Cybersecurity Risks in the Software Supply Chain

The supply chain has experienced many problems over the last several years, and now the software supply chain is facing problems of its own as bad actors try to access vulnerabilities.

No matter what channel you turn on, there’s probably something about the supply chain in the news. From COVID-19 lockdowns to a rapid surge in consumer demand to a shortage of workers, the last couple of years haven’t been easy on the global supply chain — and it’s affecting everything from semiconductor availability to critical systems upgrades. When we talk about supply chain issues, that’s what we usually think of. But did you know that’s not the only important supply chain affecting day-to-day life?

While a traditional supply chain refers to anything required to deliver a product, including ingredients, materials, packaging, and trucks, the software supply chain is a separate piece of the puzzle that’s defined as anything that affects your software. That includes developers, custom code, open-source software, DevOps tools, and more. Given its importance, it should come as no surprise that this less talked about supply chain has become a target of attacks. Read on to learn more about the attacks and what we can learn from them.


All About Software Supply Chain Attacks

Software supply chain attacks occur when bad actors infiltrate your system and spread malware via an external partner, provider, or software repository that has access to your systems and data. Given how many companies rely on suppliers, service providers, and software repositories, software supply chain attacks have become increasingly common.

The high-profile SolarWinds attack from a couple years ago is just one example of a recent software supply chain attack, and things have only gotten worse since then. In 2021, the software supply chain attack threat was over three times higher than in 2020. That means that businesses not only need to be wary of commercial software vendors, but they also need to protect themselves from open-source software projects that have been attacked and products that have been altered by governments, all of which can pose major risks.

Nowadays, you should be particularly concerned about the open-source supply chain threat. After all, 90% of all applications contain open-source code. Worse still, 11% of those open-source codes have known vulnerabilities. Some cybercriminals have even started proactively compromising open-source software and code development and distribution to create difficult-to-detect vulnerabilities. How? All it takes is for a single bad actor to gain access to a developer’s email account. They can then generate password reset emails, take over the account, and publish malicious updates that affect all software that uses that library. Suddenly, previously secure open-source software can have major vulnerabilities that affect millions of users.

Unsurprisingly, software supply chain attacks are popular with all sorts of cybercriminals these days because all it takes is a single operation to gain access to several organizations and devices. It saves them time since once they compromise one commonly used software, they can hypothetically gain access to every single enterprise using it. After all, many developers rely on third-party code and libraries to accelerate development and cut costs, but they rarely review the software or code themselves to ensure it’s secure, instead just taking that for granted.

For cybercriminals, it’s a dream come true. For us, it can quickly become a nightmare and lead to cyberespionage, financial crime, and compromised systems.


Current Risks At Code Repositories

So, where are these attacks occurring? Right now, cybercriminals are heading to code repositories to compromise developer accounts with ease. Currently, there are a few repositories that store large amounts of developer data that could be popular targets for bad actors. These include:

  • Node Package Manager (NPM): Specific to JavaScript, this code repository provides over two million packages that contain metadata, such as descriptions, links to the packaged archive files, and developers’ usernames and email addresses — a potential treasure trove of information for a successful hacker. While recent independent security audits found that NPM has effective security measures in place to prevent cybercriminals from extracting domain names from email addresses, the shere size of this repository means it will likely continue to be a target even if, for the time being, the desired information seems to be well-protected.
  • The Python Package Index (PyPI): While developers’ email addresses aren’t automatically displayed publicly with PyPI, a developer might enable others to see their email address for feedback, suggestions, and reports. Between the high number of PyPI users opting to display their email addresses and the fact that multi-factor authentication is not enabled by default, it shouldn’t be surprising that account takeovers have occurred at PyPI in the past. Luckily, the top 1% of projects at PyPI will require multi-factor authentication via hardware security keys moving forward. While this is far from a foolproof fix, it should make it significantly harder for bad actors to access those accounts.
  • RubyGems: RubyGems is a repository for Ruby developers. Like PyPI, it’s susceptible to account takeovers. While RubyGems similarly hides developers’ email addresses by default, some gems have a maintainer file that indicates the developer’s email address. With around 172,000 packages in the repository, there are certainly enough opportunities for cybercriminals to disrupt the software supply chain. RubyGems, like PyPI, will also be enforcing multi-factor authentication for the top developer accounts from now on.


Protecting Your Business From Software Supply Chain Attacks And Reducing Risks At Code Repositories

Since 66% of supply chain attacks focus on the supplier’s code, you can drastically reduce your business’ risk of becoming the victim of a software supply chain attack by independently validating third-party code and software. This will allow you to see whether or not a code has been tampered with before you use it.

It’s also a good idea to vet software vendors. Ask about their code verification mechanisms, security practices, and general security framework beforehand to ensure their operations are compatible with your business and your needs. Don’t be afraid to ask hard questions because your organization’s security is at stake!

Staying on top of patches can also help protect your organization from software supply chain attacks, as can segmenting systems running specific software from the rest of their internal network. This way, if an incident does occur, the attacker won’t be able to access your entire network automatically.

On the code repository side, repositories can stop revealing developers’ and maintainers’ email addresses. Instead, they can assign each developer an email address at the repository’s domain. Repositories could also issue code signing keys and enforce multi-factor authentication, making it impossible for attackers to use developers’ expired domain names.


Protect Your Organization With TTI’s Help

The rise in software supply chain attacks is a reminder that there are potential vulnerabilities at every level. Not only can cybercriminals reach you through standard methods like phishing or installing malware, but they can also alter the very code you use. If you aren’t paying attention to your third-party or open-source software, bad actors can and will take advantage of that. It’s critical that you take every possible precaution to keep that from happening.

The good news is that Turn-key Technologies, Inc. (TTI) can help. Our team of experts has been helping protect organizations from cybercriminals for decades, and we can deliver, manage, and maintain top-of-the-line cybersecurity solutions to do the same for you. With TTI’s help, you can protect your organization from software supply chain attacks and other cybercrimes, so you can avoid data breaches, financial losses, and more.

To learn more about mitigating cybersecurity risks in the software supply chain, speak with our team today!

By Tony Pugielli


Sign up for the TTI Newsletter