Introducing the First Virtual Conference for Product Security - Left to Our Own Devices: The Conference.
Introducing the First Virtual Conference for Product Security - Left to Our Own Devices: The Conference.

EO 14208: 6 Steps to Improve Supply Chain Security

EO 14208: 6 Steps to Improve Supply Chain Security

Biden’s presidential cybersecurity Executive Order (EO 14028) provides valuable guidelines for the federal government and its suppliers to reduce cybersecurity risk and improve the overall national security posture. Focusing on the modernization of strong security standards and their implementation, the EO was issued following a number of data breaches that had severe global consequences. These included the SolarWinds attack and the Kaseya VSA ransomware attack.

The danger of such attacks goes beyond the direct impact on the attacked company. Rather, the attacked companies are part of the supply chain of many other organizations. Thus, the customers of the attacked companies are at risk as well. In the case of SolarWinds, for example, this meant Fortune 500 companies, US telecommunication companies, the US Military and the Pentagon.

As a result, the expectation is that these EO guidelines will have a positive impact on global supply chain security. By impacting the federal government’s suppliers, the EO will also secure all the other customers of these suppliers, and will create requirements for the supplier’s suppliers. This domino effect is expected to turn these EO guidelines into a global standard across the private and public sector.

The following post will review the top six security best practices for security professionals looking to efficiently secure their supply chain and SBOM (Software Bill of Materials). But first, let’s understand what supply chain attacks are.

What are Supply Chain Attacks?

A supply chain attack is a cybersecurity attack on the organization through a third-party or external partner that is part of their supply chain. The software and product supply chain includes commercial software packages, open source software, systems, programs, IoT components, and more. These third party components pose a risk to the value chain, because vulnerabilities they have might enable attackers to access the products and devices that use them. They may also help the attackers to gain access to other organizational resources.
For example, in early 2020, hackers, using malware, attacked the Solarwinds’ Orion platform. The attack affected and breached Solarwinds’ customers like the federal government and many Fortune 500 companies. The impact of the attack went beyond the direct attack on Solarwinds. All companies that used Solarwinds as part of their supply chain became vulnerable as well.

Why are Supply Chains Risky?

Organizations today rely heavily on third-parties, vendors and partners to help them design, develop, and distribute their products. Software supply chain attacks exploit the trust between companies and their suppliers to gain access to victims’ devices and systems.

These types of attack may provide access to sensitive data and functionality without their victim’s knowledge, making them particularly disruptive and destructive. Hackers can bypass “perimeter security” in supply chain attacks since a trusted source allows them to access vulnerable software assets directly.

When products and systems are compromised, they often cannot identify the breach until significant damage, such as data loss, financial loss, or disabling of devices, has already happened.

Amnesia:33 is an example of supply chain vulnerabilities that could lead to a supply chain attack. It is a list of 33 security flaws in four open-source TCP/IP stacks used as third-party software components in many commercial products, from smartphones, scanners and game consoles to sensors, printers and routers all the way to medical and industrial equipment. These vulnerabilities could put at risk the entire device and ultimately also users, if not mitigated.

Supply chain attacks could be the weakest link in an organization’s security posture.

How Can Organizations Ensure Supply Chain Security?

To mitigate the supply chain risk and ensure software supply chain security, organizations must validate the security of both their own and their vendors’ code, a practice known as Cyber Supply Chain Risk Management (C-SCRM). In other words, organizations should not trust the security policies of any third-party in the supply chain. Instead, they should validate software security at all times. Otherwise, they risk breaches that could result in disastrous financial, PR and legal implications.

To help organizations ensure software security, various regulatory requirements define the standards necessary for a secure product. For example, WP.29 defines the cybersecurity requirements for autonomous and connected vehicles, IEC-62443 standardizes cybersecurity for industrial systems while the FDA has the Premarket Submissions for Management of Cybersecurity in Medical Devices. In addition, commercial products and tools can help organizations analyze, prioritize and contain CVEs and zero-day threats from third parties as part of their overall risk posture.

6 Best Practices to Ensure Supply Chain Security

The presidential Cybersecurity Executive Order prioritizes the need to improve software supply chain security. This will be done through:

– Establishing security standards for software
– Creating greater software security visibility for developers and the public
– Developing a label to determine whether software has been securely developed
– Driving the market to build security from the ground up

Here are six guidelines and tips that can help you implement the EO recommendations and reduce the attack surface of your supply chain through C-SCRM:

1. Shift Left Security
Integrate security into your SDLC methodologies or as part of your CI/CD process early in the development process. This will help you identify and mitigate risks before they have a significant impact on your product or your development resources. By automating security analysis and management, risk mitigation becomes more efficient and the product becomes more secure.

2. Independently Validate Your SBOM
Don’t trust your vendors blindly. Instead, validate your SBOM independently. The SBOM (Software Bill or Materials) is a list of all the product’s components, versions and licenses, to enable tracking and product monitoring.
First, review all your applications, licenses and versions in your SBOM. Make sure your SBOM is constantly updated and easy to understand. If you need to create an SBOM, we recommend either OWASP’s CycloneDX standard, or open source SPDX.

Then, run a binary analysis on all the items on the list. Binary analysis looks at the actual code used in your software to identify and detect security risks. This process is more secure than source code analysis, because it analyzes your functioning software or product.

3. Don’t Neglect Open Source Software (OSS) Analysis
Development today relies on open source to improve time-to-market. Otherwise, companies wouldn’t keep up with technological demands. It is, therefore, important to integrate open source code analysis in your ongoing security validations. A Binary Software Composition Analysis (SCA) will detect vulnerabilities in open source code, so they can be mitigated before they affect your product.

4. Manage Vulnerabilities
After identifying vulnerabilities in your continuous, binary analysis, prioritize the risks and set out to resolve them. Work with your development team and suppliers to fix the issues quickly.

Pressure from a customer or the need to meet a business KPI, may compel you to let the engineering team deploy code before they have mitigated the risk. It is best to prioritize risks and manage resources efficiently, to ensure that security issues do not negatively impact your business.

5. Trend Analysis
Monitor your supply chain vulnerabilities over time so you can gauge overall improvement or identify recurring problems. Questions you can ask yourself include:
– Is there a vendor or open source library that constantly makes your product vulnerable?
– Is there a certain recurring security issue that keeps requiring engineering time to fix?
– Which vendors impact your ability to scale development?
– Are there any regulatory requirements you’ve been able to answer more easily over time?

By tracking changes over time, you can mitigate the root cause of vulnerabilities.

6. Maintain a Repository of Approved Components
One way to help your developers implement and use secure software, is to create a repository of approved components and their versions. By knowing which libraries, code snippets and systems have already been validated, engineering teams can develop and release faster. It’s still important to continuously analyze code before deployment, as new vulnerabilities can emerge. However, this repository comprises a more secure database to choose from, helping to increase velocity and reduce risk.

Next Steps

The growing sophistication and number of cybersecurity attacks means that organizations must be more alert than ever to potential vulnerabilities. Biden’s cybersecurity EO has created an opportunity for companies to prioritize securing their supply chain and increasing their security posture. This could save them millions of dollars in overhead needed to deal with a cybersecurity attack and its implications.

To get started with supply chain security, start by analyzing your SBOM. To get a free consultation and see how Cybellum can help you, request a demo.