How to minimize software supply chain threats

Most organizations today recognize the need for cybersecurity, but many of these efforts focus on internal matters. The rest of the software supply chain goes overlooked, leaving gaping vulnerabilities.

What is the software supply chain?

The software supply chain refers to all the code, processes and parties involved in software development from start to finish. Think of a traditional supply chain, which involves a series of raw material suppliers, manufacturers, logistics companies and sellers to bring a product to market. Software supply chains are simply the equivalent for digital products.

Modern programs are rarely the product of a single company. Open-source code accounts for 70%-90% of any software solution today — and that doesn’t even include licensed code from other developers.

The software supply chain may involve a huge range of parties and connections, including:

• Source code developers
• Third-party software dependencies
• Internal development teams
• Distribution channels
• Hosting services
• Security providers
• Developers of any integrated apps

Software supply chain threats

Since the software supply chain involves so many parties and steps, vulnerabilities have many opportunities to arise. Consequently, supply chain threats come in many forms. The most straightforward of these is a compromised third party. If a cybercriminal breaks into the code of a software vendor or other party with access, they can affect everyone using that software. This is what happened in the infamous SolarWinds attack in 2020.

Misconfigurations are another common threat. These happen when a team doesn’t implement a third-party application correctly, leaving it vulnerable. Misconfiguration on one party’s side could affect multiple parties further down the supply chain using their services.

Hard-coded secrets — sensitive information like passwords or encryption keys in a program’s source code — are similar. These errors are often simple mistakes from the original developers, but they leave the source code vulnerable. As a result, anything using that code could be susceptible to the same threat. Security researchers found 10 million of these errors in open-source code in 2022 alone.

How to improve software supply chain security

Given these risks, cybersecurity must go beyond a company’s internal processes. To stay truly safe, you must also secure yourself against your supply chain’s weaknesses. Here are five steps to take toward that goal.

Vet third parties and their contributions

One of the most basic yet important steps is to hold other parties to a higher standard. Third-party cyberattacks have risen by 742% since the onset of Covid-19, so it’s not worth taking any chances. Always review any third-party software or open-source code before using it.

If you’re using no-code apps or services, inspect the company offering these resources. Be wary of any providers who’ve experienced repeated security incidents. Prefer to work with those who’ve achieved high-level cybersecurity certifications. If you’re working with code, review it for any vulnerabilities. Look at input and reviews from others who’ve used the same resources to see if anyone’s found any issues.

Minimize access privileges

Next, you should restrict every party’s access privileges as much as possible. Every company, user, device, and application should only be able to access the files and code they need to work properly. This highly restricted practice — known as the principle of least privilege — ensures a vulnerability at one point in the supply chain can’t affect the whole thing.

These restrictions should apply to third parties, direct partners and even company insiders. Over half of all organisations have experienced an insider threat in the last year, so never assume trusted employees are safe.

Embrace DevSecOps

Rethinking your approach to software development can also help. Embracing a DevSecOps development cycle instead of more conventional, linear alternatives is the safest way forward. DevSecOps builds on the practice of DevOps, which emphasises collaboration and efficiency by having development and operations teams work together in short bursts, followed by review and adjustment.

Unlike traditional DevOps, DevSecOps adds security experts into that collaboration. Getting input from cybersecurity teams and reviewing an app’s security at every stage of development helps catch supply chain threats early.

Regularly look for and patch vulnerabilities

Similarly, it’s important to recognize that cybersecurity is an ongoing endeavor. You likely won’t catch all supply chain vulnerabilities initially, and new ones may emerge as cybercriminals adapt. Consequently, you must stay on top of developing security trends. The key is frequently assessing your software and its dependencies for any vulnerabilities. Penetration testing and open-source developer forums are useful resources in this process. As soon as anyone discovers an issue, patch it, and keep track of what you’ve had to adjust.

Create an incident response plan

Finally, devs must realize that since software supply chains are so complex, it’s impossible to prevent all cyber threats. Google detected 41 zero-day exploits — attacks using previously undiscovered vulnerabilities — in 2022 alone. Incidents like this are too common not to have a response plan.

Develop a formal strategy for what to do when your software falls victim to a supply chain attack. This plan should include steps to contain the issue, communication protocols, backup practices and a list of responsibilities. Be sure to rehearse this plan often and adjust it over time as new best practices emerge.

The software supply chain needs protection

Software security must go beyond the final product itself. Nothing happens in isolation, so developers must consider the security of their supply chain partners as well. When you realize that your third parties’ weaknesses are effectively your weaknesses, the need for better supply chain security becomes clear. That awareness is the first step to more comprehensive cybersecurity.