What Is Supply Chain Security?

Supply chain security is the process of detecting and remediating security risks that arise within a business’s software supply chain.

Modern businesses routinely depend on third-party applications and digital services to help power their operations. These external resources, which are known as the software supply chain, help companies obtain the tools and applications that they need for workers to be productive. Third-party software also reduces the amount of effort that a company’s own developers need to spend building software from scratch, because they can borrow externally developed solutions instead.

Unfortunately, software supply chains may also place your business at risk. When third-party applications contain security flaws – or when third-party resources are integrated into your business’s IT environment in an insecure way – they can introduce vulnerabilities, expose sensitive data, and create backdoors that threat actors can use to gain entry into mission-critical systems.

For all of these reasons, guaranteeing the security of the software supply chain must be a priority for any business that uses third-party applications or services. This article explains what supply chain security means and why it’s important, and provides best practices for preventing supply chain attacks.

What Is Supply Chain Security?

Again, the software supply chain is the collection of third-party applications and services that a company uses. For instance, all of the following are common examples of third-party software resources that a business might deploy:

• An identity and authentication platform or service that a business uses to manage identities and access for other applications or services in their IT estate.
• A SaaS accounting application that a company’s accountants use to manage financial data.
• Open source code hosted on a third-party site that a company’s developers import into their own applications in order to add functionality that they don’t have time to build themselves from scratch.

If security issues exist within any of these third-party software resources, they can affect the organization that uses the software. For instance, if a Customer Relationship Management (CRM) platform is subject to a security vulnerability that allows attackers to plant malware in the CRM system, the malware could potentially spread to the networks of businesses that use the CRM software. Or, in the case of the SaaS accounting platform, the lack of data encryption for sensitive financial information stored in the platform could expose the data of organizations that use the software. For the open source code, vulnerabilities that exist in the code will also exist in any applications built partly on the basis of that code.

Supply Chain Risks Aren’t Limited to On-Prem Software

Importantly, you don’t have to install and run insecure third-party software yourself in order to be subject to supply chain security risks. Even if you’re using hosted, fully managed apps that are delivered via a SaaS or PaaS architecture, they could introduce security risks into your environment if they have access to your company’s own applications and data.

Supply Chain Risks Extend Beyond Vulnerabilities

It’s important to note, too, that supply chain security risks aren’t limited to vulnerabilities within third-party applications themselves. Vulnerabilities – meaning a security flaw that allows attackers to exploit an application in some way – are one type of software supply chain security risk, but they’re not the only one.

Insecure integrations between third-party apps and your company’s own IT resources can also create risks. For example, imagine that you want to connect a third-party CRM platform to your company’s customer database. You might use a plugin to grant the CRM platform access to customer data. But if – due to oversight or lack of awareness – you configure the plugin such that it has access to all of your company’s databases, not just those that contain customer data, you’ve created an instance of excess permissions and unnecessary risk.

Further, plugins, connectors, and extensions can contain innate security vulnerabilities, even if the third-party apps that they connect to do not. This is another way in which integrations can introduce supply chain security risks into your IT estate.

The Importance of Software Supply Chain Security

Protecting against software supply chain risks is important because, in most cases, companies have very little ability to ensure that third-party software is developed according to strong security standards. They can’t oversee the development practices of third-party coders. In most cases, they don’t even have access to third-party source code; all they get are binaries.

As a result, many of the methodologies that are effective for securing internally developed software can’t be applied to software supply chains. You can’t scan most third-party applications for vulnerabilities, for instance, because you don’t have access to their source code. Nor can you audit access control configurations within the CI/CD pipelines of third-party developers to ensure that they adhere to best practices.

Instead, the best you can do is be aware of which third-party applications and integrations you are using and monitor them for potential security issues. If you have a comprehensive inventory of third-party software assets, you can determine whether they are subject to any known security vulnerabilities or advisories. You can also validate the configurations of plugins and connectors to ensure that they adhere to best practices like following the principle of least privilege.

In addition, in certain cases, a business’s own customers may require the business to demonstrate that it adheres to supply chain security best practices. For example, companies that supply software to U.S. federal agencies may be required to provide a Software Bill of Materials, or SBOM, which lists the third-party software resources that the company depends on. If you want to do business with the federal government, then, you are likely to need an inventory of your supply chain so that you can produce an SBOM upon request.

The fact that supply chain attacks are an increasingly popular way for threat actors to harm businesses makes supply chain security all the more important. From the perspective of attackers, supply chain breaches are great because compromising a single tool or platform could provide access to the IT estates of the thousands of businesses that use the tool or platform. That’s a lot more lucrative for a threat actor than breaching just a single company by attacking one of its internally developed apps.

Partly for this reason – and partly because businesses collectively deploy well over a hundred thousand third-party apps every year, creating more potential supply chain risks for attackers to exploit – there has been a surge in supply chain attacks in recent years, with no sign that they will slow down soon.

Types of Supply Chain Risks and Attacks

When planning a software supply chain security strategy, IT and security teams should prepare for the following specific types of risks and attacks.

• Vulnerabilities: Flaws within the source code of third-party applications, such as lack of data validation or buffer overflow attacks, can create vulnerabilities that attackers may exploit to gain unauthorized access to a company’s resources or even take control of its applications or servers.
• Insecure data management: Third-party software that fails to manage data securely can place the sensitive information of your business at risk. For instance, a platform that doesn’t encrypt the data you upload into it makes it easy for unauthorized parties to view your private data.
• Misconfigured access controls: Weak access controls within third-party software that connects to your business’s own apps or data can give attackers a backdoor into your IT estate. For instance, a platform that is configured to grant admin-level permissions to all users could lead to abuse of your systems.
• Data governance and security issues: In some cases, third-party software may store or manage data in ways that violate compliance or governance rules that apply to your company. For example, you may be required by a government-mandated compliance policy to store data in a certain region. Third-party software that stores your data elsewhere could expose you to compliance violations.

Examples of Supply Chain Attacks

To add further context to supply chain security, let’s look at a couple of examples of real-world supply chain attacks.

The SolarWinds Breach

Probably the most infamous software supply chain attack to date was the breach of the SolarWinds platform. The attack, which went undetected for months before being discovered in late 2020, resulted from the injection of malware into the source code of a monitoring tool developed by SolarWinds. The malware gave attackers a backdoor into the IT systems of businesses that used the software. Tens of thousands of companies were exposed in this way.

Codecov attack

In 2021, Codecov reported that attackers had modified a component of the Codecov platform, which developers use to help test software. The modifications gave attackers access to data stored within Codecov users’ CI/CD environments, placing sensitive development information at risk. Like the SolarWinds breach, the Codecov attack remained undetected for months, meaning that attackers had unfettered access to their victims’ IT environments during that period.

Supply Chain Security Best Practices

Attacks like these show that even well-managed platforms developed by large, highly responsible software companies can be breached in order to execute supply chain attacks. And there is very little that customers of these platforms can do to prevent the root cause of the attacks.

Fortunately, there are best practices that businesses can follow to minimize their risk of falling victim to supply chain attacks:

• Establish visibility: First, you need to achieve visibility into your supply chain by determining which third-party software and services your company uses, as well as which resources they can access within your IT estate.
• Identify risks: Once you know which third-party resources you’re using, you can determine whether they are subject to publicly disclosed security risks.
• Validate suppliers: In addition to checking public databases for known security risks, supply chain security strategies often involve assessments of software vendors. For example, a company might require that its vendors adhere to certain compliance frameworks to mitigate the risk of introducing vulnerabilities into the supply chain.
• Use reliable suppliers: While supply chain attacks can – and do – affect even the most famous software companies, your risk of using insecure third-party software is generally lower when you adopt software only from trustworthy sources. It’s a best practice to steer clear of unsupported apps that you find in random marketplaces or container registries, and instead to deploy software from large, known vendors or open source projects.
• Enforce best practices: Configuring third-party applications and services in a way that conforms with security best practices won’t eliminate third-party security risks, but it will minimize the chances that they can be exploited inside your IT estate. For that reason, businesses should enforce policies like zero trust, least privilege, and microsegmentation over the third-party apps and resources they use.

Conclusion

In many respects, the software supply chain can be the weakest link in a business’s overall security strategy. Fortunately, with the right strategies and tools, it’s possible to stay ahead of supply chain threats and minimize the risk that they’ll affect your business in the event they do occur.