Software Supply Chain Security: Top 5 Risks & Defensive Measures

What Is Software Supply Chain Security?

Software supply chain security refers to the practices and technologies employed to protect the entire lifecycle of software development, from initial design through to deployment and maintenance. It involves securing all the components, including third-party libraries, tools, and the infrastructure used. The goal is to prevent attackers from infiltrating and compromising the software, ensuring the integrity and reliability of software products.

The complexity of modern software development, with dependencies on various open-source and third-party components, has increased the importance of supply chain security. By ensuring that every element in the development pipeline is secure, organizations can mitigate the risk of potential vulnerabilities being exploited by malicious actors. This involves continuous monitoring, stringent access controls, and secure coding practices.

This is part of a series of articles about application security.

Top 5 Risks Facing the Software Supply Chain

1. Malicious Code Injection

Malicious code injection occurs when an attacker inserts code into the software during any phase of its lifecycle. This can be through compromised dependencies, tools, or even direct infiltration of development environments. Once the code is inserted, it can execute unwanted actions that potentially compromise the security of the entire system.

Preventing code injection involves rigorous reviews and robust security practices such as automated vulnerability scanning and version-controlled repositories. Developers must be cautious about the sources of their third-party dependencies and ensure that only trusted code is incorporated into the final product.

2. Insecure Open Source Components

Open-source components are widely used in software development due to their flexibility and cost efficiency. However, the use of insecure open-source components poses significant risks as vulnerabilities in these components can lead to larger system breaches. Attackers often exploit outdated or poorly maintained open-source libraries to gain unauthorized access.

To mitigate risks, regular audits of open-source components using tools like software composition analysis (SCA) are essential. Developers should maintain an updated inventory of all open-source libraries in use and apply patches or updates promptly. Utilizing tools for automated dependency checks can also help in identifying and addressing vulnerabilities in a timely manner.

3. Hard-Coded Secrets in Repositories

Hard-coded secrets, such as API keys and passwords, embedded in code repositories can be an easy target. If these secrets are exposed, they can provide unauthorized access to sensitive systems and data.

Developers should avoid hard-coding secrets and instead use environment variables or preferably, secure secret management tools. Implementing automated systems to scan for and remove exposed secrets in code repositories can also help enhance the security posture.

4. Vulnerable or Malicious Third-Party Libraries

Third-party libraries are integral to modern software development but can be a source of vulnerabilities if not properly vetted. These dependencies might contain flaws, or worse, be deliberately designed to infiltrate systems once incorporated into the software.

To address this risk, it's crucial to evaluate and continuously monitor third-party libraries for known vulnerabilities. Utilizing tools that provide alerts for vulnerabilities in dependencies, conducting regular security reviews, and enforcing strict policies for third-party code can help prevent potential security breaches.

5. Compromised Development Environments

A compromised development environment can serve as a backdoor to introduce malicious code or access sensitive data. This could happen through unsecured networks, lack of proper access controls, or unpatched software used in development.

Securing the development environment involves implementing strong access controls, regular updating and patching of software, and using isolated environments for different stages of development. Employing secure coding practices and regular security training for developers can also help mitigate these risks.

Related content: Read our guide to web application security.

Examples of Software Supply Chain Attacks

Polyfill.js Supply Chain Attack

In early 2024, the Polyfill.io service experienced a supply chain attack that had significant implications for its users. Polyfill.io is a widely used service that provides JavaScript polyfills for web applications, enabling them to work across different browsers by emulating modern JavaScript features in older environments.

The attack involved an unauthorized modification of the service, resulting in the distribution of compromised JavaScript files to numerous websites. The attackers exploited a vulnerability in the build process of Polyfill.io, allowing them to inject code into the polyfills delivered to end-users. This code was capable of collecting sensitive information, such as cookies and user data, which could then be transmitted to the attackers' servers.

MoveIT Transfer Vulnerability

In June 2023, a critical vulnerability was discovered in the MoveIT Transfer software, widely used for secure file transfers within organizations. This vulnerability, designated CVE-2023-34362, allowed attackers to perform unauthenticated SQL injection, leading to unauthorized access to the application's database.

Once exploited, it enabled remote code execution (RCE): attackers could exfiltrate sensitive data, manipulate records, and potentially gain further access to the network. The MoveIT Transfer vulnerability posed significant risks, especially for operational technology (OT) infrastructure, where secure and reliable data transfers are crucial. Attackers could disrupt critical operations, steal proprietary information, and cause financial and reputational damage.

Codecov Bash Uploader Attack

In April 2021, it was discovered that attackers had compromised the Bash Uploader script of Codecov, a tool widely used by developers to upload code coverage reports to Codecov’s servers. The attackers modified the script to exfiltrate sensitive information, such as environment variables, credentials, and API tokens, from users' continuous integration (CI) environments. This breach persisted undetected for over two months, affecting thousands of organizations that used the compromised script.

The Codecov incident demonstrated the significant risks posed by third-party tools and the potential for attackers to leverage them to gain access to sensitive information. The breach emphasized the need for developers to verify the integrity of third-party scripts, employ strict access controls, and monitor for unauthorized changes. Additionally, organizations were reminded of the importance of safeguarding sensitive information in CI environments and implementing robust incident detection and response mechanisms.

Log4Shell

The Log4Shell vulnerability, publicly disclosed in December 2021, affected the Apache Log4j 2 library, a ubiquitous open-source logging framework used by countless applications and services. The vulnerability, identified as CVE-2021-44228, allowed attackers to perform remote code execution (RCE) by exploiting how Log4j processes log messages. By simply sending a specially crafted log message, an attacker could take control of a system, execute arbitrary code, and potentially spread malware or exfiltrate data.

The severity of Log4Shell was compounded by Log4j's extensive use across industries, from cloud services to enterprise software. The vulnerability's ease of exploitation and the potential for severe consequences prompted a massive, rapid response from organizations worldwide to identify, patch, and mitigate affected systems. The Log4Shell incident highlighted the importance of proactive vulnerability management, timely patching practices, and comprehensive inventory tracking of software components.

Kaseya VSA Attack

In July 2021, the IT management company Kaseya faced a devastating ransomware attack targeting its Virtual System Administrator (VSA) software. The attackers, associated with the REvil ransomware group, exploited a zero-day vulnerability in the VSA product to distribute ransomware to Kaseya's customers and their clients, many of whom were managed service providers (MSPs). This cascading effect resulted in ransomware being deployed across numerous organizations, causing widespread disruption.

The Kaseya VSA attack underscored the potential for significant impact when a widely used service provider's software is compromised. The attackers demanded a $70 million ransom, one of the largest ever. The incident emphasized the need for robust security measures, such as regular vulnerability assessments, rapid patching protocols, and comprehensive backup and recovery strategies to mitigate the damage from ransomware attacks.

Solarwinds Attack

In December 2020, the cybersecurity world was rocked by the revelation of the SolarWinds attack, a sophisticated supply chain breach that had widespread implications. The attackers, believed to be a state-sponsored group, infiltrated SolarWinds' software development environment and inserted malicious code into the Orion IT management software. This malware, known as SUNBURST, was distributed via legitimate software updates to approximately 18,000 customers, including several U.S. federal agencies and numerous private sector companies.

Once the infected updates were installed, the malware created a backdoor that allowed the attackers to conduct reconnaissance, escalate privileges, and exfiltrate data. The breadth of the attack was unprecedented, enabling unauthorized access to sensitive information and systems over several months. The SolarWinds incident underscored the criticality of vulnerabilities in supply chain security and prompted widespread calls for improved practices in software integrity verification, monitoring, and incident response.