Lessons Unlearned: The Persistent Threat of Software Supply Chain Attacks
A Growing Trend
Software supply chain attacks continue to plague organizations, raising concerns about the industry’s response to these increasingly sophisticated threats. Recent incidents, such as the unauthorized access to GitHub’s systems and the software supply chain attack on Micro-Star International (MSI), highlight the vulnerabilities that exist within the software development process and the potentially devastating consequences of a successful attack.
Code Signing Certificates as a Hot Commodity
One troubling trend in software supply chain attacks is the targeting of code signing certificates. These certificates are used by software developers to digitally sign their applications, ensuring their integrity and authenticity. However, criminals are increasingly exploiting stolen code signing certificates to sign malware and deceive unsuspecting users into installing malicious software.
For example, the recent attack on chipmaker Nvidia saw the extortion group Lapsus$ utilize stolen code signing certificates to sign malware in Nvidia’s name. Because users are more likely to trust software signed with a reputable certificate, this type of attack can quickly propagate and cause widespread damage.
Protecting Against Code Signing Certificate Attacks
While organizations like GitHub were able to mitigate the damage by swiftly revoking compromised certificates, there is a pressing need for a comprehensive approach to prevent similar incidents in the future. This approach should include a combination of policy, process, and technology to enhance software supply chain security.
Implementing Strong Certificate Policies
Organizations should establish robust certificate policies that align with industry standards and government regulations. This includes using FIPs and/or Common Criteria-certified solutions and hardware for key generation and protection. Additionally, implementing key rotation strategies, where unique keys and certificates are used, can reduce the impact of a security breach.
Layering on Process Controls
Process controls are essential for securing keys and regulating access to them. Organizations should assess their signing processes, control access to keys and certificates, and implement approval workflows or scheduled release windows to add an extra layer of protection. Additionally, ensuring vulnerabilities are not introduced from open source libraries before signing code is crucial.
The Role of Technology
Deploying technology solutions can help enhance software supply chain security. Deep and comprehensive binary software scanners can detect threats such as malware insertion, private key leakage, and other vulnerabilities in the final software image. Generating a complete software bill of materials (SBOM) at the time of signing is also crucial for monitoring changes over time and meeting industry requirements.
For organizations that lack the expertise to build in-house solutions, partnering with a trusted software supply chain security provider can offer specialized knowledge and help secure various stages of the software supply chain. Managed signing practices can automate the signing process without exposing private keys and certificates, reducing risk and enforcing policy.
Editorial: A Call to Action
The persistence of software supply chain attacks highlights a failure to internalize the lessons of past incidents. The repercussions of these attacks extend far beyond the immediate victims, as they erode trust in the software industry and expose users to significant risks.
It is imperative that businesses involved in the development of critical software take proactive measures to safeguard their software supply chains. This requires a multifaceted approach that encompasses strong policies, robust processes, and cutting-edge technology. Ignoring the potential impact of software supply chain attacks is no longer an acceptable option.
Expert Advice
To organizations seeking to enhance their software supply chain security, the following recommendations should be considered:
- Establish and enforce strong certificate policies that align with industry standards and government regulations.
- Implement key rotation strategies to reduce the impact of a security breach.
- Implement process controls to secure keys and regulate access to them, including assessing signing processes, controlling user access to keys and certificates, and verifying the integrity of open source libraries.
- Deploy technology solutions, such as deep and comprehensive binary software scanners, to detect threats and vulnerabilities in the software.
- Create a complete software bill of materials (SBOM) at the time of signing to monitor changes over time and meet industry requirements.
- Consider partnering with a trusted software supply chain security provider to ensure expertise and secure various stages of the software supply chain.
In conclusion, the repeated success of software supply chain attacks should serve as a wake-up call to the software industry. By learning from past incidents, adopting best practices, and prioritizing security at every stage of the software development process, organizations can help protect themselves and their users from the growing threat of software supply chain attacks.
<< photo by RF._.studio >>
The image is for illustrative purposes only and does not depict the actual situation.
