Cybersecurity is one of the biggest priorities for modern organizations operating across on-prem and virtual digital infrastructures. According to recent data, small and medium-sized businesses spent north of £280m on it in 2022, testament indeed to its importance in modern business operations.
Many organizations invest heavily in making sure their APIs, cloud infrastructure and hardware are protected from cyber threats. What’s more, we’ve seen a seismic shift in company culture towards cybersecurity over the last few years, with many organizations now training whole workforces on the dangers of tried and tested attacks like phishing emails and smishing texts.
However, even with all of the investment going into preventative safeguarding measures like these, many organizations are still at risk of attack via their digital supply chain.
Supply chain vulnerability
Firstly, we need to ask, what exactly are the vulnerabilities associated with a digital supply chain?
A supply chain attack pretty much does what it says on the tin. Typically, attackers will infiltrate a trusted third-party vendor or supplier that provides products, components, or services to the target organization. In effect, you’re only as secure as the weakest link in your digital supply chain.
By way of example, let’s consider a typical organization’s website. Estimates are that as much as 70 percent of a typical website is produced with the support of third-party and open-source elements – i.e. not produced or developed by the team that releases the software. However, vulnerabilities in code are of equal risk whether they are created by your team, or pulled in from open source and third parties.
Trying to understand where that 70 percent of software does come from is not a straightforward task either. You might know what components you’re directly using, but what about the libraries they use? What about the software that those libraries use?
The same goes for your suppliers. Do you know where they store their data, and how it’s protected? And, what about their suppliers?
As is becoming clear, when taking stock of your digital supply chain, the exact boundaries of your risk profile can become extremely muddy. However, there are steps you can take to mitigate the risks.
Assessing the ‘who’ in your supply chain
Understanding where the risks in your third-party digital supply chain are is a crucial first step.
When you’re developing your own software, you would ensure that a certain level of testing is in place to make sure it functions as you expect in different situations, and with different input and output.
Similarly, teams will review each other’s code for vulnerabilities, run automated code scans to check for security issues, and some might even conduct threat modelling exercises to understand and mitigate risks before a design is implemented. That is mostly not practical when it comes to third-party software, and in a lot of cases this approach would increase the time and cost of software development by a huge amount. These are hard problems to overcome, but the key is to evaluate who, rather than what and how.
Look at the engineers and companies building software components before you import them, as this provides a good indicator of how seriously they will take the security of their software. With open source software, infrequent updates or low code coverage is a red flag of software to be avoided. Also, it’s worth bearing in mind that companies that rely on the software they build (for example, the Android OS is maintained by Google and is a key part of their business) are usually much more likely to be quick with updates.
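The two points above, that you inherit the dependencies of your dependencies, and that infrequent updates are a red flag, can be checked mechanically. The following is an added example, not from the original article: it walks a constructed dependency graph for a hypothetical web front end ("webapp" and its component names are made up), lists everything pulled in transitively with its depth, and flags components whose last release is older than a threshold.

```python
from collections import deque
from datetime import date

# Constructed sample graph: each component lists the libraries it pulls in
# and the date of its last release. Names and dates are invented for the example.
COMPONENTS = {
    "webapp":      {"deps": ["ui-kit", "http-client"], "last_release": date(2023, 5, 1)},
    "ui-kit":      {"deps": ["dom-utils", "icon-pack"], "last_release": date(2023, 3, 10)},
    "http-client": {"deps": ["url-parse"],              "last_release": date(2022, 11, 2)},
    "dom-utils":   {"deps": [],                         "last_release": date(2023, 1, 15)},
    "icon-pack":   {"deps": ["url-parse"],              "last_release": date(2019, 6, 30)},
    "url-parse":   {"deps": [],                         "last_release": date(2020, 2, 20)},
}
AS_OF = date(2023, 6, 1)  # constructed audit date


def transitive_deps(root, components):
    """Return {name: depth} for every component `root` pulls in, directly or not.

    Breadth-first, so the recorded depth is the shortest path from the root;
    a library reachable via several paths (url-parse here) is reported once.
    """
    depths = {}
    queue = deque((dep, 1) for dep in components[root]["deps"])
    while queue:
        name, depth = queue.popleft()
        if name in depths:
            continue
        depths[name] = depth
        # Unknown components (not in the inventory) are kept but have no children.
        for child in components.get(name, {}).get("deps", []):
            queue.append((child, depth + 1))
    return depths


def stale_components(root, components, as_of, max_age_days=365):
    """Transitive components whose last release is older than max_age_days.

    Returns (name, depth, age_in_days) tuples sorted by name.
    """
    stale = []
    for name, depth in sorted(transitive_deps(root, components).items()):
        age = (as_of - components[name]["last_release"]).days
        if age > max_age_days:
            stale.append((name, depth, age))
    return stale


if __name__ == "__main__":
    for name, depth, age in stale_components("webapp", COMPONENTS, AS_OF):
        print(f"{name}: depth {depth}, last release {age} days ago")
```

Depth 2 or more means the component never appears in your own manifest, which is exactly the part of the 70 percent that is hardest to see.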
Don’t become your own blocker
While the security risk to the software supply chain is ever-present, it is vital that projects are not impacted by an overly rigid or intransigent approach to cyber. The important thing is to adapt your approach to suit the risks, and embrace new tools and ways of working.
For example, there are many new tools coming onto the market from a broad range of vendors, including Google and Snyk. These adopt more modern concepts like security-as-code and DevSecOps, where issues are addressed much earlier in the development process, and embedding security is much more likely to be conducive to productivity. By reviewing the latest ways to boost the security of software development, developers and engineers can recognize how these can be embedded in their software to protect what is being created.
Don’t take your digital supply chain on trust
Over the years we’ve seen some major security breaches as a result of supply chain attacks. Remember the SolarWinds attack of 2020 that saw attackers insert malicious code into the company’s software? Well, as a result, 30,000 of its customers were also compromised. This is an oft-quoted example when it comes to these types of attacks as it had a huge ripple effect.
Supply chain attacks, although not an obvious first thought for organizations when it comes to planning, building and reviewing their cybersecurity defences, could well be the most vulnerable security spot for many businesses. Put simply, you shouldn’t take your digital supply chain on trust alone; make sure you’re doing the necessary due diligence to minimise any threat, some examples of which we’ve explored in this article.