Extended Software Supply Chain Risk Management


Supply chain issues dominated the headlines, from raw material and labor shortages to shipping delays and manufacturing issues. But there is another type of supply chain that is also increasingly under threat: the cloud supply chain.

Cloud supply chain risks have little to do with logistics in the literal sense of the word. Rather, they stem from vulnerabilities in cloud services and processes. In the last 18 months, 79% of companies experienced at least one cloud data breach and 43% reported 10 or more breaches during that time. And any business, in any industry, is vulnerable.

Although recent breaches have raised awareness, cloud supply chain attacks are not going away. In fact, because cloud adoption has accelerated due to the COVID-19 pandemic, threats may increase. So what’s at the root? Risks to the cloud supply chain primarily stem from ecosystem complexity, siloed operations, and a lack of knowledge about software assets, all of which boil down to poor risk management.

But there is good news: gaining a better understanding of the supply chain as well as developing a standardized risk management protocol for the entire cloud software development lifecycle can reduce risks and challenges.

Understand threats and types of attacks

Recent supply chain studies have shown that at least 80% of a typical SaaS application is powered by multiple services and vendors, with each component representing a different level of risk. The complexity of this extensive operating environment makes it extremely difficult to manage, let alone to keep free of vulnerabilities and insecure configurations.

So what does it look like when your cloud supply chain is under attack? Some attacks compromise the source code. In last year’s PHP attack, an attacker compromised the self-hosted Git server and injected two malicious commits that went undetected by the code maintainers. Organizations using the language unknowingly downloaded the malicious code and ran it in their operating environments. Dependency attacks, on the other hand, occur when attackers target vulnerable dependencies and inject malware into them.

Build pipeline threats are perhaps the most damaging types of attacks, because the compromise happens where code is transformed into an executable format. During the SolarWinds attack, for example, a cybercriminal compromised the build process to insert the malicious Sunspot code into update packages. SolarWinds did not detect the malware until much later. While the nature of these attacks may differ, one overarching strategy can prevent them: a better understanding of what’s under the hood of your cloud.

Three phases of protection: assessment, standardization and partnership

Organizations can reduce their cloud supply chain risk by developing a deep understanding of each element of their cloud ecosystem. Yet today, just one in five organizations assesses their cloud supply chain in real time. The same number perform weekly assessments and about 58% assess their posture once a month or less frequently. This leaves the door open for bad actors.

To protect themselves, it’s essential for organizations of all sizes to create a software bill of materials (SBOM), an inventory of all the components in the technology stack. By doing so, enterprises can better understand the complexities of their environment and significantly reduce their vulnerability to cloud supply chain attacks.
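The SBOM inventory described above is only useful if it is compared against something. As an added example (not code from the article or from Akamai), the following reads a constructed CycloneDX-style SBOM, builds a component inventory, and diffs it against a constructed baseline of previously reviewed components, flagging unreviewed, version-drifted and missing entries. The SBOM contents, the baseline and the package versions are all invented for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX-style SBOM for an example service.
# Components and versions are invented for illustration only.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "urllib3", "version": "1.26.5",
     "purl": "pkg:pypi/urllib3@1.26.5"},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0"}
  ]
}
"""

# Constructed baseline: components already reviewed and approved
# (purl without version -> approved version).
APPROVED_BASELINE: Dict[str, str] = {
    "pkg:pypi/requests": "2.31.0",
    "pkg:pypi/urllib3": "1.26.18",
}


def inventory(sbom_text: str) -> Dict[str, str]:
    """Return {purl-without-version: version} for every SBOM component."""
    doc = json.loads(sbom_text)
    inv: Dict[str, str] = {}
    for comp in doc.get("components", []):
        # Fall back to a synthetic identifier if a component has no purl.
        purl = comp.get("purl") or f"pkg:unknown/{comp['name']}"
        base = purl.split("@", 1)[0]
        inv[base] = comp.get("version", "")
    return inv


def diff_against_baseline(inv: Dict[str, str],
                          baseline: Dict[str, str]) -> Dict[str, List]:
    """Classify components as unreviewed (absent from baseline), drifted
    (version differs from the approved one) or missing (approved but gone)."""
    result: Dict[str, List] = {"unreviewed": [], "drifted": [], "missing": []}
    for base, ver in sorted(inv.items()):
        if base not in baseline:
            result["unreviewed"].append(base)
        elif baseline[base] != ver:
            result["drifted"].append((base, baseline[base], ver))
    result["missing"] = [b for b in sorted(baseline) if b not in inv]
    return result
```

Run on a real SBOM, every "unreviewed" or "drifted" entry is a component that entered the stack without passing the organisation's review, which is exactly the blind spot the assessment step is meant to close.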

Once the assessment is complete and users are confident in the security of their cloud supply chains, the next step is to develop a strategy that maintains that level of security. The US National Institute of Standards and Technology (NIST) cloud provider verification framework can serve as a starting point, but companies should adapt the steps outlined by NIST to their development workflows and processes.

The right partner can also play a key role in risk management, especially for small businesses. While mega-cloud providers offer a solid foundation for developers to build secure products, alternative cloud providers can offer something more: a concierge-style partnership that ensures businesses aren’t alone when it comes to security.

For example, Akamai partners with the HackerOne bug bounty program, through which thousands of ethical hackers perform penetration testing on its operating environment and products. In addition, Akamai offers security controls and protects against supply chain risks by analyzing its own technology stack.

Create a culture of security

As an industry, we are currently in reaction mode. Attacks are on the rise and companies are not taking enough proactive measures to prevent disasters. But as reliance on the cloud continues to grow, no business, large or small, can afford to take that gamble.

Security starts with understanding the stack, assessing the risks associated with each element, and committing to following established best practices. The software supply chain spans several departments: purchasing, IT, software engineering, development, release, change management, and operations. It’s really everyone’s job to get it right.

About the Author

As Senior Director of Information Security, Joseph Zhou leads the cybersecurity program, architecture, and operations of Akamai’s cloud computing operations. Zhou leads a team of security professionals covering enterprise security architecture, network security, business continuity, security awareness training, and more. He brings a wealth of industry experience to this role and has previously held CISO roles at Evive and Transworld Systems.

