While it may sound unintuitive at first, software has a supply chain just like any physical good.
Though it is perceived as intangible lines of code, software has a long, complex supply chain: writing and documenting code, pulling in dependencies, building, distributing and delivering the result, licensing it, and finally reaching the customer. The term reached mainstream attention with the attacks on SolarWinds and Kaseya, in which attackers abused the software supply chain itself (trojanized Orion updates in the SolarWinds case, and exploitation of Kaseya's VSA remote-management product to push ransomware to its customers) and caused enormous security, privacy, and business headaches. It was a reckoning for the software industry to pay closer attention to the software supply chain.
Software begins with elements such as first-party code, external libraries, third-party tools, and open source repositories. From there it is assembled into a program by software engineers, then tested, documented, distributed, and used by customers. As in a physical supply chain, many parties each handle one part of the process; several development teams may work on the assembly stage alone and must be coordinated so that each piece, and the product as a whole, ships on schedule.
Software no longer has to be moved by truck or ship to reach its destination, but it can still be bottlenecked and delayed if the supply chain is not smooth.
Because it is a complicated chain of logistics, development, and distribution that often involves many parties, a software supply chain also exposes many attack surfaces, leaving it susceptible to compromise and malicious code injection. Furthermore, the application programming interfaces (APIs) that make it easier for partners and customers to consume software also make it easier to attack flawed software through those same APIs.
Because the vast majority of software today uses open source code, significant portions of a ‘new’ application may not have been written by the developer shipping it, which can leave security holes unnoticed if the developer does not track the software supply chain. The industry appears aware of the problem: a survey commissioned by ReversingLabs found that 98 percent of respondents agree that use of third-party software such as open source increases security risk, yet only 37 percent said they can detect software tampering in their software supply chain, and a mere seven percent said they detect tampering across the entire software development lifecycle.
Measures that reduce software supply chain risk include keeping open source components patched, securing the continuous integration and continuous delivery (CI/CD) pipeline, continuously testing and monitoring deployed applications, and providing customers with a software bill of materials (SBOM) that lists every component of the program or application, for the sake of transparency.
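The tampering-detection gap in the survey and the SBOM recommendation above come together in one concrete check: if the SBOM records a hash for each component, the customer can verify that what was delivered is what was built. The script below is an added example, not code from the original article or from any SBOM tool. It uses the CycloneDX JSON field names (bomFormat, specVersion, components, purl, and hashes with alg and content), but the package names, archive contents, and the "delivered" set are constructed stand-ins for real archives on disk, and run_example, make_sbom and verify_sbom are names chosen here.

```python
"""Check delivered packages against the hashes recorded in an SBOM.

Added example, not code from the original article. The SBOM uses the
CycloneDX JSON field names (bomFormat, specVersion, components, purl,
hashes with alg/content); the package names, contents and the
'delivered' set are constructed stand-ins for real archives on disk.
"""
import hashlib
import json
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: archives as produced by the build, keyed by package URL (purl).
# A None value stands for a component that was listed but never hashed.
BUILT: Dict[str, Optional[bytes]] = {
    "pkg:npm/left-pad@1.3.0": b"module.exports = function leftPad(s, n) {};",
    "pkg:pypi/requests@2.31.0": b"PK\x03\x04 constructed wheel contents",
    "pkg:npm/lodash@4.17.21": b"constructed lodash tarball contents",
    "pkg:npm/legacy-widget@0.9.0": None,
}

# Constructed: what actually reached the customer. One archive was modified
# after the build, one is absent, and one was never recorded in the SBOM.
DELIVERED: Dict[str, bytes] = {
    "pkg:npm/left-pad@1.3.0": BUILT["pkg:npm/left-pad@1.3.0"],
    "pkg:npm/lodash@4.17.21": BUILT["pkg:npm/lodash@4.17.21"]
    + b"\nrequire('./post-install-hook');",
    "pkg:npm/legacy-widget@0.9.0": b"constructed widget contents",
    "pkg:npm/telemetry-shim@1.0.0": b"constructed package nobody listed",
}


def make_sbom(built: Dict[str, Optional[bytes]]) -> str:
    """Produce a minimal CycloneDX-shaped SBOM with a SHA-256 per hashed component."""
    components = []
    for purl, data in built.items():
        name, version = purl.rsplit("/", 1)[-1].rsplit("@", 1)
        component = {"type": "library", "name": name, "version": version, "purl": purl}
        if data is not None:
            component["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(data)}]
        components.append(component)
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "version": 1, "components": components}, indent=2)


def verify_sbom(sbom_json: str, delivered: Dict[str, bytes]) -> Dict[str, str]:
    """Map each purl to ok / tampered / missing / unverifiable / unlisted."""
    report: Dict[str, str] = {}
    for component in json.loads(sbom_json).get("components", []):
        purl = component["purl"]
        expected = {h["content"].lower() for h in component.get("hashes", [])
                    if h.get("alg") == "SHA-256"}
        if purl not in delivered:
            report[purl] = "missing"        # listed, never delivered
        elif not expected:
            report[purl] = "unverifiable"   # listed without a hash: transparency, not integrity
        elif sha256_hex(delivered[purl]) in expected:
            report[purl] = "ok"
        else:
            report[purl] = "tampered"       # bytes changed between build and delivery
    for purl in delivered:
        report.setdefault(purl, "unlisted")  # shipped but absent from the SBOM
    return report


def run_example() -> Dict[str, str]:
    return verify_sbom(make_sbom(BUILT), DELIVERED)


if __name__ == "__main__":
    for purl, status in sorted(run_example().items()):
        print(f"{status:13} {purl}")
```

The "unverifiable" and "unlisted" results are the point: an SBOM that lists components without hashes, or that misses components entirely, gives transparency but cannot detect tampering, which is the gap the survey numbers describe. Package managers already offer the same check for their own ecosystems (for example pip's --require-hashes mode and the integrity fields in npm lockfiles); the script shows what that check does at the artifact level.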
The edge computing angle
Organizations such as the National Institute of Standards and Technology (NIST) are working to reduce the attack surface at the hardware layer by publishing a blueprint for hardware-based security techniques and technologies that reinforce server platform security and data protection in cloud data centers and at the edge.
Edge computing and IoT adoption will make the enterprise IT attack surface larger: more operating systems, more applications, and ephemeral compute environments, all of which make software supply chain security an important issue for edge computing vendors and developers to address.