Table of contents

Definition

To understand software supply chain security, it is necessary to first define the software supply chain itself. The software supply chain is anything and everything that touches an application or plays a role, in any way, in its development throughout the entire software development life cycle (SDLC). Software supply chain security is the act of securing the components, activities, and practices involved in the creation and deployment of software. That includes third-party and proprietary code, deployment methods and infrastructure, interfaces and protocols, and developer practices and development tools. Organizations are responsible for performing these security activities, and for providing proof of their security efforts to consumers.

Why are software supply chain attacks trending?

In response to software development organizations taking more steps to secure their applications, attackers have had to get more creative in their own methods. The sharp and continuous rise of code reuse and cloud-native approaches have provided them with additional angles to mount attacks several degrees of separation away from their intended targets. Exploiting just one weakness opens the door for a threat actor traverse down the supply chain where they can steal sensitive data, plant malware, and take control of systems – something we’ve seen plenty of examples of in recent times.

In light of the uptick in security breaches, President Biden issued an executive order directing the heads of several federal organizations to create additional security guidelines surrounding the software they consume and operate. Aimed at bolstering the U.S.’s cybersecurity profile, this order has prompted a nationwide re-examination of organizational security practices that stretches well beyond those specified at the federal level. 


What is an example of a software supply chain attack?

Solar Winds, a major U.S. IT firm, fell victim to a supply chain recently. Weak information security practices by a former intern exposed a critical internal password (solarwinds123). Once the password was compromised, suspected Russian hackers were able to access a system that SolarWinds used to assemble updates to Orion, one of its flagship products. From here, the attackers inserted malicious code into an otherwise legitimate software update, allowing them to monitor and identify running processes that were involved in the compilation of Orion, and replace source files to include SUNBURST malware. Orion updates were deployed to an estimated 18,000 customers, and SUNBURST sent information back to the attackers that was used to identify targets of additional malware, broadened access, and spying. The fact that the intended targets and victims of the attack were several degrees of separation away from the entry point, makes this a popular example of a modern software supply chain attack. 


Six Considerations for Securing Your Supply Chain

Learn how to identify the weak points in your software supply chain, and what tools and practices are necessary to address them.

Download the solution guide

How can you reduce supply chain security risks?

There are key supply chain security practices and approaches you can take to lessen your supply chain security risk.

  • Assess the security and trustworthiness of the code that you consume
  • Ensure developers are keeping writing secure proprietary code
  • Securely build and deploy code
  • Harden data transfer methods used by applications
  • Continuously test and monitor deployed applications for threats
  • Provide consumers with an SBOM

How can Synopsys help?

Synopsys Black Duck® software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers. With powerful insight into the open source dependencies your applications are built on, Black Duck provides you with a software Bill of Materials (SBOM) that details exactly what is in your code, its origin, and any associated security or license risks. Most importantly, an SCA tool can provide this information on a continuous basis, making sure you have the most up-to-date picture of open source risk when minutes make a difference.       

Coverity® is a fast, accurate, and highly scalable static application security testing (SAST) solution that helps development and security teams address security and quality defects early in the software development life cycle (SDLC), track and manage risks across the application portfolio, and ensure compliance with security and coding standards. Coverity enables you to seamlessly secure your proprietary code and guarantee infrastructure-as-code security so that your proprietary code isn’t the weak link in the software supply chain.

Synopsys Web Scanner delivers fast and easy dynamic application security testing (DAST), optimized for developer needs. Synopsys Web Scanner systematically tests all the access points of your web applications through a headless browser to intercept and analyze JavaScript and AJAX requests, even as newly created forms are populated. It checks for the OWASP Top 10 web application security risks as well as other known security weaknesses and vulnerabilities, providing step-by-step instructions on how to eliminate any detected issues. Monitoring application behavior is a critically important way to ensure you are protecting yourself from potential supply chain threats. 


Software Supply Chain Security Infographic | Synopsys

Continue reading

Solution
Software Composition Analysis
Blog
Reduce open source software risks in your supply chain
Solution
DAST Web Scanner
Blog
How an open source software audit works
Blog
Effective software security activities for managing supply chain risks
Blog
Software supply chain security best practices