Understanding and mitigating software supply chain risks and vulnerabilities has never been more crucial. Cassie Crossley, an expert in software supply chain security, shares invaluable insights from her extensive research and experience. This comprehensive guide explores the rising frequency and sophistication of supply chain attacks, highlighting key incidents and practical steps for ensuring robust security. Discover how vigilance, secure development practices, and effective governance can protect your organization from devastating supply chain breaches.
💡
This article is based on the conversation with Cassie on the Elephant in AppSec – the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
In this episode, we asked Cassie whether it’s realistic to have a secure software supply chain, why you need to be very careful about what gets committed into code because of backdoors, how her people-person skills made her switch from development to security, and how it feels to be a celebrity!
Dive right in!
Cassie is the Vice President of Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric.
Starting from a development background, she moved through different roles like technical support, technical documentation, and software development project management. She led compliance, policy, and governance and gradually transitioned into her high-level Product Security role.
Cassie is also the author of the Software Supply Chain security book that has received praise from multiple industry thought leaders.
Cassie’s goal is to make a difference in the cyber community. That’s why she is also a frequent speaker on various supply chain security topics and a workshop trainer.
Watch the full interview below:
Cassie's area of expertise is software supply chain security. He wrote an in-depth book on this topic and was willing to share her insights with us!
Supply chain attacks are becoming increasingly common, yet many remain undetected. The implications of these attacks can be severe, affecting not just individual companies but entire industries and critical infrastructure. These attacks target the interconnected network of suppliers, vendors, and service providers that organizations rely on, making them particularly insidious and challenging to detect.
Cassie emphasizes the growing frequency and sophistication of supply chain attacks. She notes that while many of these attacks are happening daily, they often go undetected for extended periods. This latency in detection can lead to widespread and severe consequences.
"There's a lot that's going on in the world and those supply chain attacks are happening more and more every day and we just haven't seen them yet. We haven't found them yet."
"Most people have realized that it became an issue when SolarWinds happened when Microsoft and Governments got compromised."
The SolarWinds attack serves as a stark reminder of the potential scale and impact of supply chain attacks. This incident involved the compromise of a widely-used IT management software, leading to breaches in numerous organizations, including government agencies and major corporations. Cassie highlights this event as a turning point in the awareness and urgency surrounding supply chain security.
Another significant example is the Colonial Pipeline ransomware attack, which disrupted fuel supply across the Eastern United States. Cassie points out that this incident, although not directly a software supply chain attack, underscores the broader implications of supply chain vulnerabilities.
"When you have Colonial Pipeline, who is a supplier and they're not a technology firm and they go down and disrupt an entire, you know, half of a country because of ransomware, you realize supply chain attacks, whether they're cyber related or not, are still going to make a bigger difference."
In software development, the use of open source software (OSS) is quite widespread. However, a diligent approach is required to ensure security. Each update to OSS must be meticulously scanned and reviewed. Blindly trusting updates from even reputable groups is no longer viable, especially when the software could be integral to critical systems, such as medical devices.
"Think of all the medical devices that are out there. There's a lot that's going on in the world and those supply chain attacks are happening more and more every day and we just haven't seen them yet. We haven't found them yet."
The XZ backdoor incident is a recent example that highlights the critical importance of vigilance in software supply chain security. This case involves the insertion of a backdoor into open source code, which went undetected for a period, posing significant risks to any systems that integrated the compromised code.
What Happened?
"Somebody noticed there was a difference in the speed of an action that was happening. And so that person investigated it and they found out that there was a backdoor that had been inserted into open source code."
The XZ backdoor was discovered when a developer noticed an unusual difference in the speed of an action within the software. Upon investigation, it was found that a backdoor had been inserted into the open source code, allowing unauthorized access and potential control over affected systems.
Cassie's Insights on the XZ Backdoor
Cassie Crossley provides a detailed perspective on the XZ backdoor incident. She emphasizes the need for rigorous inspection and continuous monitoring of open source components to prevent such vulnerabilities.
On the Importance of Vigilance:
"You have to be very diligent about looking at that open source, scanning it, reviewing it and then doing that every time you do an update."
While the Software Bill of Materials (SBOM) is a valuable tool in identifying and managing software components, Cassie points out that it alone would not have detected the XZ backdoor. The SBOM can help trace the presence of specific versions of software, but it requires additional measures to identify malicious code.
"The software bill of materials would not have told you whether that backdoor was in there. Really the only way you could have known is if you did that code inspection because there wasn't anything knowing to look out for it."
The XZ backdoor incident underscores several critical lessons for organizations:
"Go in and check who is the committer, what else have they committed on projects to, you know, are they going to be reliant? And when you're looking at all of this is if you need to branch the code and take ownership, do you understand it?"
"You need to think of it almost like it's a child. Now. There's somebody you know that they use the term free puppies when it comes to open source. But if you're putting this together, you know, you have a responsibility and accountability to maintain that product throughout."
Another topic we discussed with Cassie is how governance plays a pivotal role in ensuring the security of the software supply chain. Effective governance (including API governance, which we talked about previously in our blog) frameworks help organizations manage risks, enforce policies, and maintain compliance across all stages of the supply chain.
Cassie emphasizes that governance is not just about setting policies but also about continuous oversight and management of third-party risks. She highlights the evolution of governance frameworks and their critical role in supply chain security.
"We ourselves were a governance function. It was just an overlay. So there were things that didn't quite fit. And I was really just honored when NIST came to me and said, hey, we want you to present on the panel about third-party governance."
"The NIST Cybersecurity Framework (NCSF) had little pieces here and there that talked about suppliers, but it did not have this govern function. So I rolled out NCSF into our company 7-8 years ago when I first joined the CSO team and we said, how are we going to judge the maturity of our security program?"
The NCSF 2.0 introduced a dedicated "Govern" function, which underscores the importance of governance in managing third-party risks. This function helps organizations establish and maintain a comprehensive governance structure that includes policies, procedures, and oversight mechanisms.
"The NCSF and just everybody in general, you know, we've been talking about, do you have an IT cybersecurity posture, but it's really about supplier management. So by adding that governance function in there, it's just starting."
Cassie shares her experience in implementing governance frameworks within Schneider Electric and the challenges associated with it:
Continuous Improvement:
"We have evidence-based examinations now of our suppliers, the ones that provide software or that may impact our software. So if they're part of the supply chain in that sense, we ask them those kinds of questions and we're going to see that more and more, but it's going to take a long time."
Third-Party Risk Assessment:
"I created a third-party risk assessment program over three years ago where we checked evidence because from a secure development life cycle, I can't say, does this ISO 27001 certification ask anything about secure development? It doesn't say, do you have secure coding rules? It doesn't say, do you train your developers? It doesn't say, do you protect the development environment?"
Measuring Maturity:
"We measured ourselves and aligned programs to that, but we ourselves were a governance function. It was just an overlay. So there were things that didn't quite fit."
Policy Development and Enforcement
Governance frameworks should include clear policies that define security requirements for all third-party suppliers. These policies must be enforced consistently to ensure compliance.
Continuous Monitoring and Assessment
Regular assessments and continuous monitoring of third-party suppliers are crucial. This includes evaluating their security practices, conducting audits, and ensuring they adhere to established policies.
Collaboration and Communication
Effective governance requires collaboration between various stakeholders, including procurement, IT, security teams, and third-party suppliers. Open communication channels help in addressing issues promptly and maintaining a robust security posture.
Training and Awareness
Training programs for developers and other stakeholders are essential to ensure they understand the importance of supply chain security and their role in maintaining it.
Cassie emphasizes the importance of diligently inspecting open source code before integrating it into products.
"You have to be very diligent about looking at that open source, scanning it, reviewing it and then doing that every time you do an update."
2. Secure Development Environments
Ensuring that development environments are secure is crucial. This includes protecting build environments and virtual machines from unauthorized access.
"The build environment and all of that cybersecurity experts are not even touching those environments, those are being constructed by us as developers."
3. Continuous Monitoring and Maintenance
Regularly updating and maintaining software libraries and dependencies is essential to mitigate vulnerabilities.
"You definitely should be updating those libraries and some, some of them may say, you know, depending on the security level of, you know, let's just say, you know, we're trying to address this vulnerability but we wanna wait one more release."
4. Implementing Secure Coding Practices
Training developers in secure coding practices and ensuring they follow these practices consistently can prevent many vulnerabilities.
"We have a very extensive training program for secure development. We have secure coding tools, we have this and that. So they're seeing it as they go through."
5. Utilizing Software Bill of Materials (SBOM)
Using SBOMs helps in tracking and managing the components used in software, making it easier to identify and address vulnerabilities.
"The software bill of materials will let people know. Yes, this product with this version, if it had this exact version, it was compromised."
6. Threat Modeling
Conducting threat modeling exercises helps in identifying potential attack vectors and mitigating them early in the development process.
"What I really see is you're thinking about it, you know, what are the attack paths before I start it?"
Cassie also shares her perspective on the future of supply chain security, highlighting emerging trends and the evolving landscape.
1. Increased Focus on Governance
Governance will continue to play a critical role in managing supply chain security, with frameworks like the NIST Cybersecurity Framework (NCSF) evolving to include more comprehensive governance functions.
"The NCSF and just everybody in general, you know, we've been talking about, do you have an IT cybersecurity posture, but it's really about supplier management."
2. Adoption of AI and Advanced Tools
The use of AI and advanced tools will become more prevalent in detecting and mitigating supply chain security risks.
"We're gonna see AI help that there's a lot of new platforms and a lot of new startups coming out where they're improving the scan ability and the reach ability of code and being able to detect these things."
3. Ethical Hacking and Pentesting
Training developers in ethical hacking and pentesting will become more common, helping them understand and defend against potential attacks.
"I think every developer should take probably a pentest course and become an ethical hacking course to really understand the offense, you know, how to become better in the defense."
4. Enhanced Collaboration
Collaboration between developers, security teams, and other stakeholders will be crucial in addressing supply chain security challenges.
"It shouldn't be us versus them when it comes to development and security, you really need to examine all the development teams do what they need to do to be able to get that."
Ensuring supply chain security requires a multifaceted approach that includes thorough inspection of open source code, securing development environments, continuous monitoring, and implementing secure coding practices. The future of supply chain security will see increased focus on governance, adoption of AI and advanced tools, ethical hacking training, enhanced collaboration, and continuous improvement. By following these practical steps and staying ahead of emerging trends, organizations can better protect their supply chains and mitigate security risks.
💡Want to learn more? Discover the following articles:
*** This is a Security Bloggers Network syndicated blog from Escape - The API Security Blog authored by Alexandra Charikova. Read the original post at: https://escape.tech/blog/software-supply-chain-risks/