Supply chain security has made lots of headlines recently thanks to events like the SolarWinds breach. That and similar events highlight the importance of having a strategy in place to respond to zero-day attacks which can take advantage of vulnerable software components.
I recently organized a webinar with and Teresa Pepper, our EMEA Partner Manager. She and I shared insights on:
- The main challenges that arise from software supply chains
- How those challenges can lead to zero day exploits
- What businesses can do to keep themselves safe
You can check out our complete webinar How to Remediate Zero Day Attacks 3x Faster or continue on for important highlights and key takeaways.
The Challenges of Supply Chain Security
Software supply chain security isn’t a new challenge. It’s existed as long as developers have relied on third-party components to help build software. However, as I explain in our webinar, what’s changed in recent years is the massive shift toward automation within software development. Developers today are trying to automate as much as possible as code moves down the development pipeline.
As a result, it’s easier for vulnerabilities to slip into applications. Developers can manually vet every link in the software supply chain before adding it to their codebase. However, when automation tools pull software from various sources and integrate it, the risk of insecure code slipping past controls increases.
Couple that with the fact that security leaders face competing priorities and are being “pulled from all different directions,” as Teresa describes, it’s entirely possible to face a scenario where potential vulnerabilities within the software supply chain becomes an afterthought until an attack occurs. Security leaders are aware of supply chain risks and know that it’s vital that code is trustworthy before it goes into the pipeline. They also know that secure supply chains give the businesses a competitive advantage since it results in fewer security incidents and builds trust with their customers. However, they have a limited ability to manage supply chain risks amid all of the other security challenges they need to contend with.
Zero-Day Attacks
Supply chain security might not be so worrisome if the threats introduced via third-party software vulnerabilities didn’t develop into real risks further down the road.
Unfortunately, integration of insecure modules, dependencies, and other third-party software resources may lead to zero-day attacks if they aren’t immediately identified and remediated. Zero-day attacks are attacks that threat actors can carry out immediately, usually by taking advantage of known exploitation techniques.
In this sense, supply chain insecurities are especially threatening. Unlike other types of security risks such as misconfigured software, threat actors will carefully research specific exploitation techniques before setting them loose, allowing supply chain attacks that are efficiently targeted.
Because of this, businesses need to be especially wary of supply chain vulnerabilities. Smart organizations know to focus on zero-days vulnerabilities. Of course, managing other common risks is important. But these don’t compare with the potential severity to a zero-day exploit.
Implementing Zero-Day Protections
That’s the challenge. What can businesses do about it?
With implementing zero-day protection being a challenge, businesses need to become aware of the limitations of their existing tools. They need to avoid having a false sense of security in their software supply chain because the tools they’ve previously deployed also effectively manage such threats. Issues related to cost, information silos, incomplete tool implementation, and more may undercut complete supply chain defenses.
A prime example are the vulnerabilities uncovered within Log4j which resulted in zero-day attack risks for thousands of businesses across the world. In reaction to Log4j, security teams had to scan their software pipelines to determine whether they included insecure versions of the library. But if those scans only applied to undeployed versions of applications, they wouldn’t have necessarily detected insecure Log4j implementations within production environments. Instead, they’d only catch risks within development releases.
Additionally, even when scans did detect Log4j vulnerabilities, fixes could not be implemented immediately. It takes time to develop an effective remediation plan to supply chain risks, and the slower you are, the higher your chances of being attacked.
A better approach to zero-day protection is to adopt holistic security protections, like those delivered through a Cloud Native Application Protection Platform (CNAPP). This gives businesses:
- The ability to shift supply chain security left and right to catch and respond to vulnerabilities within development and production.
- Cloud Security Posture Management (CSPM), which helps detect insecure configurations expose supply chain vulnerabilities.
- Cloud workload protection, to provide an extra layer of defense against supply chain risks on a workload-by-workload level.
Supply Chain Security at Work: A Real-World Example
To illustrate how CNAPPs protect applications in practice, in one particular case a FinTech business that is an Aqua Security customer adopted a CNAPP solution to help protect its $20 billion revenue stream from cybersecurity attacks. Before adopting the solution, the business had basic code scanning and CSPM protections, but it lacked workload protection. Worse, its security operations and data sources were siloed. This resulted in an inability to identify and respond to supply chain vulnerabilities that would expose them to zero-day risks.
With a CNAPP however the company centralized and streamlined security. The CNAPP made it easy to understand how supply chain risks impacted actual workloads as well as permit them to react more quickly and cost-effectively when vulnerabilities were detected.
Getting More from Zero-Day Protections
Which factors make CNAPP implementations most likely to succeed? Which open source tools are available to complement supply chain security?
For deeper insights about the real and pressing challenge of zero-day supply chain vulnerabilities, and how you can protect your business against the next SolarWinds or Log4j incident, check out the full webinar How to Remediate Zero Day Attacks 3x Faster.