SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Time to rethink how to fix software supply chain vulnerabilities
Mon, 7th Nov 2022

As 2021 drew to a close, many IT teams were in for a rude surprise just before they headed into their year-end holidays.

The Log4Shell vulnerability that hit countless servers across the globe needed urgent remediation, so the experts had their leave frozen and returned to work out where to place the band-aid.

A year on, many are still trying to make sure the vulnerability, which affects the Java enterprise applications used in so much of today's IT infrastructure, is not lurking somewhere in their systems, ready to spring another surprise this holiday season.

The problem is finding the right place to apply a patch or close the loophole. By some calculations, more than 35,000 Java packages, or 8% of those in the Maven Central repository, have been impacted by the Log4Shell issue.

Look beyond Java to the many pieces of third-party code that modern IT systems use and it is easy to imagine the headaches IT teams face today. There is simply too much to sift through to find a solution, and you cannot fix what you cannot see.

Today, an estimated 40% to 80% of the lines of code in software come from third parties such as libraries, components, and software development kits (SDKs). So, unsurprisingly, by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021, according to research firm Gartner.

More automation, visibility needed

Today, there is an industry built for cyberattacks, with specialists on the Dark Web ready to take on specific roles in a ransomware attack, from crafting the phishing message to collecting the ransom. If the bad guys have already developed such an elaborate supply chain and weaponized malware as a criminal tool, businesses surely must up their game for their own software supply chain.

What they need are tools that deliver increased automation and offer visibility into their IT systems that they did not have previously. This means being able to find the vulnerabilities in their software supply chain more easily instead of manually searching for them.

What should a vulnerability detection tool help to do? There are so many components in a software supply chain that it helps to narrow the question down to Java software in particular and list the features to look out for:

  • Ongoing detection: Continuously assess application-level exposure to vulnerabilities in production, without needing the source code. Compare the code that actually runs against a Java-specific CVE database.
  • Eliminating false positives: Monitor the code executed by the Java runtime (JVM) and generate accurate results that traditional tools do not uncover.
  • Transparent performance: Avoid the performance hit of additional agents that add overhead to the production system. Look for a solution that runs in an agentless manner.
  • Thorough checks: Make sure the tool runs across all versions of the Java software found on one's systems, so that no loophole is missed.
  • Historical traceability: Keep a history of the components and code used, so that forensic work can focus on whether vulnerable code actually led to an exploit.
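As an added illustration of what the "ongoing detection" and "false positive" points above amount to in practice (this is example code, not from the article or any vendor's product), the Python below compares the Java components a JVM has actually loaded against a Java-specific advisory table. It uses Maven-style version ordering so that a pre-release such as 2.0-beta9 sorts correctly, skips backported fix releases that fall inside the affected range, and ranks components whose classes really executed above jars that are merely present on the classpath. The advisory table and the JVM snapshot are constructed; collecting a real snapshot from a running JVM is outside the example.

```python
import re
from dataclasses import dataclass
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a plain release ranks 3
def version_key(version: str):
    """Sort key approximating Maven ordering, e.g. 2.0-beta9 < 2.0 < 2.14.1."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad so that 2.0 == 2.0.0
    qualifier, qnum = m.group(2), m.group(3)
    rank = QUALIFIER_RANK.get(qualifier.lower(), 3) if qualifier else 3
    return (nums, rank, int(qnum) if qnum else 0)

@dataclass(frozen=True)
class Advisory:
    name: str
    artifact: str              # groupId:artifactId
    first_affected: str
    last_affected: str
    backport_fixes: frozenset  # patched releases that fall inside the range

# Constructed, illustrative table (a real tool carries the follow-up Log4j advisories too).
# Per Apache's Log4Shell advisory: 2.0-beta9 to 2.14.1 affected; Java 6/7 fixes 2.3.1, 2.12.2.
ADVISORIES = [Advisory("Log4Shell", "org.apache.logging.log4j:log4j-core",
                       "2.0-beta9", "2.14.1", frozenset({"2.3.1", "2.12.2"}))]

def is_affected(adv: Advisory, version: str) -> bool:
    if version in adv.backport_fixes:
        return False
    return version_key(adv.first_affected) <= version_key(version) <= version_key(adv.last_affected)

def assess(observed):
    """observed maps 'groupId:artifactId:version' to whether the JVM actually
    loaded classes from that jar; components that executed are listed first."""
    findings = []
    for coordinate, loaded in observed.items():
        group, artifact, version = coordinate.rsplit(":", 2)
        for adv in ADVISORIES:
            if adv.artifact == f"{group}:{artifact}" and is_affected(adv, version):
                findings.append((coordinate, adv.name, "EXECUTED" if loaded else "PRESENT_ONLY"))
    return sorted(findings, key=lambda f: f[2] != "EXECUTED")

# Constructed JVM snapshot: classpath jar -> did the JVM load any of its classes?
OBSERVED = {
    "org.apache.logging.log4j:log4j-core:2.14.1": True,   # vulnerable and executing
    "org.apache.logging.log4j:log4j-core:2.12.2": False,  # Java 7 backport fix
    "org.apache.logging.log4j:log4j-core:2.17.1": True,   # outside the range
    "org.apache.logging.log4j:log4j-api:2.14.1": True,    # different artifact
}
```

Running `assess(OBSERVED)` reports only the 2.14.1 log4j-core jar, marked EXECUTED; the 2.12.2 jar is left alone because it carries the backported fix even though a naive range check would flag it.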

Coping with a complex environment

Ultimately, businesses need better observability and increased automation in an increasingly complex IT environment. Doing things manually is no longer possible. The software that is running in production every day needs to be closely monitored and observed in a highly granular manner as malicious actors increasingly seek to go deeper into the software supply chain to gain access to victims’ systems.

Besides the Log4Shell issue, which was described by the United States Department of Homeland Security as one of the most serious software vulnerabilities in history, cyber attackers have found new ways to penetrate software supply chains. They are a lot more brazen in the way they mount attacks as well.

Earlier this year, users of a Chinese messaging app, MiMi, were served a fake version spiked with malicious code that could allow an attacker to take over the software remotely. This meant they could spy on what users were chatting about.

What made this remarkable was that the attackers managed to take control of the servers that delivered the app to users. They added code to the app, removed the real version, and so tricked victims into unknowingly downloading and installing the tampered app.

While this was not a Java-based issue, it showed how serious software supply chain vulnerabilities have become in recent years and how difficult it is to stem the tide of such attacks.

There is also the issue of trust. Much of today’s digital services depend on a multitude of third-party software suppliers, from open-source repositories (where attackers can also plant malicious code) to packaged apps that are installed on devices in an enterprise.

Against this backdrop, businesses need to adopt a smarter way to ensure that their digital efforts do not get derailed. At the same time, they should not get bogged down by security measures so onerous that they damage the customer experience.

They should seek out streamlined solutions that can automatically detect threats without slowing performance, thus developing the agility that’s needed in a competitive market.