Article Details

Too many software supply chain defense bibles? Boffins distill advice. How to avoid another SolarWinds, Log4j, and XZ Utils situation. Organizations concerned about software supply chain attacks should focus on role-based access control, system monitoring, and boundary protection, according to a new preprint paper on the topic. The software supply chain refers to the interconnected ecosystem of open source and third-party software, each with its own web of dependencies that may trigger the download of additional components. It’s possible that developers contributing to those components and libraries could, through errors or malicious activity, include dangerous vulnerabilities. When bad code makes it into the software supply chain, the consequences can be deeply unpleasant – as was the case in several recent high-profile cases name-checked in the paper’s title: "Closing the Chain: How to reduce your risk of being SolarWinds, Log4j, or XZ Utils." The authors of the preprint paper, boffins at North Carolina State University and Yahoo!, embarked on their study because they feel it’s hard for organizations to pick from the myriad supply chain defense tools in the market. Security-conscious coders certainly have lots of advice to consider. The US National Institute of Standards and Technology (NIST) offers its Secure Software Development Framework (SSDF [PDF]) and Cybersecurity Supply Chain Risk Management Practices guide. CISA has developed a Self-Attestation form. The Open Source Security Foundation developed a software security scorecard. The Cloud Native Computing Foundation offers the OWASP Software Component Verification Standard [PDF], and a Supply chain security framework (S2C2F). If catching up with all of those seems daunting, there’s also the Proactive Software Supply Chain Risk Management Framework that distilled 73 supply chain security tasks from 10 different frameworks. In short, there's a lot of advice for organizations trying to improve their software supply chain security posture. The paper’s authors therefore suggest a ranked list of mitigation tasks based on an analysis of the various frameworks for software supply chain security. The researchers looked at the SolarWinds, Log4j, and XZ Utils attacks as described in 106 incident reports and mapped the adversarial events against 203 MITRE attack techniques. They then referenced those against the recommended advice of the various mitigation frameworks. "For example, an adversarial event is when 'APT29 [adversaries] was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle' which was mapped to subvert trust controls (T1553), occurred at the dependency, and done in the Sunburst introduction phase," the authors explain. The authors also developed a starter kit for organizations that attempts to harmonize the recommendations of the various supply chain security frameworks. In doing so, they have validated webcomic xkcd 927 by creating another framework. "The top five starter kit tasks are: role-based access control (E.3.3) system monitoring (D.2.1), boundary protection (E.3.7), monitor changes to configuration settings (E.3.6), and environmental scanning tools (E.3.11)," the authors state, noting that four of these apply to the software development environment. The authors also found that three tasks were missing from the P-SSCRM and other frameworks that incorporate it. "Thus, software products would still be vulnerable to software supply chain attacks even if organizations adopted all recommended tasks," they state in their paper. To address this, they created identifiers for these gaps in the hope of expanding supply chain framework coverage. These include: These gaps have been acknowledged by the P-SSCRM authors and are slated for inclusion in a future release.