The software supply chain includes:
Data Delivery Service (DDS)
DDS is a machine-to-machine middleware standard for publish/subscribe communication in real-time and embedded systems. Managed by the Object Management Group (OMG), DDS provides a reliable communication layer between sensors, controllers, and actuators. Because it sits at the top of the chain, it is easy to lose track of and an attractive target for malicious actors.
In January 2022, Trend Micro Research, TXOne Networks, and the Trend Micro™ Zero Day Initiative™ (ZDI), working with ADLINK Labs and Alias Robotics, identified 13 new vulnerabilities affecting the 6 most common DDS implementations. They found that these new bugs could affect more than DDS itself.
DDS vulnerabilities fall into two groups: those at the network layer and those at the configuration level. The former can be abused for techniques such as denial-of-service (DoS) attacks, spoofing, and automated harvesting. Configuration-level vulnerabilities can be used to target the developers and integrators of DDS systems.
Open source components
Developers often copy open source code from shared public repositories such as GitHub to get everyday components. Why waste precious time writing code to send a message from one field to another when someone else has already done it? That’s why 90% use open source code.
However, many organizations lack insight into their open source dependencies. Unvetted open source code can lead to devastating attacks like the one against Apache Log4j, a widely used open source logging framework. Cybercriminals exploited critical flaws in Log4j to inject malicious code and compromise vulnerable systems. According to the FDA, Log4j is estimated to have impacted more than 3 billion devices that use Java, including medical devices.
System management tools
A version control system manages the actual release and deployment process. In production, third-party and open source environments host the applications. While the system is running, automated operational tools handle routine tasks such as maintaining service levels, starting and stopping scheduled activities, and synchronizing updates. A suite of system management tools keeps production running smoothly and resources optimized.
Kaseya VSA, a popular IT management product, was hit by the REvil ransomware attack in early 2021. Attackers exploited a vulnerability in the update mechanism to distribute malicious payloads to the hosts the software managed. The damage from this widespread attack extended far beyond the virtual world, forcing Swedish supermarket chain Coop to close its 800 stores for almost a week.
Purchased applications
Developers also use purchased software products for database updates, web page templating, testing, and more. These products can carry security vulnerabilities such as Ripple20, a series of zero-day vulnerabilities in widely used low-level TCP/IP software libraries developed by Treck, Inc.
The impact of Ripple20 was magnified by the supply chain. It shows how a single vulnerable component can spill over and affect a wide range of industries, applications, and companies, including Fortune 500 multinationals. JSOF reported that hundreds of millions of devices were affected because of how widely the libraries are used.
How to improve the security of your software supply chain
Clearly, the software supply chain can be exploited at multiple points, which makes securing it more complex. To help organizations mitigate supply chain security risks, CISA recommends the following six key steps:
- Identify: Determine who needs to be involved.
- Management: Develop supply chain security policies and procedures based on industry standards and best practices, such as those published by NIST.
- Evaluate: Understand the hardware, software, and services you procure.
- Need-to-know: Map your supply chain to better understand the components you source.
- Validation: Determine how your organization evaluates your suppliers’ security culture.
- Evaluation: Establish timeframes and systems for checking supply chain practices against guidelines.
Additionally, consider adding software asset management tools that can help you understand what is installed and automate the process of managing and generating a software bill of materials (SBOM).
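As an added illustration of what an SBOM makes possible (this is example code written for this page, not a tool from CISA, Trend Micro, or any vendor), the script below reads a CycloneDX-style SBOM and flags components whose versions fall inside a known affected range. The SBOM, the advisory entries, and their version ranges are all constructed sample data; the version comparison handles plain dotted numeric versions only, which is an assumption that real tooling should replace with a proper semver/purl library.

```python
"""Scan a CycloneDX-style SBOM for components in known vulnerable version ranges.

Added example for illustration. The SBOM and advisory list are constructed
samples, not real data; version parsing is deliberately simple (assumption).
"""
import json

# Constructed sample SBOM in CycloneDX JSON shape (not produced by any real build).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
        {"type": "library", "group": "com.example", "name": "widgets",
         "version": "1.0.3",
         "purl": "pkg:maven/com.example/widgets@1.0.3"},
    ],
})

# Constructed advisory list. Each entry affects versions in the half-open range
# introduced <= version < fixed. The IDs and ranges are illustrative placeholders,
# not a real advisory feed.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "EXAMPLE-ADVISORY-2", "group": "com.example",
     "name": "widgets", "introduced": "2.0.0", "fixed": "2.0.5"},
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so tuples compare numerically.

    Non-numeric suffixes (e.g. '-rc1') are dropped and short versions are
    padded to three parts; this is a simplifying assumption for the example.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (OSV-style half-open range)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def scan_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) match in the SBOM."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        for adv in advisories:
            same_pkg = (comp.get("group") == adv["group"]
                        and comp.get("name") == adv["name"])
            if same_pkg and is_affected(comp["version"],
                                        adv["introduced"], adv["fixed"]):
                findings.append({
                    "purl": comp.get("purl"),
                    "advisory": adv["id"],
                    "installed": comp["version"],
                    "fixed": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_sbom(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['purl']}: {f['advisory']} "
              f"(installed {f['installed']}, fixed in {f['fixed']})")
```

Run as-is, the scan reports only the sample log4j-core component: log4j-api is already at the fixed version and the widgets library sits below the affected range. In practice the advisory list would be fed from a vulnerability database and the SBOM regenerated on every build, so the check runs continuously rather than once.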
Finally, an integrated cybersecurity platform that supports extensive third-party integrations gives you complete oversight of your entire software supply chain from a single dashboard. Security capabilities such as software composition analysis (SCA), automation, continuous monitoring, and detailed data collection and correlation are also essential for rapid detection, response, and remediation of affected supply chain components.
For more information on managing and mitigating cyber risk, check out the following resources: