This summer, cyber professionals are convening at two important gatherings: RSA and BlackHat. At both events, participants are putting a spotlight on the importance of the security of the software supply chain. IQT has invested in the field of software supply chain, and more broadly, application security for many years, including investments in Veracode, Tenable, Sonatype, Reversing Labs, and Contrast Security, among others. IQT conducted an extensive survey of the global software supply chain market that we shared with our government partners in 2019 and continue to make new investments in the key innovators in the field.
As a country, it is imperative that we know what’s in the software we rely on to run critical infrastructure and national systems. We must work to ensure that software is free of vulnerabilities our adversaries could exploit.
What is the software supply chain? Consider the hardware supply chain that includes raw materials from all over the world, assembled in factories into component parts, then final products before being shipped to consumers. Hardware manufacturers must keep track of the origin of each part , the security and quality of their suppliers, the integrity of their factories, and the delivery of final product to customers.
Similarly, software manufacturers also have a supply chain to manage and protect. Applications sold to consumers or enterprises consist of thousands or millions of lines of source code, some created by the application provider and some assembled from open source or third-party software. The proliferation of open source software (OSS) use in commercial applications, including SaaS applications in the cloud and even the cloud itself, has resulted in tremendous complexity of the software supply chain. It’s well known that complexity is the enemy of security.
According to the Linux Foundation, between 70-90% of modern software is composed of open source software. There are millions of open source libraries available in public repositories. Oversight into who contributes to those libraries and who is responsible for keeping them updated and secure is not clear. The result: open source software is a growing potential attack vector that malicious actors could use as a backdoor to gain access to sensitive information and systems of private and governmental organizations.
According to Sonatype’s 2021 report “State of the Software Supply Chain”, software supply chain attacks increased by 650% from 2020 to 2021. Earlier this year at the Global Cyber Innovation Summit in Baltimore, MD, Katie Gray, Senior Partner at IQT and investment lead for the Cyber Practice, facilitated a conversation among a panel of experts on the topic, including:
- Jim Higgins, CISO at Block
- Clark Smith, Head of Engineering and Architecture Practice – Cyber Security at Citi; and
- Yuriy Bulygin, Founder & CEO, of Eclypsium.
The panel highlighted the concerns of large organizations that are both consumers and producers of software. In addition, they touched on the vulnerability of not just software, but also of firmware, the embedded software that runs under the operating system that controls hardware devices. One example of a recent attack on firmware was the destruction of part of the Viasat satellite communications infrastructure at the start of the war in Ukraine, attributed to Russian actors. Other high-profile software supply chain attacks in the last year include the SolarWinds attack and the vulnerability discovered in the popular Log4j open source library, both of which caused breaches across industries and caused thousands of organizations to scramble to secure their systems.
We saw at RSA Reversing Labs’ new survey of software executives, technology, and security professionals’ perspectives about supply chain attacks and the risk posed by software tampering. It showed that while 98% agreed that third-party software using OSS increases security risks, only 37% said they have a way to detect software tampering across their supply chain. Furthermore, only 7% do it at each phase of the software development lifecycle and 54% said their firm knowingly releases software with potential security risks.
One way to address this growing threat is the Software Bill of Materials (SBOM). The SBOM is an inventory of all the source code that is used to assemble an application and can be used by consumers of software to understand what’s running in their organizations. It’s especially important for organizations to understand if they might be exposed once a vulnerability, like the one in Log4j, is discovered. SBOM was a key element of the Biden Administration’s cybersecurity executive order in May 2021 and will likely require companies selling to the federal government to provide an SBOM in the near future. Several IQT portfolio companies offer SBOM, including Sonatype and Contrast Security. Right now, according to the same Reversing Labs survey, just 27% of software firms generate and review SBOMs.
IQT is also investing in companies that are focused on other ways of addressing software supply chain security. IQT Labs, the open source capabilities shop of IQT, is creating open source software prototypes, investigating approaches to protect the software supply chain, and surveying practitioners to see what they think about the risk/reward trade-offs of open source code reuse. Open source projects, such as Sigstore and SLSA enable organizations to better document the source code chain of custody and implement controls to prevent tampering, improve integrity, and secure packages and infrastructure.
The conversation on Software Supply Chain Security is just beginning and we have a long way to go. Katie Gray will be continuing the conversation at the Billington Cybersecurity Conference on the panel “Enhancing the Security of Open Source Software and the Supply Chain” in Washington, D.C. on September 8. We hope you’ll join the conversation and connect with us on LinkedIn or through email.