continuous and up-to-date visibility.

3. Prioritize risk management

Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as whether a working exploit exists (weaponization) and whether the vulnerable component is reachable over the network. This approach ensures that the most critical threats are addressed first. Feeding this vulnerability information into existing security operations center (SOC) tools ensures it is widely available and actionable.

4. Continuous monitoring and updating

Supply chain security is not a one-time effort. Continuous monitoring of software components is essential to stay ahead of emerging threats. Companies should establish processes for ongoing vulnerability assessment and remediation, ensuring that their software inventory is always current, and risks are continuously managed.
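As an added illustration of steps 1 and 3 above (example code written for this page, not NetRise's tooling), the following Python script consumes a CycloneDX SBOM and ranks the vulnerabilities that match its components by weaponization and network reachability first, with CVSS only as a tie-breaker. The SBOM and the vulnerability feed are constructed inline with placeholder IDs so the script runs offline; the feed's `fixed_in`, `weaponized` and `network_accessible` fields are assumptions standing in for whatever an organization's intelligence source actually supplies (fixed-version ranges, known-exploit status, attack vector).

```python
"""Rank the vulnerabilities in an SBOM by exploitability rather than CVSS alone.

Added example, not NetRise code. The SBOM is a minimal CycloneDX 1.5 JSON
document and the vulnerability feed is a constructed list with placeholder
IDs (not real CVEs); both are embedded so the script runs offline. The feed
fields `fixed_in`, `weaponized` and `network_accessible` are assumptions.
"""
import json
import re

# Constructed CycloneDX SBOM: three components as an SBOM generator might list them.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "busybox", "version": "1.31.0",
     "purl": "pkg:generic/busybox@1.31.0"},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "purl": "pkg:generic/zlib@1.2.13"}
  ]
}
"""

# Constructed vulnerability feed. The IDs are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "CVE-0000-0001", "name": "openssl", "fixed_in": "1.1.1l",
     "cvss": 7.5, "weaponized": True, "network_accessible": True},
    {"id": "CVE-0000-0002", "name": "openssl", "fixed_in": "1.1.1m",
     "cvss": 9.8, "weaponized": False, "network_accessible": True},
    {"id": "CVE-0000-0003", "name": "busybox", "fixed_in": "1.32.0",
     "cvss": 5.5, "weaponized": True, "network_accessible": False},
    {"id": "CVE-0000-0004", "name": "zlib", "fixed_in": "1.2.12",
     "cvss": 9.8, "weaponized": True, "network_accessible": True},
]


def version_key(version: str) -> tuple:
    """Split '1.1.1k' into comparable chunks so mixed version schemes sort sensibly.

    Numeric chunks are tagged 0 and alphabetic chunks 1, which keeps tuple
    comparison well-defined (Python refuses to compare int with str).
    """
    return tuple((0, int(c)) if c.isdigit() else (1, c.lower())
                 for c in re.findall(r"\d+|[A-Za-z]+", version))


def tier(record: dict) -> int:
    """1 = weaponized and network reachable, 2 = one of the two, 3 = neither."""
    exploitable = int(bool(record["weaponized"])) + int(bool(record["network_accessible"]))
    return 3 - exploitable


def prioritize(sbom_json: str, feed: list) -> list:
    """Match SBOM components against the feed; return findings, most urgent first."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        installed = version_key(comp["version"])
        for vuln in feed:
            if vuln["name"] != comp["name"]:
                continue
            if installed >= version_key(vuln["fixed_in"]):
                continue  # the shipped build already carries the fix
            findings.append({
                "id": vuln["id"],
                "component": comp.get("purl", comp["name"]),
                "cvss": vuln["cvss"],
                "tier": tier(vuln),
            })
    # Exploitability tier first; CVSS only orders findings within a tier.
    findings.sort(key=lambda f: (f["tier"], -f["cvss"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(SBOM_JSON, VULN_FEED):
        print(f"tier {f['tier']}  cvss {f['cvss']:<4}  {f['id']}  {f['component']}")
```

With the constructed data, the CVSS 9.8 finding in openssl ranks below the CVSS 7.5 finding that is both weaponized and network reachable, and the zlib record produces no finding at all because the SBOM shows a version at or past the fix. In practice the `weaponized` flag would be populated from a source such as the CISA Known Exploited Vulnerabilities catalog or exploit availability data, and `network_accessible` from the CVSS attack vector combined with knowledge of which services the device actually exposes.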

By focusing on these steps, organizations can significantly enhance their supply chain security processes, mitigate risks more effectively, and protect their critical assets.

Conclusion

The urgency to address software supply chain security cannot be overstated. The increasing wave of software supply chain cyber-attacks highlights the critical need for organizations to adopt comprehensive and proactive security measures. By prioritizing software visibility, generating comprehensive SBOMs, implementing automated risk analysis, and maintaining continuous monitoring, organizations can build a strong foundation for their software supply chain cybersecurity efforts.

Now is the time for organizations to act. The threat landscape is growing rapidly, and the consequences of inaction can be severe. The journey towards comprehensive software visibility may seem daunting, but it is a critical step in securing the software supply chain and protecting against the evolving threat landscape.

Endnotes

  1. Mitigate Enterprise Software Supply Chain Security Risks, 31 October 2023, Gartner.
  2. The State of Software Supply Chain Security Risks, Prepared by Ponemon Institute, Sponsored by Synopsys, May 2024.
  3. 8th and 9th Annual State of the Software Supply Chain, Sonatype.

 

Originally published September 23, 2024, updated September 23, 2024.