Google LLC today released a report that explores the challenges in defending the software supply chain on the second anniversary of the now infamous hack of SolarWinds Worldwide LLC.
Since SolarWinds, governments and industry have made important strides in addressing issues, but the report finds that there has been a sharp increase in software supply chain attacks across almost every sector. Software supply chain attacks are now the second-most prevalent initial infection vector, and Google argues that critical infrastructure owners and operators should take measures to address related risks.
Topping the report's recommendations is the need for users to take on additional open-source security responsibilities. Open-source software has become an increasing focus for hackers, meaning that entities that benefit from its use hold a greater responsibility in securing the supply chain.
It falls upon open-source users to assess the quality of dependencies they consume and ensure they have suitable mechanisms to receive and ingest new information on vulnerabilities when they are discovered. Log4j is highlighted as an example that brought the challenges of using open source into focus as the community struggled to respond to the event and organizations were found to lack the basic tools they needed to assess and mitigate the problem.
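One concrete form of the ingestion mechanism the report calls for is a check that matches a project's pinned dependencies against an advisory feed as new records arrive. The following is an added example, not code from the report or from Google: the lockfile, the advisory records and their version numbers are all constructed for illustration, and the advisory layout (a package name with half-open `introduced`/`fixed` version ranges) is an assumption loosely modelled on OSV-style feeds rather than any specific feed's schema.

```python
"""Match a dependency lockfile against a vulnerability advisory feed.

Added example, not from the report. The lockfile and advisories below are
constructed; the advisory shape (package plus [introduced, fixed) ranges)
is an assumption modelled loosely on OSV-style feeds.
"""
from __future__ import annotations

# Constructed pip-style lockfile (name==version, one per line).
LOCKFILE = """\
# constructed sample lockfile
log4j-core==2.14.1
jackson-databind==2.13.4
commons-text==1.9
"""

# Constructed advisories with placeholder ids; version values are sample data.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "log4j-core",
     "ranges": [{"introduced": "2.0", "fixed": "2.15.0"}]},
    {"id": "EXAMPLE-0002", "package": "commons-text",
     "ranges": [{"introduced": "1.5", "fixed": "1.10.0"}]},
    {"id": "EXAMPLE-0003", "package": "jackson-databind",
     "ranges": [{"introduced": "0", "fixed": "2.12.0"}]},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted version into a comparable tuple; non-numeric parts count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version: str, rng: dict) -> bool:
    """True when version lies in [introduced, fixed); a missing 'fixed' means still open."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < parse_version(fixed)


def parse_lockfile(text: str) -> dict[str, str]:
    """Read name==version lines, skipping blanks and comments."""
    deps: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps


def find_affected(deps: dict[str, str], advisories: list[dict]) -> list[tuple[str, str, str]]:
    """Return sorted (package, version, advisory id) triples for affected dependencies."""
    hits = []
    for adv in advisories:
        version = deps.get(adv["package"])
        if version is None:
            continue  # dependency not present in this project
        if any(in_range(version, r) for r in adv["ranges"]):
            hits.append((adv["package"], version, adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for pkg, ver, adv_id in find_affected(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{pkg}=={ver} affected by {adv_id}")
```

Run as a script it reports the two affected pins; wired into CI, the same `find_affected` call over a freshly fetched feed is the kind of repeatable check that organizations lacked during the Log4j response.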
Highlighted in the report was the desirability of using the Supply-chain Levels for Software Artifacts or SLSA framework, a checklist of standards and controls to prevent tampering, improve integrity and secure packages and infrastructure in projects.
It’s noted that attacks such as SolarWinds and Codecov were fundamentally different from traditional software attacks that rely on code vulnerabilities or privilege escalation. Although there has been a heavy focus on software bills of materials, Google argues that SBOMs fail to provide any provenance information to detect build tampering, which was the root cause of the attacks.
The SLSA framework, if implemented correctly, can substantially reduce every organization’s attack surface. The report strongly encourages governments to provide incentive for its adoption.
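The distinction the report draws between an SBOM and build provenance comes down to what a consumer can actually verify. An SBOM lists what a package contains; a provenance attestation binds the artifact's digest to the builder that produced it and the source it was built from, so a build that was tampered with no longer matches its record. The following added example (not code from the report, from Google, or from the SLSA project) checks a provenance statement against an artifact and a consumer policy. The statement, the artifact bytes, the `example.invalid` builder and source URIs are all constructed, the field layout is an assumption loosely following the in-toto Statement / SLSA provenance v1 shape, and signature verification of the attestation (DSSE envelopes in real deployments) is deliberately out of scope.

```python
"""Check a SLSA-style provenance attestation against an artifact and a policy.

Added example, not from the report or the SLSA project. Artifact bytes,
URIs and the statement are constructed; the field layout is an assumption
loosely following in-toto Statement / SLSA provenance v1. The attestation's
signature is assumed to have been verified before this check runs.
"""
import copy
import hashlib

# Constructed release artifact and the provenance a trusted builder would emit for it.
ARTIFACT = b"#!/bin/sh\necho 'example release payload'\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "release.sh", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/ci-build/v1",  # placeholder
            "externalParameters": {
                "source": {"uri": "git+https://example.invalid/org/repo@refs/tags/v1.0"},
            },
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/ci"}},
    },
}

# Consumer policy (constructed): which builders and which source repo are trusted.
TRUSTED_BUILDERS = {"https://example.invalid/builders/ci"}
EXPECTED_SOURCE_PREFIX = "git+https://example.invalid/org/repo@"


def verify_provenance(artifact: bytes, statement: dict) -> list[str]:
    """Return policy violations for the artifact; an empty list means it passes."""
    problems = []

    # 1. The attestation must cover exactly this artifact's digest.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest not covered by provenance subject")

    # 2. It must be a provenance predicate, not some other attestation type.
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("unexpected predicate type")

    # 3. The build must have run on a builder the consumer trusts.
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        problems.append(f"untrusted builder: {builder!r}")

    # 4. The build must have come from the expected source repository.
    source = (pred.get("buildDefinition", {}).get("externalParameters", {})
              .get("source", {}).get("uri", ""))
    if not source.startswith(EXPECTED_SOURCE_PREFIX):
        problems.append(f"unexpected source: {source!r}")
    return problems


def with_builder(statement: dict, builder_id: str) -> dict:
    """Copy of the statement claiming a different builder (for illustrating a rejection)."""
    altered = copy.deepcopy(statement)
    altered["predicate"]["runDetails"]["builder"]["id"] = builder_id
    return altered


if __name__ == "__main__":
    # A modified artifact with the same components would leave an SBOM unchanged,
    # but its digest no longer matches the provenance subject.
    tampered = ARTIFACT.replace(b"example", b"altered")
    print("genuine :", verify_provenance(ARTIFACT, PROVENANCE) or "ok")
    print("tampered:", verify_provenance(tampered, PROVENANCE))
    print("rogue builder:", verify_provenance(
        ARTIFACT, with_builder(PROVENANCE, "https://example.invalid/builders/unknown")))
```

The digest check is the part no SBOM can supply: a component list stays identical whether or not the build output was altered, whereas the provenance subject pins the exact bytes the trusted builder produced.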
Finally, the report argues that there’s a need for a holistic approach across the ecosystem to strengthen defenses against software supply chain attacks. Although individuals and organizations flag discoveries and rally the community to respond, Google argues that this is an ad hoc system that isn’t sustainable in the long term.
Instead, the report argues, there’s a need for a common strategy across government, industry, academia and the open-source community to equip all stakeholders with the tools they need to immediately and effectively address software supply chain risk.
Suggestions include adopting best practices and standards for cyber hygiene, building a more resilient software ecosystem and investing in the future. “Our approach to supply chain security is rooted in a basic principle: We defend better together,” the report concludes.