How do you vet the security of third-party software from vendors, partners, and contractors? Follow software supply chain risk management best practices.
“Supply chain” is a good term for the collection of third parties—vendors, partners, contractors, etc.—an organization does business with, because a chain is a series of “links.” It’s a significant word in cyber security—as in, “you’re only as secure as your weakest link.”
And there is a critical need for regular reminders of that reality, not just during National Cybersecurity Awareness Month. There is a large and ominous pile of evidence that most supply chains have some very weak links. What is more ominous is that even though most organizations are well aware of the risks—given the ongoing headlines, how could they not be?—few of them are doing much about it.
Perhaps the most famous example of a weak link risk is megaretailer Target. Six years ago, attackers were able to steal 40 million debit and credit card numbers and 70 million other records that included addresses and phone numbers through an email phishing attack on one of the company’s service suppliers—a heating, ventilation, and air-conditioning (HVAC) contractor. That gave the attackers access to Target’s point-of-sale (PoS) payment card readers.
But famous does not mean rare. Supply chain attacks are rampant. Earlier this year, endpoint security firm Carbon Black issued a report on so-called island hopping—the term for what attackers do when they try to expand on a breach of a victim’s network.
According to the report, “attackers these days want to ‘own’ your entire system … Exactly half (50%) of today’s attacks leverage island hopping.”
Or as Tom Kellermann, Carbon Black’s chief cybersecurity officer, put it in the report: “They’re not just, say, invading your house—they’re setting up shop there, so they can invade your neighbors’ houses too.”
Ponemon’s 2018 Data Risk in the Third-Party Ecosystem found that 59% of more than 1,000 respondent companies in the U.S. and U.K. said they had been victims of a data breach caused by a third party or vendor during the previous year. Another 22% said they didn’t know if they had been or not.
The headlines are littered with other examples. Russian hackers were able to spread the infamous NotPetya malware in 2017 in part by compromising the update mechanism for a Ukrainian accounting application.
That technique has continued into this year. Motherboard reported in March that Kaspersky Lab researchers found that attackers had compromised the Live Update function of Taiwan-based ASUS, one of the world’s largest computer makers, to spread a malicious backdoor to about 500,000 computers. The researchers labeled it ShadowHammer, and it worked because “the malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update.”
There are plenty more examples, but you get the idea.
Why is the supply chain so popular among attackers? One obvious reason is that it is an ever-expanding attack surface. Businesses, especially in an online world, are interconnected like never before. Most of them use dozens to hundreds to even thousands of apps—many from external vendors.
Given all that, organizations ought to be taking the advice of NIST (National Institute of Standards and Technology) on Cyber Supply Chain Risk Management (C-SCRM): The agency calls for “identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.”
But as noted above, while organizations say they are aware of the risks, most admit that they aren’t making supply chain security a priority.
A May 30 report from research and advisory firm Gartner, Get Ahead of the Expanding Risk Frontier: Supply Chain Security, found that “supply chain leaders rank cyberattack risks at the top of their list of concerns, yet only 10% of them characterize the relationship between their function and IT as strategic.”
Which is both ironic and troubling, since plenty of help is available for anyone who cares to use it.
It was more than three years ago that Mike Ahmadi, then director of critical system security at Synopsys (now vice president of transportation security at DigiCert), and George Wrenn, then CSO and vice president of cyber security for Schneider Electric (now founder and CEO of CyberSaint Security), offered extensive advice on how to develop effective procurement language. Such language is designed to hold a supplier or other third party contractually liable for the statements they make about the quality, reliability, and—most of all—security of the software they are providing.
That ought to be fundamental since, as we all know, when people sign something, they tend to take it more seriously.
Second, it is well known by now—the annual Open Source Security and Risk Analysis (OSSRA) report by Synopsys has been documenting it for years—that software today is assembled with up to 90% of the final code coming from a combination of open source and third parties.
An organization that doesn’t know, and test, what’s inside that code is asking for supply chain problems. And as Ahmadi pointed out back in 2016, doing that doesn’t have to mean laborious, time-consuming manual reviews. Instead, automated tools will help you do it more accurately and much faster.
“You could manually comb through and create test cases that could fuzz something at a protocol level,” he said. “Or you could connect them to our automated testing tools, push the button, and wait.”
There is also the BSIMM (Building Security In Maturity Model) report, which helps organizations grow and improve their software security initiatives (SSI) by showing what other organizations in their industry are doing and what works. The authors of that report also provide the BSIMMsc (formerly called vBSIMM), focused on software supplied by third parties.
Sammy Migues, principal scientist at Synopsys and a co-author of the BSIMM, notes in a white paper that the BSIMMsc “leverages attestation and automation to function as a foundational security control for software supply chain risk management.”
Put a bit more simply, it is designed to help organizations avoid software vendors that are “clueless.”
That report, based on discussions within the BSIMM community between software vendors and acquirers, suggests a list of criteria for vetting software suppliers. Those vendors should be able to produce evidence of the following:
Beyond that, the Gartner report offers a playbook for organizations seeking to conduct effective oversight of the security of their third-party vendors.
Among the recommendations from analysts Katell Thielemann, Mark Atwood, and Kamala Raman:
Finally, Emile Monette, director of value chain security at Synopsys, points to a compilation of supply chain software security practices he assembled from various sources, including NIST SP 800-161, ISO 20243, SAFECode third-party risk practices, the EastWest Institute ICT Buyers Guide, Department of Homeland Security implementation of C-SCRM in its programs, and others.
That is a long list, and even doing it all won’t make you perfect. But it will get you a lot closer. Which is usually enough to get attackers to look for easier targets.
And the primary question shouldn’t be, “Can we afford to do it?” Given the risks of data theft, legal liability, brand damage, and more from a porous supply chain, the question should be, “Can we afford not to do it?”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.