CySec – Software Supply Chain Security

A new job application is sometimes like a foray into a new aspect of IT. This happens often if you are an IT worker keen on living on the cutting edge!

I recently researched Software Supply Chain Security (SSCS) for a new job application, and it was enlightening. In 2021 the US presidency under President Joe Biden released an executive order on cybersecurity. The background to this was a severe cyberattack in 2020 that used a sophisticated method to break into the SolarWinds customer base. It was termed a software supply chain attack: the hackers used the supply chain to insert malicious pieces of code into the SolarWinds Orion framework.

What does this mean?

This means that hackers broke into your vendor and inserted malicious code into your vendor’s product, which you then installed believing it came from a trusted source. Think of it as code coming from a source so trusted that you would assume it is secure. Imagine, for example, Microsoft shipping a software update that contains malicious code. It would be funny, wouldn’t it!

But this is exactly what happened. Hackers compromised SolarWinds and inserted bad code into its software. The tainted software spread to the SolarWinds customer base, and those customers were hacked in turn.

This happened a while ago, but as a result the executive order from the US presidency asked for measures to protect the ‘supply chain’ of software. So what is the software supply chain? It refers to the fact that whatever software you buy is composed not just of your vendor’s code but of ‘other’ code and ‘other’ software components that your vendor has used. Think of it as layers upon layers of different software components, used by your vendor, that end up being bought and installed by you.

So, what is one step toward securing the software supply chain? A Bill of Materials for that software. An interesting concept indeed: SBOMs, Software Bills of Materials, which your vendor provides to you. An SBOM tells you what all the components of the software you bought are. You can then use that detailed SBOM to check those components for any known security issues. This is just one step. There are now tools being sold to secure the software supply chain.
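To make the "check the SBOM for security issues" step concrete, here is an added example (not from the original post) that reads a small CycloneDX-style JSON SBOM and flags components that fall below a fixed version in an advisory list. The `bomFormat`/`components`/`name`/`version`/`purl` field names follow the CycloneDX JSON shape; the component names, versions and advisory IDs are constructed for illustration.

```python
import json

# Constructed, minimal CycloneDX-style SBOM (a real one carries many more fields).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.0",
     "purl": "pkg:maven/org.example/log-helper@2.14.0"},
    {"type": "library", "name": "json-parse", "version": "3.2.1",
     "purl": "pkg:npm/json-parse@3.2.1"},
    {"type": "library", "name": "tls-shim", "version": "1.0.9",
     "purl": "pkg:pypi/tls-shim@1.0.9"}
  ]
}
"""

# Constructed advisory feed: component name -> (first fixed version, advisory id).
# Any version below the fixed version is treated as affected.
ADVISORIES = {
    "log-helper": ("2.15.0", "ADV-EXAMPLE-0001"),
    "tls-shim": ("1.1.0", "ADV-EXAMPLE-0002"),
}


def parse_version(v):
    """Split a dotted numeric version into an int tuple so 1.0.9 < 1.1.0 compares correctly."""
    return tuple(int(p) for p in v.split("."))


def components(sbom):
    """Yield (name, version) for every component listed in a CycloneDX-style SBOM dict."""
    for c in sbom.get("components", []):
        yield c["name"], c["version"]


def check_sbom(sbom_text, advisories):
    """Return a list of (advisory_id, name, version, fixed_version) for affected components."""
    findings = []
    for name, version in components(json.loads(sbom_text)):
        if name in advisories:
            fixed, adv_id = advisories[name]
            if parse_version(version) < parse_version(fixed):
                findings.append((adv_id, name, version, fixed))
    return findings


if __name__ == "__main__":
    for adv_id, name, version, fixed in check_sbom(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {name} {version} is below fixed version {fixed}")
```

Running it reports the two constructed components that sit below their fixed versions; `json-parse` has no advisory and is not reported.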

Reference Links:

https://fossa.com/blog/sbom-examples-explained/ <- This link gives an example of each SBOM format in JSON and describes the components of an SBOM

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ <- The presidential order
