Supply chain security has been the hotbed of discussion on national security ever since the disclosure of the SolarWinds attack. If there's a common agreement on SolarWinds, it's that it served as a much-needed wake-up call.
So much so that the White House released an executive order to improve the security posture of the United States when it comes to software supply chains. This executive order emphasizes that “the development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack and adequate controls to prevent tampering by malicious actors.”
Indeed, the web supply chain is one of the biggest security weaknesses of enterprises today, and it’s easy to understand why. Take, for instance, a company that provides a chatbot tool used by thousands of different websites. If attackers manage to breach this company, they can inject their malicious code into the chatbot’s original code and every company that is running the code will start unknowingly serving the malicious code to its users.
It's no wonder this approach is popular: it scales well. If the attackers manage to change the original source code, they can inject arbitrary code into multiple websites at once without ever having to directly breach their targets.
It’s also not surprising that the White House’s executive order goes into detail on the steps needed to enhance web supply chain security. Among the requirements is “employing automated tools or comparable processes to maintain trusted source code supply chains, thereby ensuring the integrity of the code.” This clearly identifies the need to ensure some level of security within the web supply chain and prevent malicious code from being injected through third parties.
However, ensuring the integrity of the code throughout the entire web supply chain is no simple task, especially considering that the average website today is using 35 different third-party components, each of these containing its own fourth parties. These supply chains run deep and wide, making it extraordinarily difficult for organizations to remain in control, more so when each of these components is constantly mutating.
Fortunately, unlike what happens in other supply chains, the web provides enough building blocks to actually achieve a good level of security and mitigate most of the possible attack vectors using a security-in-depth approach. Currently, the best approach seems to be gaining real-time visibility and control of the behavior of each third-party component. So, by monitoring each of their website scripts, organizations can, at any given moment in time, be alerted when any type of suspicious activity occurs, for instance, when a live chat plug-in suddenly starts tampering with a payment form.
But visibility is only half of the solution. An in-depth approach requires having control of all these different behaviors and being able to restrict them. A live chat plug-in should never be able to tamper with a payment form, nor should any third-party plug-in be able to send sensitive data out to an unknown destination. Yet, by default, there’s nothing preventing these malicious behaviors.
To effectively gain control of their web supply chains, organizations must be able to define a set of ground rules that truly enforce how each of their website components can and cannot behave. As a result, they should be able to automatically block potentially malicious behaviors and ensure the integrity of the code.
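The ground rules described above, written out as a small per-script behavior policy and evaluated against a stream of observed events, as an added example that is not part of the original article. The script origins, DOM selectors, hosts and events are constructed for illustration; a real monitor would derive such events from the browser.

```javascript
// Added example (not from the article): a minimal behaviour policy for third-party
// scripts. Script origins, selectors, hosts and events below are constructed.

// Per script origin: DOM regions it may write to and hosts it may send data to.
// Anything not listed is denied by default.
const policy = {
  'https://chat.example-vendor.net/widget.js':
    { domWrite: ['#chat-widget'], network: ['chat.example-vendor.net'] },
  'https://pay.example-psp.com/fields.js':
    { domWrite: ['#payment-form'], network: ['pay.example-psp.com'] },
};

// A DOM path such as "#payment-form > input[name=card]" is inside a region when it
// equals the region selector or descends from it (prefix match on the path).
function inAllowedRegion(target, allowed) {
  return allowed.some(sel => target === sel || target.startsWith(sel + ' '));
}

// Evaluate one observed behaviour event. Returns {action, reason} so the monitor
// can both alert (reason) and enforce (action).
function evaluate(policy, event) {
  const rules = policy[event.script];
  if (!rules) return { action: 'block', reason: `unknown script ${event.script}` };
  if (event.type === 'dom-write') {
    return inAllowedRegion(event.target, rules.domWrite)
      ? { action: 'allow', reason: 'write within own region' }
      : { action: 'block', reason: `${event.script} wrote to ${event.target}` };
  }
  if (event.type === 'network') {
    const host = new URL(event.url).hostname;
    return rules.network.includes(host)
      ? { action: 'allow', reason: 'destination allowed' }
      : { action: 'block', reason: `${event.script} sent data to ${host}` };
  }
  return { action: 'block', reason: `unknown event type ${event.type}` };
}

// Constructed sample stream: the chat plug-in touching the payment form and
// sending data to an unlisted host, alongside legitimate activity.
const chat = 'https://chat.example-vendor.net/widget.js';
const psp = 'https://pay.example-psp.com/fields.js';
const sampleEvents = [
  { script: chat, type: 'dom-write', target: '#chat-widget > div.message' },
  { script: chat, type: 'dom-write', target: '#payment-form > input[name=card]' },
  { script: chat, type: 'network', url: 'https://collector.example-unknown.org/c' },
  { script: psp, type: 'network', url: 'https://pay.example-psp.com/tokenize' },
];

// Run the policy over a stream; each result carries the event plus its verdict.
function audit(policy, events) {
  return events.map(e => ({ ...e, ...evaluate(policy, e) }));
}
```

Every blocked verdict carries a reason string, which is the alert the monitoring half of the approach would raise; the action is what the enforcement half acts on.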
While this executive order is a step in the right direction, the road ahead is a long one. According to an audit in December 2020, in a sample of 23 large federal agencies, 14 had not implemented any of seven recommended supply chain risk management practices.
Nonetheless, this executive order will hopefully bring awareness and help organizations prioritize how they are addressing supply chain security since it provides much-needed clarity on how to effectively minimize supply chain risk. And, while it’s difficult to accurately predict how long it will take public organizations to secure their web supply chains, we see positive signs coming from the private sector, where security teams are implementing solutions that provide visibility and control over their web supply chains. One thing is certain: the security of the private data of billions of users globally will depend on how quickly and effectively organizations secure their web supply chains.