Taking Back Control of Today’s Software Supply Chain
By Jasmine Noel, Senior Product Marketing Manager, ReversingLabs
Supply chains are under attack. Malicious actors perpetrating these breaches will continue to succeed until security teams abandon common myths and misconceptions around these risks in favor of a more holistic fact-based approach.
While this threat has existed for a long time, the focus on supply chain attacks has grown in intensity just recently. It started late last year with the SolarWinds SunBurst attack and was followed by a steady stream of attacks in early 2021, including Microsoft Exchange and Codecov. In fact, according to the Identity Theft Resource Center (ITRC), supply chain attacks in the U.S. rose by 42% in Q1. Since then, they have continued with the latest attack taking place just recently over the July 4 holiday against IT management software vendor Kaseya.
There are several reasons why businesses remain susceptible, including four key misconceptions that undermine software development and open the door to costly attacks. A new Interos Annual Global Supply Chain Report reveals that global supply chain disruptions caused by breaches, as well as COVID-19 and the Suez Canal incident, cost large companies, on average, $184 million a year. The report also found that 83% of businesses have suffered reputational damage because of supply chain problems.
The good news is that businesses are looking more seriously at defending themselves against supply chain attacks. A ReversingLabs study found that awareness is up, with 52 percent of respondents believing that securing against supply chain attacks is needed. Less promising, however, are findings that show 30 percent of respondents are not confident that software is being released and accepted without malware.
This brings us back to the myths and misconceptions that help to perpetuate the issue of a vulnerable supply chain. Let’s take a look at the four most prevalent myths that continue to prevail throughout the industry, and explore why they are not true, how teams can reverse course, and what solutions are available to help businesses take charge right now.
Myth 1: Scanning Source Code is Enough
While it is true that source code analysis is effective, this really only applies to assessing the quality of written code for vulnerabilities early on. Here’s the challenge. Much can happen across the entire development process where multiple owners and software components introduce gaps and risks. This happens when they add and modify source code, which they assume is secure simply because it’s coming from a trusted source.
These actions immediately open the door for threats and attacks, more of which are originating from such unconventional sources; for SolarWinds the source was a build server. Further complicating matters, static and dynamic scanning don’t deliver a complete view of how malicious software packages can behave, and if software is already compromised, SAST/DAST/SCA and VM won’t help.
The action here is for businesses to begin assessing all software components beyond known vulnerabilities using a more comprehensive and automated scan process across repositories and libraries.
Myth 2: You Only Need to Scan Binaries for Malware with AV
Today’s modern software packages and installers operate outside the scope of many AV and other scanners. This includes application security tools. In addition, many files are simply too large or have components, such as containers, that extend beyond the scope of these scanners.
Currently there is no known signature for novel backdoor malware: malware that is well hidden and obfuscated within the code base and can bypass normal authentication or encryption. This creates a challenge because binary scans don’t address many security weaknesses that can lead to a breach or breakdown, such as authentication flaws and the insecure use of crypto.
What this means for security teams is that they must examine ALL files and identify suspicious indicators of compromise (IOCs). Beyond that, they must also examine all build and container files for malware and occlusions, including packages and installers larger than 1GB.
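The "examine ALL files" point above is easy to state and easy to get wrong in practice: a scanner that hashes only the outer installer never sees a component buried two archives deep. The following is an added illustration, not ReversingLabs code and not a description of the Titanium Platform; it recursively decomposes a package built from nested zip and tar.gz containers (a constructed sample assembled in memory), records the SHA-256 of every leaf file together with the nesting depth at which it was found, and checks each leaf against a hypothetical known-bad hash list. Real packaging formats (MSI, OCI layers, installers) would plug into the same unpack step; they are out of scope here.

```python
import hashlib
import io
import tarfile
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unpack_container(data: bytes):
    """Return [(member_name, member_bytes)] if `data` is a zip or tar(.gz/.bz2/.xz)
    archive, else None. Other container formats would be added here."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(info.filename, zf.read(info))
                    for info in zf.infolist() if not info.is_dir()]
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            return [(m.name, tf.extractfile(m).read())
                    for m in tf.getmembers() if m.isfile()]
    except tarfile.ReadError:
        return None  # not a tar archive in any supported compression


def decompose(name: str, data: bytes, depth: int = 0, max_depth: int = 8) -> list:
    """Recursively decompose a package and return one record per leaf file.
    '!/' in the path marks each container boundary, so a reviewer can see how
    deeply a component was buried. max_depth bounds runaway nesting (zip bombs).
    Everything is held in memory for brevity; a real scanner would stream."""
    members = unpack_container(data) if depth < max_depth else None
    if members is None:
        return [{"path": name, "sha256": sha256_hex(data),
                 "size": len(data), "depth": depth}]
    records = []
    for member_name, member_data in members:
        records.extend(decompose(f"{name}!/{member_name}", member_data,
                                 depth + 1, max_depth))
    return records


def find_known_bad(records: list, known_bad: set) -> list:
    """Paths of every leaf whose hash appears on the (hypothetical) known-bad list."""
    return [r["path"] for r in records if r["sha256"] in known_bad]


def build_sample_package() -> bytes:
    """Constructed sample: installer.zip > lib/vendor.tar.gz > vendor/plugins.zip > plugin/helper.dll."""
    innermost = io.BytesIO()
    with zipfile.ZipFile(innermost, "w") as zf:
        zf.writestr("plugin/helper.dll", b"MZ fake helper (constructed)")
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tf:
        for member_name, payload in (("vendor/plugins.zip", innermost.getvalue()),
                                     ("vendor/LICENSE", b"MIT License (constructed)")):
            info = tarfile.TarInfo(member_name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("README.txt", "release 1.0 (constructed)")
        zf.writestr("lib/vendor.tar.gz", tar_buf.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    package = build_sample_package()
    # Hypothetical threat-intel entry: the hash of the buried helper.
    known_bad = {sha256_hex(b"MZ fake helper (constructed)")}
    records = decompose("installer.zip", package)
    for r in records:
        print(f"depth={r['depth']} size={r['size']:>5} {r['sha256'][:16]}  {r['path']}")
    print("flagged (full decomposition):", find_known_bad(records, known_bad))
    print("flagged (outer file only):   ",
          find_known_bad(decompose("installer.zip", package, max_depth=0), known_bad))
```

Run with the full decomposition the helper is flagged at depth 3; run with `max_depth=0`, which models hashing only the installer as delivered, the same known-bad list matches nothing. The leaf records double as a minimal, hash-backed component inventory for the package.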
Myth 3: You Can Trust Certificates and Code Signatures
Certificates and code signatures essentially verify that a piece of code or a web application is secure. This may sound good on paper, but when attackers gain access to an enterprise and a core build server, teams will find that certificates and code signatures are insecure or have been manipulated or compromised.
Another growing threat is fake certificates, which can validate malicious code and even steal private keys. Security teams must regularly inspect all crypto certificates. This includes examining the corresponding chain of trust for reputation, validity, and signs of a compromise.
Myth 4: If It Was Malware-Free at One Point, It’s Always Malware-Free
Today new types of malware are constantly emerging and, to make matters worse, they are coming from trusted sources, which makes it increasingly challenging for detection to keep up. Adding insult to injury, other types of malware, which have been in place for some time, can suddenly change disposition from an unknown state to bad. This is why patching has become a widely used practice in keeping machines updated and safe from threats.
Whichever form of malware you’re dealing with, it often gets introduced as software versions are updated and after that it quickly blends with existing code. This is most common when working with open-source repositories, cloud containers, APIs, IoT, and extended supply chains which ultimately extend the scope of social engineering, including ransomware.
To fight back, teams must adopt a secure software development lifecycle (SDLC) approach that provides scanning and analysis at every stage of software deployment and use.
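The two failure modes described under Myth 4 call for two different checks at release time: a diff between consecutive releases (what was added, removed or rebuilt) and a re-evaluation of the components that did not change, because a hash that was "unknown" or "good" when the last release was approved may be "bad" today. The example below is added here to make that concrete; it is not ReversingLabs code and does not describe the Managed Software Assurance Service. The release inventories and the two reputation snapshots are constructed sample data, and the "good"/"bad"/"unknown" verdict model is a deliberate simplification of a real reputation feed.

```python
import hashlib
from dataclasses import dataclass


def h(content: bytes) -> str:
    """SHA-256 of a constructed component body; stands in for the real file hash."""
    return hashlib.sha256(content).hexdigest()


# Constructed sample data: path -> sha256 for two consecutive releases.
PREVIOUS_RELEASE = {
    "bin/agent.exe":    h(b"agent 1.0 (constructed)"),
    "lib/parser.dll":   h(b"parser 2.3 (constructed)"),
    "lib/compress.dll": h(b"compress 1.1 (constructed)"),
}
CURRENT_RELEASE = {
    "bin/agent.exe":     h(b"agent 1.1 (constructed)"),      # rebuilt
    "lib/parser.dll":    h(b"parser 2.3 (constructed)"),     # byte-identical to last release
    "lib/telemetry.dll": h(b"telemetry 0.9 (constructed)"),  # new dependency
}

# Constructed reputation snapshots: sha256 -> "good" | "bad"; anything absent is "unknown".
REPUTATION_AT_LAST_APPROVAL = {
    h(b"agent 1.0 (constructed)"):    "good",
    h(b"parser 2.3 (constructed)"):   "good",
    h(b"compress 1.1 (constructed)"): "good",
}
REPUTATION_NOW = {
    h(b"agent 1.0 (constructed)"):  "good",
    h(b"parser 2.3 (constructed)"): "bad",   # disposition flipped after the fact
}


@dataclass
class ReleaseReview:
    added: dict       # path -> sha (new in this release)
    removed: dict     # path -> sha (gone since last release)
    changed: dict     # path -> (old_sha, new_sha)
    flipped: dict     # unchanged path -> (verdict at last approval, verdict now)
    blockers: list    # paths whose current verdict is "bad", regardless of change status


def verdict(reputation: dict, sha: str) -> str:
    return reputation.get(sha, "unknown")


def review_release(previous: dict, current: dict,
                   reputation_then: dict, reputation_now: dict) -> ReleaseReview:
    """Diff two releases and re-assess the unchanged components.
    A diff alone would wave lib/parser.dll through; the re-assessment catches it."""
    added = {p: s for p, s in current.items() if p not in previous}
    removed = {p: s for p, s in previous.items() if p not in current}
    common = previous.keys() & current.keys()
    changed = {p: (previous[p], current[p]) for p in common if previous[p] != current[p]}
    unchanged = {p: current[p] for p in common if previous[p] == current[p]}

    flipped = {}
    for path, sha in unchanged.items():
        before, now = verdict(reputation_then, sha), verdict(reputation_now, sha)
        if before != now:
            flipped[path] = (before, now)

    blockers = sorted(p for p, s in current.items() if verdict(reputation_now, s) == "bad")
    return ReleaseReview(added, removed, changed, flipped, blockers)


if __name__ == "__main__":
    review = review_release(PREVIOUS_RELEASE, CURRENT_RELEASE,
                            REPUTATION_AT_LAST_APPROVAL, REPUTATION_NOW)
    print("added:   ", sorted(review.added))
    print("removed: ", sorted(review.removed))
    print("changed: ", sorted(review.changed))
    print("flipped: ", review.flipped)
    print("blockers:", review.blockers)
```

The point of keeping `flipped` separate from `changed` is that the two lists answer different questions: `changed` tells the team where to look at the new build, while `flipped` tells them that something they already shipped, and did not touch, now needs to be pulled or patched. Either list being non-empty is a reason to hold the release for a human decision; `blockers` is the subset where the decision should already be made.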
Mitigating Against Future Software Supply Chain Attacks
Calling out these misconceptions, ReversingLabs recognizes that security and software development teams need help. Businesses are under pressure to get software product releases out the door quickly and without any compromise on the quality. It’s this pressure that causes steps to be missed and corners to be cut. To help improve the security of the software development supply chain we have introduced ReversingLabs Managed Software Assurance Service.
Built on the foundation of our Titanium Platform, the on-demand offering provides businesses with an advanced analysis that can examine in-house developed or third-party software packages for signs of tampering and malicious or unwanted additions, all before they are released to customers or across the enterprise.
Customers simply upload software packages requiring analysis via a secure channel to ReversingLabs. Once complete, the ReversingLabs team analyzes, interprets and provides guidance. Specific services provided include:
- Deep inspection for malware and post-exploitation vulnerability presence through recursive package decomposition, extracting all possible components for advanced analysis.
- Software grading based on code signing process and application hardening using software vulnerability mitigation techniques.
- Analysis reporting that describes a full and validated software bill of materials, software quality metrics, malicious behavior and explainable insights tracked across software versions.
- An audit report in both machine-readable and human-readable formatting for all embedded files.
- Designated ReversingLabs research analyst to verify whether software is fit for its purpose and safe to put in production.
Once complete, our team analyzes and interprets the package and then provides developers with clear and accurate information on their builds. In the end, by analyzing the files for malware and highlighting the differences, our service can help prevent these attacks before the software is released to the end-users.
In an increasingly software-driven world, the onus is squarely on companies to take the proper steps to mitigate supply chain threats. The process includes gaining greater awareness of best practices as well as access to new offerings such as our Managed Software Assurance Service. By leveraging best practices, teams can achieve the 100 percent confidence that the software they’re sending out is malware free.
About the Author
Jasmine Noel is Senior Product Marketing Manager at ReversingLabs. Her career began as an industry analyst covering IT technologies. She then founded Ptak, Noel & Associates to provide research and marketing services to Fortune 500 and startup technology firms. Prior to ReversingLabs, Noel also held product marketing roles in growth companies, including Veracode, Corvil and NS1. Jasmine can be reached on Twitter at @jnoel_work_life and at our company website http://www.reversinglabs.com