Application Security and the Software Supply Chain

The software supply chain could be putting your application security at risk. According to Microsoft chief executive Satya Nadella, in the near future “every business will become a software business.” By leveraging the right applications and data, companies of all sizes and industries can make smarter decisions to beat their competitors and better serve their customers.

The problem in terms of application security, however, is that in many cases it’s not your own software you’re using. Nearly every organization makes use of applications from third-party vendors and suppliers, in what businesses like to call the “software supply chain.”

Over the past few years, we’ve seen a worrying rise in “supply chain attacks” that take advantage of these relationships between software vendors and their customers. For the strongest cybersecurity posture, companies must pay attention not only to their own IT security, but also to that of their suppliers and partners. In this blog post, we’ll discuss why, when it comes to application security, you’re only as safe as the company you keep.

What is a Supply Chain Attack?

Because you’re not automatically privy to the security practices of third parties, it’s easy to assume that the vendors and partners you deal with are completely secure and doing everything right. However, a recent series of high-profile cyber attacks has exposed the deep-seated problems with this presumption.

In 2014, for example, Home Depot suffered a massive data breach that exposed 56 million payment card details. Investigators later discovered that the hackers entered Home Depot’s IT systems using the login credentials of a third-party vendor.

Magecart, an attack that targets e-commerce sites and steals credit card data, has been well known for a couple of years now. In the early days, Magecart groups would look for common vulnerabilities on websites as a way to install the skimming software. Last year, these gangs upped the ante by injecting Magecart into third-party code used by Ticketmaster for customer support during checkout.

As these headlines illustrate, a supply chain attack takes the idea of third-party vulnerabilities to the next level by embedding flaws and malware into third-party or open source software. The attack then makes its way down the chain, implanting itself in the companies that use this software as well.

With the ubiquity of open source code in software development, and the need for companies to create seamless user experiences through integrations, the software supply chain is an attractive target. Companies must remain vigilant in assessing potential vulnerabilities in their own code, including the open source libraries it depends on. In addition, they must also pay attention to the privileges given to third-party vendors and partners.

Read the full article on The Cybersecurity Place