Many open-source developers lack the resources to properly verify their code, and the associated risks are inherited by any user of that code. There have been several well-publicized instances of malicious actors pushing modified code into common libraries, in the hope that those libraries will be adopted by projects with weak controls. Organizations must be responsive to these types of attack and ensure robust dependency management.
What SolarWinds taught us
The SolarWinds hack is the best-known example of a supply chain breach. A group of hackers, identified as Nobelium, inserted malicious code into the SolarWinds Orion system, creating a backdoor the hackers could use to impersonate privileged accounts inside the organizations using the Orion product. This also permitted access to system files and other digital assets and proved difficult to detect because the traffic generated appeared as legitimate SolarWinds activity.
SolarWinds was an attractive target for supply chain attacks because their customers include large global companies and government agencies, and the nature of the software requires privileged accounts and broad access. A single compromise of code could, and did, result in breaches of countless systems belonging to thousands of customers. And SolarWinds customers were not the only ones affected. Once the compromise exposed Orion users, the same backdoor could be used to access the networks and data of downstream customers and partner organizations, allowing the blast radius to expand exponentially.
This breach demonstrates the risks of poor CI/CD security. Malicious actors gained access to the SolarWinds development environment and inserted malicious code into an update. That malicious code was accepted, digitally signed by the company and pushed out to customers. This breach shines a light on the advantages of shift left security practices and the importance of securing the software supply chain.
Supply Chain Risks in Development Environments
A supply chain attack happens when a threat actor compromises a software product before that product is distributed to customers. That compromised software then compromises customer systems, allowing access to systems, data, and other digital assets. The vulnerabilities may take several forms:
Malicious code added by an attacker may compromise a software product from the outset, or via an update. Malicious code exploits common system vulnerabilities, and may take the form of a virus, backdoor, worm, trojan, or script. Malicious code may be introduced via compromise of developer IDE by email attachments, browser plugins, suspicious links and other active content and other sources. Once introduced, malicious code may access data, compromise systems, create nuisance, or hold digital assets to ransom.
Use of insecure/malicious dependencies can result in vulnerabilities being introduced via open-source code. A threat actor inserts malicious code into code available on third-party repositories, which unsuspecting developers then add to their own code to perform specific functions. The malicious code typically contains the original function, plus the introduced exploit. The code behaving superficially as the developer expects reduces the likelihood of the malicious code being detected. Developers of proprietary code can also be impacted by open-source code compromises, because developers routinely leverage blocks of open-source code in their products to save time and effort.
Vulnerabilities introduced by poor coding practices include privacy violations, insecure storage, insecure transport, insecure deployment, poor logging, and exposed secrets. The majority of vulnerabilities introduced by poor development practices stem from a small number of common programming errors resulting in flaws in logic, bugs, and defects. Despite knowing they exist, these same errors persist, and it is time that software development became secure software development. Properly implemented security throughout the lifecycle can minimize the frequency and impact of such vulnerabilities.
The potential for threats to emerge at any stage in the software development lifecycle makes the ability to detect and mitigate vulnerabilities essential to successful and secure application development that safeguards the organization, and its customers.
Managing Supply Chain Security Threats
Keeping your application development secure means performing vulnerability scanning throughout development and the application lifecycle, from the developer’s workstation, through the CI/CD deployment mechanisms, through to production workloads and finished software products.
Provide developers with the tools they need with Wiz. Give developers visibility of their applications and supporting infrastructure with pre-built integrations and customizable automation to route issues to the right remediation team. Single-policy framework integration extends to the CI/CD pipeline to prevent vulnerabilities in development becoming issues in deployment.
Wiz provides deep analysis to detect sophisticated and hidden risks quickly, as well as discovering complex chains of exposure and lateral movements in attack paths to protect digital assets. Scan at runtime to identify vulnerable and non-compliant artifacts, whether active or not.
Continuous monitoring for vulnerabilities, exposed secrets, and malware as well as enforcement of secure configurations mitigates threats to the software development lifecycle. Using a comprehensive engine that integrates Cloud Infrastructure Entitlement Management (CIEM), Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWPP), Infrastructure-as-Code (IaC) scanning, and Kubernetes Security Posture Management (KSPM), means comprehensive scanning, detection, analysis and mitigation. With an agentless configuration that means no impact to performance or velocity.