A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software can then further compromise customer data or systems.

To help software vendors and customers defend against these attacks, CISA and the National Institute for Standards and Technology (NIST) have released Defending Against Software Supply Chain Attacks. This new interagency resource provides an overview of software supply chain risks and recommendations. The publication also provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

CISA is encouraging users and administrators to review Defending Against Software Supply Chain Attacks and implement its recommendations.

Erkang Zheng, Founder and CEO at JupiterOne, says, "Software supply chains have become a progressively popular attack vector. Part of this is driven by the noteworthy difference in security maturity and operational sophistication between suppliers and consuming organizations. This latest report offers a solid set of implementable recommendations. In particular, I am strongly in support of the recommendation for capturing a software bill of materials. Having a definitive inventory of software components is essential to knowing what vulnerabilities you might be introducing into your environment."

Supply chain security will remain at the front and center for many organizations, says Jack Mannino, CEO at nVisium. He adds, "In addition to traditional software security testing techniques, such as penetration testing and code reviews, a growing number of organizations may be interested in understanding how software behaves through malicious code reviews. These types of tests explore the probability that software contains embedded malware, through malicious code commits or by compromised third-party dependencies."

Kevin Dunne, President at Pathlock, explains, "Scanning code for vulnerabilities and securing the cyber supply chain are essential in preventing unnecessary attacks on critical business systems.  However, it is inevitable that code vulnerabilities will always remain, given the amount of open-source code leveraged by developers today.  As the risk surface increases, it is important to acknowledge that attackers will remain one step ahead in many cases. Organizations need to put in fail safes that can protect critical assets even in the case of a breach.  Companies should make sure to monitor user activity at the application, network, and device level to ensure they can detect any suspicious behavior that may be linked to intruders who have discovered a vulnerability which is a zero-day exploit and has not yet been found by researchers or product vendors."