Software security has become one of the more widely discussed and debated topics in the security industry in the last few years, as many software vendors and enterprises both large and small have begun to focus considerable attention on improving the processes they have in place for producing software. But far less light has been shone on the security of the software supply chain, an increasingly thorny problem in today’s environment.
As more and more software makers and enterprises have turned to third parties, both domestic and foreign, to help produce products more efficiently and cheaply, a slew of new security considerations have arisen. A new report, “Software Integrity Controls: An Assurance-Based Approach to Minimize Risk in the Software Supply Chain,” released today by SAFECode, an independent consortium of ISVs, looked at the threat landscape related to the software supply chain and found that it is generally not well-understood.
“We felt there was a need to look more closely at the software supply chain, because people think about software security as development practices. But when you start to understand how software is put together, the relationship between vendors and suppliers becomes more complicated,” said Paul Kurtz, executive director of SAFECode. “We wanted to unpack that issue and better understand what people are doing in terms of best practices.
“The way the bad guys are coming through the door right now is through the front door, it’s not the social engineering stuff. The supply chain right now isn’t necessarily that big of a threat, but there are a lot of government agencies and large enterprises that are concerned about this issue. How do you know if you’re turning to a subcontractor that someone isn’t trying to subvert the supply chain?” Kurtz said.
There have been plenty of examples recently of attacks coming in through the supply chain that have targeted a wide range of devices. Earlier this year thousands of memory cards distributed with some Vodafone mobile handsets were found to have the Mariposa botnet client on them, and in early June a batch of microSD cards in Samsung handsets was infected with malware. Experts say these attacks, which Veracode CTO Chris Wysopal once dubbed “certified pre-owned” attacks, can be accomplished in any number of ways and with minimal effort or risk of discovery.
One attack vector that has been seen in recent years is for an attacker to pay a low-wage worker in a manufacturing facility a per-piece bounty for each device that is infected during the manufacturing process. This often is done by a worker using a PC that’s infected with a given piece of malware to load the firmware onto the device. If this is done far enough down the supply chain, it can be quite difficult to detect and stop.
The SAFECode study looked at the practices and processes put in place by a variety of organizations, including Microsoft, Adobe and others, and found that there isn’t necessarily a widely accepted set of common practices for securing the software supply chain. Organizations generally understand that there’s a need for testing, integrity checks, vetting of suppliers and other safeguards, but how and when to implement those methods is one of the major open questions.
“This is clearly an evolving art and science. Many firms are cutting the way, but no one has this locked up,” Kurtz said. “No one has it thought through in terms of how you see the potential risk. But there are sizable companies with sizable risk looking at the problem. It’s unfolding in much the same way that the software security problem unfolded. R&D on software testing requires more work.”