Skeletons in the software closet: discovering vulnerabilities in the supply chain


Cyberattacks within the supply chain are on the rise, with research from IBM finding that 19 percent of all breaches originate in the victim's supply chain. The finding is not surprising: a compromised supplier is a gateway to many downstream networks at once, which makes suppliers attractive targets for malicious actors.

The impact of a successful breach can be widespread and damaging, given how much software depends on common libraries and platforms. If a malicious actor can tamper with a vendor's software or its update channel, the compromise is passed downstream to every organisation that installs the update, spanning a wide range of sectors.

Why supply chains make good targets

Cyberattackers tend to look for the simplest attack that yields the greatest reward. Large organisations often dedicate significant resources to building out their security teams and deploying technology to improve their defences, so compromising any one of them directly costs a threat actor considerable time and effort. If the same effort is spent compromising a vendor within the supply chain, a single successful intrusion potentially opens access to a wide pool of lucrative targets.

The threats involved vary. The term most often refers to incidents in which an attacker, having breached a vendor, inserts malicious code into the software that vendor ships, as in the high-profile SolarWinds (2020) and Codecov (2021) cases. But unpatched vulnerabilities in underlying frameworks, and products built on weak code foundations, can have just as significant an impact. The most notable example is the Log4j vulnerability disclosed in 2021: left unfixed, it enabled attackers to break into systems, access sensitive data and infect networks with malicious software.

Now, just over a year on from Log4j, the risk of another such incident is only expected to grow as threat actors keep searching widely used frameworks and libraries for vulnerabilities to exploit. It is therefore even more important to evaluate, and keep re-evaluating, the security posture of the underlying frameworks that make up the software supply chain of the products our organisations use.

Identifying the skeletons

Like every area of technology, the attack surface, and the impact a given vulnerability can have, change constantly as platforms evolve. This holds for the software supply chain. A vulnerability may appear to have little or no impact when it is first discovered, given the landscape at the time; as the affected software spreads and the way it is used changes, so does the threat. A recent illustration is Trellix's rediscovery of a 15-year-old vulnerability in the Python tarfile module, which was found to be present in over 350,000 open-source projects and prevalent in closed-source projects as well. Fifteen years ago this bug was not part of a vast software supply chain; since then attack surfaces have changed, and with them what can be accomplished with such a seemingly minor issue. Today the bug could be the entry point an attacker needs to compromise a network. Trellix was able to submit pull requests to patch over 61,000 of these open-source projects, but the research showed that, left unchecked, vulnerabilities like this create a substantial software supply chain attack surface.
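The tarfile issue Trellix refers to is the long-standing path traversal in `TarFile.extractall` (CVE-2007-4559): a member named `../../.ssh/authorized_keys` is written exactly where its name points, outside the directory the caller intended. The following is an added example, not Trellix's code or the fix it submitted to those projects. The archive contents, destination paths and function names are constructed for illustration. It places the vulnerable one-line extraction beside a hardened version that checks every member, including symlink and hardlink targets, before writing anything.

```python
import io
import os
import tarfile


def build_tar(members: dict[str, bytes]) -> bytes:
    """Build an in-memory tar archive from {member_name: payload}.
    addfile() keeps member names verbatim, so '../' and leading '/' survive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_malicious_tar() -> bytes:
    """Constructed sample: one benign member and one that climbs out of the
    extraction directory, the pattern CVE-2007-4559 lets through."""
    return build_tar({
        "readme.txt": b"just a readme\n",
        "../../.ssh/authorized_keys": b"ssh-ed25519 AAAA... attacker\n",  # constructed
    })


def is_within_directory(directory: str, target: str) -> bool:
    """True if `target`, once normalised, still lies inside `directory`."""
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def find_escaping_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members that would be written, or that link, outside `dest`."""
    escaping = []
    for member in tar.getmembers():
        # os.path.join discards `dest` when the member name is absolute,
        # which is exactly what makes absolute names dangerous.
        member_path = os.path.join(dest, member.name)
        if not is_within_directory(dest, member_path):
            escaping.append(member.name)
            continue
        # Links are a second escape route: a symlink target is relative to the
        # member's own directory, a hardlink target to the archive root.
        if member.issym():
            link_path = os.path.join(os.path.dirname(member_path), member.linkname)
        elif member.islnk():
            link_path = os.path.join(dest, member.linkname)
        else:
            continue
        if not is_within_directory(dest, link_path):
            escaping.append(member.name)
    return escaping


def check_archive(data: bytes, dest: str) -> list[str]:
    """Inspect archive bytes for escaping members without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return find_escaping_members(tar, dest)


def unsafe_extract(data: bytes, dest: str) -> None:
    """The vulnerable pattern: extract whatever the archive says. Python 3.12 and
    3.13 emit a DeprecationWarning here and 3.14 applies the 'data' filter by
    default, but older interpreters write straight to '../../'."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        tar.extractall(dest)


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Hardened form: refuse the whole archive if any member escapes `dest`."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        escaping = find_escaping_members(tar, dest)
        if escaping:
            raise ValueError(f"refusing to extract; members escape {dest!r}: {escaping}")
        # Defence in depth: on Python 3.12+ also let tarfile's own 'data'
        # filter reject traversal, absolute paths and dangerous links.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


if __name__ == "__main__":
    import tempfile

    dest = tempfile.mkdtemp()
    print("escaping members:", check_archive(build_malicious_tar(), dest))
    try:
        safe_extract(build_malicious_tar(), dest)
    except ValueError as exc:
        print(exc)
    print("extracted:", safe_extract(build_tar({"readme.txt": b"ok\n"}), dest))
```

The check is done on the whole archive before any member is written, so a rejected archive leaves nothing behind. Checking link targets matters because a symlink member pointing at `/etc` followed by a member written through that symlink escapes even when every member name looks local.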

Unfortunately, an old vulnerability becoming a new threat is not as unusual as we would hope. Not all frameworks, libraries and software development kits (SDKs) have the resources to keep pace with the regular security audits and modifications needed to remain resilient. This is particularly true of open-source projects, which often lack dedicated staff and funding for security work. As a result, any organisation using third-party code libraries and frameworks in its applications is at potential risk of attack. It is therefore crucial for the industry to work collaboratively on security measures that address the root cause of the threat. With full transparency of the supply chain, potential vulnerabilities in the software can be identified and the organisations that depend on it protected.

We must keep looking

It is crucial for the industry to stay one step ahead of supply chain threats by addressing as many reported security issues as possible while continuing to look for new ones. Because a compromise of a trusted software component can affect the entire supply chain, developers need to understand every layer of their technology stack so they can identify weak points and avoid reintroducing past attack surfaces. By carefully considering the security implications of utilising and integrating third-party software, development teams can better protect the organisations that use their software.

Organisations themselves also urgently need proper checks and evaluation of the libraries and frameworks they depend on, which a well-defined product security testing programme can provide. Such a programme gives an organisation full transparency of its software supply chain, so it can identify foundational weaknesses. Addressing software vulnerabilities is integral to defending against future breaches, but it is only part of the solution; collaboration within and between industries will be critical to keeping data safe.

Industries cannot afford to ignore the risks posed by skeletons in the software closet. It is crucial to seek out and eradicate foundational vulnerabilities and, even if it takes some time, mass patching of open-source projects is a reasonable solution. Ultimately, taking a proactive approach to security will pay dividends in the long run.