tbtech magazine August Edition
In the broad sense, a supply chain is anything and everything that is needed to create and deliver a product to the end user. A software supply chain is no different; the only nuance is that it refers to code and applications, and everything involved in their development and delivery.
Just as an automobile manufacturer can have a broad network of suppliers and parts, a software vendor can depend on a complex variety of code, tools, and resources to produce their product.
The key concern here is that a defect or weakness anywhere in a supply chain can impact any entity further down the supply chain (often referred to as “downstream”).
Laying the foundation: software supply chain security.
This has always been a supply chain concern though, so why is it so top of mind today in the software industry?
As the digital transformation has us depending on technology more than ever to run our businesses and daily lives, the race for technology companies to get their products to market is very competitive. As a result, these companies focus more on the innovation of what makes their products unique, and less on “reinventing the wheel.” In other words, software has shifted from being built, to being assembled – each piece coming from different entities that specialize in making that piece. For example, an eCommerce company won’t waste time building a database; an online banking institution won’t waste time building user interface tools; an IoT company won’t waste time building a custom operating system. Instead, they’ll all turn to third parties, open source projects, and contractors to provide these pieces.
In fact, Synopsys’ latest Open Source Security & Risk Analysis (OSSRA) report found that an average of 97% of all software written contains at least some open source code. Of the 17 industries represented in the report, Computer Hardware and Semiconductors, Cybersecurity, Energy and Clean Tech, and Internet of Things (IoT) contained open source in 100% of their codebases. The remaining verticals had open source in 93% to 99% of their codebases. Even the sectors with the lowest percentage (Healthcare, Health Tech, Life Sciences) had 93%, which is still very high. It’s clear that open source really is everywhere.
But what happens when an open source component contains a vulnerability? Or when the maintainer’s account is hacked and malicious code is inserted? It means the IoT company is shipping an operating system with a critical vulnerability, exposing the end user’s smart thermostat or WiFi camera to potential compromise. The issue began within the open source component. It was incorporated by the IoT company into their product, which was sold to the end user, who ended up being attacked. This is the very essence of a software supply chain concern. According to the 2022 OSSRA findings, 100% of codebases in the IoT sector contained open source, and an astounding 92% of the audited code in this sector was open source. Troublingly, 64% of the IoT codebases also contained vulnerabilities.
Similarly, the Aerospace, Aviation, Automotive, Transportation, and Logistics sectors had open source in 97% of their codebases, and 60% of the total code was composed of open source. Sixty percent of these sectors’ codebases had open source vulnerabilities.
Here are two real-life examples of software supply chain concerns:
1. SolarWinds. Perhaps one of the most notable software supply chain attacks, if not the most notable. An internal password was leaked online and used by attackers to gain access to SolarWinds’ build systems. This is where the supply chain attack began. Attackers inserted malicious code into the upcoming