Software Supply Chain Attacks: A Clear and Present Danger

Eran Orzel
Jan 31 · 2 min read

One year after the SolarWinds Sunburst attack, most companies are still exposed to software supply chain attacks.


A study conducted by Argon Security at Aqua Security found that the majority of companies have not implemented software supply chain security measures and that most organizations are still exposed to software supply chain attacks. Download the report here


“Unfortunately, most security teams lack the resources, budget and knowledge to deal with supply chain attacks,” said Eran Orzel, head of Argon’s sales and customers. “Implementing strong security over the software supply chain takes time and organizations need to prioritize this now to be able to secure their process and application against the next attack wave.”

In the modern world, one of the “hot” targets for cyber attackers is the software development supply chain. When attackers launch a supply chain attack, they throw a wide net, affecting thousands of companies in a single attack. These attacks also have a strong economic impact, and they damage the customer-vendor relationships of companies that depend on their cloud security vendors and trust the software updates of their software vendors.


12 Months’ Timeline: Software Supply Chain Security


The Argon study identified three primary areas of risk affecting the software supply chain security posture. Closing these security gaps should be a top priority.

  1. Vulnerable Package Usage: There are two attack vectors that leverage open source packages. The first is exploiting existing vulnerabilities discovered in open source packages and leveraging them to execute the attack (example: the recent Log4j cyberattacks). The second vector (package poisoning) is more proactive: the attacker takes control of a popular package or public repository and injects malicious code into the open source package, letting developers or pipeline tools add it as part of the application build process (example: the ua-parser-js package poisoning).
  2. Compromised Pipeline Tools: Attackers can take advantage of privileged access, misconfigurations, and vulnerabilities in the CI/CD pipeline infrastructure to gain access to the development process and launch their attacks. A compromised tool can expose an application’s source code, enable attackers to manipulate the code during the build process, and add vulnerabilities to the application (e.g., SolarWinds).
  3. Code/Artifact Integrity: Uploading bad code to source code repositories directly impacts the artifact quality and security posture. Common issues found in most customer environments were sensitive data in code (secrets), code quality and security issues, infrastructure-as-code issues, and container image vulnerabilities and misconfigurations.
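One concrete control against the package poisoning and artifact integrity risks listed above is to refuse any dependency that is not pinned to an exact version and content hash, so that a hijacked package publishing a new release, or a tampered tarball served under the pinned version, fails the build. The following is an added example (not code from Argon, Aqua, or the report) using a simplified parser for pip-style `--hash=sha256:` requirement lines; the package name, tarball bytes and lockfile are constructed for the demo.

```python
import hashlib
import re

# One exact-version, sha256-pinned requirement per line (simplified pip "requirements with hashes" syntax).
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$")


def parse_lockfile(text):
    """Return {name: (version, sha256)}; reject any line that is not an exact, hash-pinned requirement."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:  # a range like ">=2.0" would let a poisoned newer release into the build
            raise ValueError(f"line {lineno}: not pinned to an exact version and sha256: {line!r}")
        pins[m["name"].lower()] = (m["version"], m["digest"])
    return pins


def lockfile_is_fully_pinned(text):
    try:
        parse_lockfile(text)
        return True
    except ValueError:
        return False


def verify_artifact(pins, name, version, data):
    """Check an artifact fetched from the registry against the lockfile; return (ok, reason)."""
    name = name.lower()
    if name not in pins:
        return False, f"{name} is not in the lockfile"
    want_version, want_digest = pins[name]
    if version != want_version:
        return False, f"{name}: registry served {version}, lockfile pins {want_version}"
    if hashlib.sha256(data).hexdigest() != want_digest:
        return False, f"{name}=={version}: sha256 mismatch, contents changed since pinning"
    return True, "ok"


# Constructed sample (not a real package): the genuine tarball and a lockfile generated from it.
GOOD_TARBALL = b"constructed contents of example-pkg 1.2.3"
LOCKFILE = f"# constructed lockfile\nexample-pkg==1.2.3 --hash=sha256:{hashlib.sha256(GOOD_TARBALL).hexdigest()}\n"


def demo():
    pins = parse_lockfile(LOCKFILE)
    return {
        "genuine": verify_artifact(pins, "example-pkg", "1.2.3", GOOD_TARBALL),
        "hijacked_release": verify_artifact(pins, "example-pkg", "1.2.4", b"malicious build"),
        "tampered_tarball": verify_artifact(pins, "example-pkg", "1.2.3", b"malicious build"),
    }
```

Running `demo()` shows the genuine artifact passing while both the newer hijacked release and the tampered tarball are blocked before they reach the build.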

Attackers operating in this space are increasingly exploiting weaknesses in the process of developing and deploying software and trying to sabotage it, from code theft to code and process manipulation. Looking at the sharp increase in the number of attacks and the damage they inflicted, current efforts and standard security products cannot block such attacks. Organizations must take a proactive and more modern approach to protecting the integrity of their software supply chain process and the security posture of their applications.

Protecting the Software Supply Chain is possible!

Security and DevOps teams need to collaborate in building their software supply chain security strategy and implement automated security within the development process. By adopting a new security paradigm and solutions designed to secure the software development process against this new wave of sophisticated attacks, organizations can close these security gaps and prevent supply chain attacks. Contact Argon’s experts to start your journey.
