How Secure Is Your Software Supply Chain?

The SolarWinds hack was a wakeup call for business leaders to take control of software security.

SolarWinds is climbing the league table of infamous hacks. It even has its own Wikipedia page.  

Revelations of its full breadth and depth continue to escalate, as do the alarm bells ringing throughout government and industry. One cybersecurity CTO called it “perhaps the most sophisticated and wide-reaching cyber-campaign we have ever seen.”   

Yet from an enterprise standpoint, the scariest part of the SolarWinds breach isn’t the degree to which Russian state actors allegedly compromised sensitive government systems, or the stealth with which they did so. Rather, it’s the reality that the vast majority of organizations are similarly exposed to what’s known as a software supply chain attack: an attack that compromises a trusted third party (a vendor, its build or update pipeline, or a component it ships) in order to reach that party’s customers.  

As it stands, the next SolarWinds-style attack is a matter of when, not if, and the next one could be far more damaging than infiltration and espionage: the same tampered-update channel that delivered a quiet backdoor could just as easily deliver ransomware or destructive payloads to every customer that installs it.  

As organizations rapidly digitize, SolarWinds is a wake-up call for leaders to secure their end-to-end software supply chain.   

The digital economy is just like the physical one 

Just as COVID-19 exposed the lack of visibility into the end-to-end physical supply chain, SolarWinds exposed similar opacity in our digital supply chain.  

This is hardly surprising considering the similarities between the two. A physical supply chain consists of the processes that source raw materials and convert them into a finished product. The software supply chain consists of the processes by which an organization sources, builds, and deploys the code, applications, and systems it needs to operate, including the vendors, open-source components, build tools, and update channels involved at each step.  

SolarWinds supplies software that lets an organization see what’s happening on its computer networks. Attackers compromised the company’s build process and inserted malicious code (the backdoor later named SUNBURST) into its Orion network-monitoring platform; the tampered build was then shipped to customers as a routine, digitally signed software update. According to SolarWinds, up to around 18,000 of its customers installed the tampered update, including the U.S. Treasury and Commerce departments and a host of other government agencies and companies.  


These attacks are especially hard to defend against because they exploit trust and scale. A tampered update arrives through the same channel as a legitimate one and, in the Orion case, carried SolarWinds’ own valid code-signing signature, so the integrity checks customers normally rely on passed: a valid signature proves that the vendor’s pipeline produced the file, not that the pipeline was clean. Meanwhile, most modern organizations have hundreds, if not thousands, of technology suppliers and treat vetting each one individually as too cumbersome. 

That trust, extended by default, is what leaves them vulnerable. 

Three pillars of a secure supply chain 

Realistically, it’s nearly impossible to guarantee a completely secure software supply chain, but there are principles organizations can follow that mitigate at least some of the risk.  

1) Vendor transparency and risk analysis 

Vetting software suppliers takes time and effort, but it’s also too important to ignore.   

That’s not to say you need to analyze every bit and byte of each piece of software. Instead, it’s about identifying your vendors and understanding the factors that may affect their reliability, such as past security record or geographic location.  

After the SolarWinds breach, for instance, Reuters reported that multiple criminals had offered access to SolarWinds’ computers dating back as far as 2017. Another red flag: In 2015, the company moved much of its engineering capabilities to Eastern European areas where Russian intelligence operatives are deeply rooted.   

SolarWinds is not the first and won’t be the last vendor to be exposed for operating in a less-than-secure way. To mitigate that risk, organizations must identify all their software suppliers, including, where it can be learned, the third-party and open-source components those suppliers build on, and understand the security measures each of them employs.

2) Security by design 

To ensure the software they buy is secure by design, organizations should evaluate suppliers against a recognized secure software development framework (NIST’s Secure Software Development Framework is one example) as part of the buying decision: how the vendor protects its build and release pipeline, how it signs and distributes updates, how it tracks the components in its own products, and how it discloses and fixes vulnerabilities.  

Refusing to deal with vendors that don’t follow commonly accepted security principles sends a powerful message. This is a critical point because, ultimately, software supply chain security depends on individual actors behaving responsibly. 

In the same way that consumer packaged goods companies encourage fair trade in their supply chains, digital enterprises can—and should—encourage security in theirs.  

3) An integrated approach to risk 

It’s unrealistic to assume a large, complicated software supply chain can ever be completely secure. This is why security leaders must prioritize which pieces of software to investigate thoroughly, perhaps as far down as their source code and build provenance.  

This must be an executive-level decision because it requires a deep understanding of an organization’s mission-critical outcomes. It also requires an understanding of the holistic risk environment, of which the software supply chain is just one part, and of the resources available. 

Things often go wrong when organizations categorize software supply chain security as a purely technical issue and kick it over to the IT department. Instead, responsibility must be shared with the business, which needs to identify the most critical outcomes and business services.  

By linking those outcomes and services to the technology that supports them, and that technology to the suppliers it comes from, you can focus your attention on the right problems and determine the depth of investigation each one requires.  

If SolarWinds has taught us anything, it’s that these investigations must occur. With a Common Service Data Model, organizations can map business outcomes to the technology and its supply chain. In a digital, post-SolarWinds world, this is a level of effort that can no longer be avoided.
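The following Python sketch is an added illustration, not code from the original article and not ServiceNow’s Common Service Data Model. It models the mapping that sections 1 and 3 describe: a constructed inventory of business services (each with a criticality tier), the applications they run on, and the third-party components those applications are built from (all names hypothetical). Criticality is propagated down the dependency graph so that each vendor component inherits the highest tier of any business service that ultimately depends on it, which yields both an ordered investigation plan and an answer to the SolarWinds question: if one vendor is compromised, which business services are exposed?

```python
from collections import deque

# Constructed sample inventory (hypothetical names, not real vendors).
# Business services carry the criticality tier the business assigns them
# (1 = mission-critical).
SERVICES = {"payroll": 1, "customer-portal": 1, "internal-wiki": 3}

# Dependency edges: a node depends on every node in its list. Plain strings
# are internal applications; ("vendor", "product") tuples are third-party
# components supplied from outside the organization.
DEPENDS_ON = {
    "payroll": ["hr-system"],
    "customer-portal": ["web-frontend", "auth-service"],
    "internal-wiki": ["wiki"],
    "hr-system": [("acme-hr", "payroll-suite"), ("netmon-inc", "monitor-agent")],
    "web-frontend": [("netmon-inc", "monitor-agent")],
    "auth-service": [("idp-co", "sso-connector")],
    "wiki": [("wiki-corp", "wiki-server")],
}

# Depth of investigation per inherited tier: an assumed policy, not a standard.
DEPTH_BY_TIER = {
    1: "source and build-provenance review, continuous monitoring",
    2: "vendor security questionnaire and component (SBOM) review",
    3: "inventory and license check only",
}


def propagate_criticality(services, depends_on):
    """Return {node: (tier, services)} for every node reachable from a
    business service: the most critical tier among the services that depend
    on it and the set of those services. A visited set per service handles
    shared dependencies (diamonds) and accidental cycles."""
    result = {}
    for service, tier in services.items():
        seen = {service}
        queue = deque([service])
        while queue:
            node = queue.popleft()
            old_tier, old_services = result.get(node, (float("inf"), frozenset()))
            result[node] = (min(old_tier, tier), old_services | {service})
            for dep in depends_on.get(node, []):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(dep)
    return result


def third_party_components(depends_on):
    """Vendor components are the (vendor, product) tuples anywhere in the graph."""
    return {dep for deps in depends_on.values() for dep in deps if isinstance(dep, tuple)}


def investigation_plan(services=SERVICES, depends_on=DEPENDS_ON, depth_by_tier=DEPTH_BY_TIER):
    """Order vendor components by inherited tier, then by blast radius (how
    many business services are exposed if that component is compromised)."""
    crit = propagate_criticality(services, depends_on)
    rows = []
    for comp in third_party_components(depends_on):
        # A component nothing depends on gets the least critical tier.
        tier, affected = crit.get(comp, (max(depth_by_tier), frozenset()))
        rows.append({
            "vendor": comp[0], "product": comp[1], "tier": tier,
            "exposed_services": sorted(affected),
            "depth": depth_by_tier[tier],
        })
    rows.sort(key=lambda r: (r["tier"], -len(r["exposed_services"]), r["vendor"]))
    return rows


def blast_radius(vendor, services=SERVICES, depends_on=DEPENDS_ON):
    """If everything shipped by one vendor is compromised, which business
    services are exposed?"""
    crit = propagate_criticality(services, depends_on)
    exposed = set()
    for comp in third_party_components(depends_on):
        if comp[0] == vendor and comp in crit:
            exposed |= crit[comp][1]
    return sorted(exposed)


if __name__ == "__main__":
    for row in investigation_plan():
        print(f"tier {row['tier']}  {row['vendor']}/{row['product']:<15} "
              f"exposes {row['exposed_services']}  -> {row['depth']}")
    print("netmon-inc compromised ->", blast_radius("netmon-inc"))
```

In the sample data the monitoring agent from "netmon-inc" is only one of four vendor components, but because two tier-1 services depend on it (through different applications) it sorts to the top of the plan. That is the point of linking services to technology before deciding how deep to investigate: the component that looks like plumbing from the IT side is the one with the widest blast radius from the business side.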