Software supply chain concern on the rise
Although reliance on third-party providers, from applications to IT infrastructure and services, was normal even before the pandemic, the pace of adoption is now increasing. These trends are fueling growing concern among security professionals, as shown in a recent survey conducted by the Neustar International Security Council (NISC), in which 76% of respondents said they now view software supply chain risk as a top security priority.
Compromising an application provider or a trusted supplier is very valuable from the attacker's point of view. Consider an application provider that sells an ERP application to thousands of customers. Injecting malware into a regular update of that ERP software provides a direct foothold into thousands of organizations. These so-called supply chain attacks are increasingly explored by threat actors.
A well-known example of a supply chain attack is Sunburst, perpetrated against the software vendor SolarWinds in 2020. In this case, a malicious software update was deployed to roughly 18000 organizations worldwide. Microsoft found that at least 40 organizations were further infiltrated through this deployment.
Organizations used to worry about a vendor selling software with exploitable security bugs (Microsoft, remember?). Now the worry is whether a vendor's network was infiltrated and its code repositories subverted to automatically push a malicious update to thousands of unsuspecting organizations. Whereas security bugs were previously mostly the inadvertent result of bad coding practices, the concern is now the malicious intent of a multitude of well-funded and motivated threat actors.
From compromised trusted software vendors to malicious packages on otherwise legitimate code repositories, it's worth remembering that any organization is only as secure as the least secure partner in its supply chain.
Read more about the NISC survey on Help Net Security.