Securing the software supply chain has become akin to eating better, exercising regularly and getting more rest. Everyone knows that it’s the right thing to do, but the execution often leaves much to be desired.
A number of industry leaders have stepped forward in recent weeks to add a note of urgency to the software supply chain issue. These include leaders in the private sector, academe, tech foundations and government. Their comments, as captured in a review of news sources and first-hand conversations with SiliconANGLE Media, echo a common theme: It’s time to take this threat seriously and do something about it.
“You really think about what is my weak link, what is my vulnerability?” Manoj Nair, general manager of Metallic, a Commvault venture, said during an interview with SiliconANGLE. “That vulnerability is now your software supply chain.”
The warning signs are hard to miss. The SolarWinds attack, which planted malicious code in software used by private and public sector organizations around the world, demonstrated the problems that can ensue when the supply chain is breached. More recently, the Apache Log4j vulnerability reported late last year exposed exploitable holes in the Java logging library, and a significant number of applications and servers still lack security patches.
The difficulty in securing the software pipeline can be seen in recent survey results from one industry. The cybersecurity firm Trellix Inc. reported in April that 74% of U.S. healthcare respondents had not fully implemented software supply chain risk management policies. A number of industry leaders have stepped forward in recent weeks to add a note of urgency to the issue.
“It’s time to take these threats seriously,” Richard Tracy, a 35-year cybersecurity veteran and chief security officer for Telos Corp., wrote in a commentary on protecting the software supply chain. “We know what we need to do and how to do it. It’s high time we got started.”
Government moves toward SBOM
There is no shortage of ideas for dealing with software supply chain security. Thought leaders across public and private sectors have been crafting proposals that provide a useful framework for protection.
One of the key tools is the software bill of materials, or SBOM, and one of the biggest proponents of the SBOM in the federal government is Allan Friedman, a senior advisor and strategist for the Cybersecurity and Infrastructure Security Agency. The SBOM provides a record containing the various components used in software creation.
One year ago, the White House released an executive order that called for wider use of SBOMs. The Office of Management and Budget underscored the Executive Order in March when it pressed federal agencies to adopt a Secure Software Development framework, including SBOMs.
Friedman, who joined CISA last year after helping define the SBOM during his tenure at the U.S. Commerce Department, has been outspoken about the need for government agencies to quickly implement software supply chain security practices.
“It’s critical for the federal government to move toward frequent utilization of an SBOM to keep track of these components,” Friedman said during an appearance in a virtual event in April. “Without transparency, it will be very hard to solve any security problems.”
CISA is not the only federal agency seeking to implement SBOMs. The Food and Drug Administration has supported the Department of Commerce’s software bill of materials initiative since 2018, spearheaded by Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation for the FDA’s Center for Devices and Radiological Health.
In early April, the FDA released draft cybersecurity guidance with a total product lifecycle approach for medical device manufacturers. Schwartz stated her belief that it was critical for device companies to provide a shared inventory of third-party components and has made it clear that the latest guidance will force medical equipment suppliers to address software supply chain security.
“Where we have teeth here actually is manufacturers’ recognize that [following this guidance] is likely to be their best way to get a product on to the market,” Schwartz said in a recent interview. “Not following the guidance is going to create greater complexities probably or potential hardships as far as addressing questions that will come up. That means potentially delays.”
Machine learning threats
Recent breaches and an increased pace of threat activity at the federal government level have brought scrutiny on the supply chain issue, which security experts in the academic world have been warning about for some time. At the Platform Security Summit in 2019, Mark Sherman, technical director of the Cyber Security Foundations group in the CERT Division at the Carnegie Mellon University Software Engineering Institute, delivered a lengthy presentation on growing risks in the software supply chain.
Sherman noted concerns around exposure inherent in open-source software and endorsed initiatives to add SBOMs and other critical tools to the process. Last year, the Carnegie Mellon academic warned that the machine learning supply chain could be compromised with bad training data. His concerns specifically involve growing advances in technology for deep fake videos and the ability of malicious actors to co-opt applications and training sets for nefarious purposes.
“There is not a lot of harm yet, but you can envision how this tech might be used for other kinds of attacks as the technology matures,” Sherman said during a presentation at the Ai4 Cybersecurity 2021 Summit.
In addition to Sherman’s research, representatives from several educational institutions have developed an intriguing supply chain tracking solution under the auspices of the Cloud Native Computing Foundation. In March, the CNCF announced that it would accept the in-toto project as an incubating initiative. In-toto, derived from the Latin phrase meaning “entire or whole,” is a framework for cryptographically ensuring the integrity of the software supply chain.
Among the group of academics behind in-toto are Justin Cappos, a professor in the Computer Science and Engineering Department at New York University, and Santiago Torres-Arias, assistant professor of electrical and computer engineering at Purdue University. Cappos, who was named by Popular Science as one of the “Brilliant Ten” scientists under 40, believes that in-toto would have greatly minimized the damage ultimately caused by the SolarWinds supply chain breach.
“We would have made it much harder for the [SolarWinds] attackers and most likely would have stopped the attack,” Cappos said in a 2021 interview. “In-toto definitely can protect against this. It’s very possible to catch it.”
In-toto is a concerted effort to get at the root of supply chain security to create a better understanding of the origin for any piece of software. This approach has already been implemented for the U.S. produce market. The FDA uses DNA-fingerprinting to track farm-sourced romaine for E. coli outbreaks. Why can’t this be done for software as well?
“Securing the software supply chain is an interesting challenge, mostly because we still don’t fully understand how things are made,” Torres-Arias said during a Kubernetes podcast from Google. “The fundamental limitation with the way we make software is we don’t have efficient ways to communicate the trust information or make trust assumptions about the things we consume. Everything is in the realm of the ethereal.”
The journey from ethereal to tangible will require new tools and techniques to provide greater safety and security for enterprise software. Two additional solutions in this area involve verified reproducible builds and an Open-Source Program Office, or OSPO.
David Wheeler, director of open-source supply chain security at the Linux Foundation, has been an advocate for verified reproducible builds. SolarWinds’ Orion proprietary software became a threat when its build system became subverted. The goal of verified builds is to counter that kind of attack.
“The idea here is that if you can rebuild from the same source code, and the same tools, and so on and produce exactly the same resulting executable package with multiple different independent efforts, it’s much less likely that all those build processes were subverted,” Wheeler said in a presentation at InfoQ Live in February. “There’s been a lot of progress towards making this a reality.”
The OSPO is designed to oversee how a business creates or contributes to free software. By organizing a bureau of open-source experts within an organization, the group can establish visibility and manage the use of open-source tools while limiting security exposure as a result.
In the most recent development, Red Hat Inc. previewed a software supply chain security pattern to build and validate software configurations in complete stacks as code. The announcement was made during the company’s Summit event in mid-May and will be managed by Kubernetes through OpenShift Pipelines and GitOps. Red Hat also announced a content signing technology feature as part of updates to the Ansible Automation Platform.
“Automation is key because everything is moving at a rapid pace,” Kirsten Newcomer, director of cloud and DevOps strategy at Red Hat, said during a media briefing at the Red Hat Summit. “You need to think about how you can automate the supply chain.”
Could another significant breach of the software supply chain happen again? Thought leaders in the cybersecurity field make it clear that the danger is ever-present. Future damage from supply chain hacks will depend on how each organization seeks to understand what software tools are being used and where they came from. That will take an evaluation process and, ultimately, the adoption of many of the protection tools under consideration today.
“Software is under attack via vulnerabilities in the software as it’s deployed and also in the supply chain — that chain from the developer’s fingers and head, somewhere all the way through to where it’s deployed,” Wheeler said in his February presentation. “If you care about security, then you evaluate the software to decide if it meets your requirements.”