How to Prepare for the Next Software Supply Chain Attack

In recent years, cyberattacks have evolved right along with our defenses (to absolutely no one’s surprise). Attackers are looking for, and finding, new and innovative ways to compromise assets and data – from end-user attacks like credential theft and browser-based malware, to cloud-focused attacks that leverage APIs and cloud native services.

Unfortunately, cyber attackers have also discovered how to compromise us through software, which is undoubtedly the weakest link in many corporate environments. Let’s face it: a huge percentage of large enterprises don’t have an accurate or up-to-date software inventory, and we often know very little about the software developers creating, packaging and delivering this software to us.

Just because we purchase software from large, well-known providers doesn’t mean attackers haven’t infiltrated their environments and shipped out something nasty, unbeknownst to the software manufacturer. This is exacerbated when dealing with smaller firms and start-ups – whether packaged software, SaaS or other cloud services – due to their lack of resources dedicated to software security.

In short, the software supply chain is a mess.

Examples of Software Supply Chain Attacks

If you say “SolarWinds” to anyone in IT security, you’re likely to get a shake of the head and a frown – yes, it was that bad. They were owned, they shipped, we got owned, and there you have it – a very elegant malware distribution supply chain at its best.

We’ve seen the crushing impact of the Log4j vulnerability in development environments, and now attackers are loading compromised packages and content to package repositories. Third-party breaches won’t slow down, either. That is until we start to get a handle on who we’re buying software from, where it lives in our environments, what privileges it has, what it has access to – and, most importantly, whether we can trust it in the first place.