Following the end of 2020 software supply chain attacks on SolarWinds that impacted multiple government agencies and private sector companies, President Biden issued a 2021 executive order asking for a comprehensive review of all government supply chains.
Within the order Biden calls for the Secretary of Commerce and Secretary of Homeland Security to coordinate with heads of appropriate agencies to report on the security and integrity of critical information and communications technology software supply chains. Specifically, President Biden requests:
"The Secretary of Commerce and the Secretary of Homeland Security, in consultation with the heads of appropriate agencies, shall submit a report on supply chains for critical sectors and subsectors of the information and communications technology (ICT) industrial base (as determined by the Secretary of Commerce and the Secretary of Homeland Security), including the industrial base for the development of ICT software, data, and associated services."
Software Supply Chain Attacks are on the Rise
In our sixth annual State of the Software Supply Chain Report, we documented a 430% increase in software supply chain related attacks. While our report was release well before the SolarWinds attack made headlines, our data reveals why Biden's administration is so concerned about attacks on our critical infrastructure, including software.
In a “normal” breach pattern, time between a vulnerability disclosure and a breach is about three days, when it comes to open source software packages. This is when a vulnerability is discovered, appropriate processes are taken so project owners can remedy the issue and the known vulnerability is then shared publicly along with a fixed version of the code.
In a case where adversaries are injecting malicious code into containers or open source packages, those breaches can occur as soon as the code is deployed into production and into your customers environment . Adversaries know what the malicious code or backdoor is, can spot that malicious code being distributed and can then initiate their attack path.
Software Supply Chain Attacks Are Preventable
Over the past two years, I have worked with Gene Kim and Dr. Stephen Magill to understand how high performance software development teams improve security outcomes. A few things are clear from this research. High performance teams demonstrate:
- 15x more frequent deployments
- 26x faster detection and remediation of vulnerable OSS components
- 51% more likely to keep an inventory of all OSS and third-party software components
- 77% more likely to automate the analysis and approval of OSS dependencies
High performance software development teams have mapped their software supply chains, maintain automated checks on the quality of software components and packages moving through them, and update the components to the latest releases on a regular basis. We also know that teams that update their code more often, generally stay more secure. BONUS: high performance development teams also have happier developers with greater job satisfaction.
What does that mean in practice? It means that awareness of software supply chains, the infrastructure supporting them and the components moving through them, can lead to better management of them. Better managed software supply chains result in lower risk, better performance and happier developers.
Deeper Analysis of Software Supply Chains
This is just a start, but by understanding basic best practices like the above, you can protect your organization from software supply chain attacks.
To learn more about my research into software supply chains and what the best software development teams are doing to better understand and mitigate risk within their supply chains, you can download our sixth annual State of the Software Supply Chain report here. The report specifically details the use of open source containers, adversary attacks, government policies and regulations when it comes to software supply chains - and most importantly, what best practices development teams are pursuing to try and minimize the risk around software supply chain attacks.