THANK YOU FOR SUBSCRIBING
Supply chain attacks have been a concern for cybersecurity experts for many years, since the chain reaction triggered by one attack on a single supplier can compromise numerous companies. According to ENISA, The European Union Agency for Cybersecurity, mapping on emerging supply chain attacks finds 66% of attacks focus on the supplier’s code and the software supply chain, exploiting the trust of customers in their suppliers to distribute their attacks or malware.
What is a software supply chain attack?
A software supply chain attack is a cyber-attack that seeks to damage an organization and its customers by targeting vulnerable elements in its software supply chain, usually through a vulnerability,misconfiguration, or targeted attack against one of the suppliers’ products or services.
Understanding the software supply chain market dynamics
To better understand the state of this market, we talked with Eran Orzel, Argon Security‘s Chief Revenue and Customer officer about software supply chain security and what software developing companies need to do to defend against such cyberattacks.
How would you describe the current market situation?
“The recent wave of software supply chain attacks is expected to continue in full force. According to ENISA, supply chain attacks are expected to multiply by 4 in 2021 compared to last year. Such strong trend stresses the need for the cybersecurity community to act now”
“Attackers have identified the software supply chain as a weak link in enterprises defense and will continue to focus on it to launch their attacks. This attack vector is a force multiplier in spreading their malware enabling them to compromise thousands of customers at once as the SolarWinds and Codecov attacks showed us. We already saw tens of millions of dollars in damages due to supply chain attacks in 2021 alone.
As companies rapidly adopt modern software development practices using continuous integration and delivery (CI/CD) processes to automate their software supply chain process, they are exposing their environments to supply chain risks, and without proper security they become easy targets waiting for the attackers to hit them.”
What do you think are the main reasons behind this trend?
“The CI/CD pipelines uses for modern software development consist of dozens of solutions, SaaS services, applications and open-source tools. Add to it that the pipeline tools are not secured by design and are built to be automated, fast, and open and you get an environment which is complex, dynamic and difficult to secure with standard security tools.
In addition to that, the pipeline process is built by the local development teams, including writing all configuration files and scripts, which add another risk vector of potential human errors and misconfigurations, making these environments a holy grail for the attackers. “
The software supply chain pipeline
What are the immediate actions we need to do to mitigate these risks?
“The first challenge is to raise awareness and allocate more resources to supply chain security.” Said Orzel, “Software supply chain attacks cause widespread damage affecting thousands of companies. To deal with such attacks effectively, we need to prevent such attacks before the malicious code is distributed. As we see companies move to the cloud and relying more on DevOps processes to automate their software delivery, their risk from software supply chain attacks will increase. We need to make sure software supply chain security is top of mind for all CISOs and their security leaders.”
“Software companies need to adopt new protective measures to prevent and respond to potential supply chain attacks, preventing impact on their business before it happens. Identifying and investigating such attacks on the customer side will be too late.”
Why are current cybersecurity solutions not good enough?
“Strong traditional security protections are no longer enough for organizations as the attackers have already shifted their attacks to your suppliers, and are taking advantage of the trust in your supplier to carry their attack through its software updates.”, said Eran, “To prevent software supply chain attacks, the suppliers need to ensure that the infrastructure used to design, develop, build, and deliver their software and applications is protected according to supply chain security best practices”
What is the answer for preventing supply chain attacks?
“It takes a purpose-built security solution that is integrated as part of the software supply chain CI/CD process to achieve effective supply chain security.” Said Orzel, “Argon’s unique solution provides holistic multi-layer security for the software supply chain, enabling companies to prevent supply chain attacks such as what happened with SolarWinds and Codecov, and to mitigate supply chain risks from misconfigurations, vulnerabilities, and dependencies. Such consolidated multi-layer coverage was not available in the market until today under one solution.”
“Without enforcing such dedicated security measures on their supply chain, software vendors are risking the trust customers have in their software releases.”
How is Argon solving that problem?
“Argon’s software supply chain security framework provides organizations with practical strategy to identify and mitigate potential and common attack vectors that can be used in software supply chain attacks. Adopting such strategy is the first step in building a secure DevOps process”
“Argon’s solution covers all stages of the software supply chain process from code commit to production, protecting the software supply chain infrastructure, process, users, and code from supply chain risks. In addition, Argon’s patent-pending Integrity module prevents source-code tampering or manipulation during the software development and release process, providing organizations with the highest protection against supply chain attacks.”
Case study: Helping customers mitigate supply chain risks
Using Argon’s solution proved to be very important to one of our customers during the Codecov attack. Argon’s solution monitors and analyze your pipeline process and enforces security policies on the pipeline dependencies. In this case the Argon system notified the customer that the Codecov service that was connected to their CI Pipeline was compromised and was sending out system variables and passwords on every run to the attacker server. Thanks to Argon the customer was able to eliminate this active risk immediately. Argon also helps customers run integrity validation on your dependencies as part of the process, preventing them from running compromised processes.
What should be the next step?
Applying strong security over the software supply chain is a must to stop these sophisticated software supply chain attacks. This is highlighted by the increasing impact of attacks such as SolarWinds, Codecov, and Kaseya, that caused massive damages including downtime of systems, monetary loss and reputational damage.”
We invite information security officers and AppSec teams to start discussing with us how we can work together to prevent supply chain risks.