Software supply chain threats: The software supply chain is heavily reliant on code developed by third-party developers, something only likely to increase with the advent of AI.

Brian Fox, co-founder and CTO of open-source software security vendor Sonatype, says that “enormously complex” software supply chains pose a growing threat.

“Too many organizations have no idea what open-source packages, transitive dependencies, AI models, or community-maintained libraries they rely on, let alone who maintains them or whether they’re secure,” Fox tells CSO. “There’s a persistent and growing trend in software supply chain attacks targeting developers and CI/CD environments.”

Attackers are planting malicious code on public repositories such as npm and PyPI, often disguised as useful packages, as a means to compromise systems, steal data, or provide backdoor access during development or deployment.

“Attackers are refining data exfiltration-focused malware to harvest secrets and credentials, enabling downstream attacks like supply chain breaches or cloud account takeovers,” Fox warns.

Lack of visibility is compounding a growing problem, according to Nick Jones, head of research at cybersecurity consulting firm Reversec.

“Attackers compromise open-source projects supported by underpaid and under-resourced individuals, or startups where security isn’t a priority, in order to insert malicious code into packages used downstream by much higher value targets,” Jones says.
Lessons not taken from the SolarWinds breach: Software supply chain weaknesses were exploited in the high-profile 2020 SolarWinds hack, but five years later the same issue plagues the industry. Once a software development pipeline itself is compromised, every customer downstream inherits that risk.

The best defense is to get a clear picture of your entire software supply chain, its assets, tools, pathways, and controls, and then work to ensure the proper guardrails are in place, according to Joe Nicastro, field CTO at application security firm Legit Security.

“We still see build pipelines misconfigured, third-party code and packages flowing in without checks, and SBOMs treated as one-off documents instead of living inventories,” Nicastro tells CSO.

Software bills of materials (SBOMs) allow an organization to understand what it’s really running under the hood, down to the individual libraries and packages.

“[SBOMs are] being pushed by numerous industry organizations, including CISA, and are a requirement under the EU Cybersecurity Resilience Act (CRA), but every software vendor has to produce their own SBOMs for their products, and so industrywide has been slow so far,” Reversec’s Jones says.
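As an added illustration of the “living inventory” point above (example code, not from the article or any vendor it quotes), the following diffs two CycloneDX JSON SBOM snapshots, assumed here to come from successive builds of the same application, and tags each newly introduced package as a direct or transitive dependency using the SBOM’s own dependency graph. The two sample SBOMs are constructed for the example.

```python
"""Diff two CycloneDX SBOM snapshots so the inventory stays a living record.
Hypothetical helper, not from the article or any vendor it quotes."""

def _by_name(sbom):
    """Map (group, name) -> component for every component in the SBOM."""
    return {(c.get("group", ""), c["name"]): c for c in sbom.get("components", [])}

def _direct_refs(sbom):
    """bom-refs that the application's own component depends on directly."""
    root = sbom["metadata"]["component"]["bom-ref"]
    for dep in sbom.get("dependencies", []):
        if dep["ref"] == root:
            return set(dep.get("dependsOn", []))
    return set()

def diff_sboms(old, new):
    """Return packages added, removed or re-versioned between two snapshots.
    Added packages are tagged 'direct' or 'transitive' from the dependency graph,
    so a transitive package nobody consciously chose stands out for review."""
    old_c, new_c = _by_name(old), _by_name(new)
    direct = _direct_refs(new)
    added = sorted((new_c[k]["purl"], "direct" if new_c[k]["bom-ref"] in direct else "transitive")
                   for k in new_c.keys() - old_c.keys())
    removed = sorted(old_c[k]["purl"] for k in old_c.keys() - new_c.keys())
    changed = sorted((k[1], old_c[k]["version"], new_c[k]["version"])
                     for k in old_c.keys() & new_c.keys()
                     if old_c[k]["version"] != new_c[k]["version"])
    return {"added": added, "removed": removed, "changed": changed}

def _npm(name, version):
    """Minimal CycloneDX component entry for an npm package (constructed data)."""
    purl = f"pkg:npm/{name}@{version}"
    return {"bom-ref": purl, "type": "library", "name": name, "version": version, "purl": purl}

def _sbom(components, dependencies):
    """Wrap constructed components and a dependency graph in a CycloneDX 1.5 document."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"bom-ref": "app", "name": "app", "type": "application"}},
            "components": components, "dependencies": dependencies}

# Constructed snapshots: last week's build (OLD) versus today's build (NEW).
OLD_SBOM = _sbom(
    [_npm("express", "4.18.2"), _npm("body-parser", "1.20.2"), _npm("moment", "2.29.4")],
    [{"ref": "app", "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/moment@2.29.4"]},
     {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/body-parser@1.20.2"]}])
NEW_SBOM = _sbom(
    [_npm("express", "4.19.2"), _npm("body-parser", "1.20.2"), _npm("left-pad", "1.3.0"), _npm("qs", "6.11.0")],
    [{"ref": "app", "dependsOn": ["pkg:npm/express@4.19.2", "pkg:npm/left-pad@1.3.0"]},
     {"ref": "pkg:npm/express@4.19.2", "dependsOn": ["pkg:npm/body-parser@1.20.2", "pkg:npm/qs@6.11.0"]}])
```

Running `diff_sboms(OLD_SBOM, NEW_SBOM)` reports `qs` as a transitive addition pulled in by the `express` upgrade, the kind of change a one-off SBOM never surfaces.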
Lack of visibility: Few organizations have comprehensive visibility into their entire supply chain, much less the ability to monitor the cyber hygiene of every supplier and their downstream partners.

SecurityScorecard found that only 21% of those surveyed were able to say at least half of their extended supply chain was covered by cybersecurity programs. Only a quarter (26%) of organizations incorporate incident response into their supply chain cybersecurity programs.

“Breaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action,” says Ryan Sherstobitoff, field chief threat intelligence officer at SecurityScorecard.
Countermeasures: “Vendor diligence must go beyond questionnaires,” says Scott Weinberg, founder and CEO of managed IT services provider Neovera. “Business associate agreements need more diligence. CISOs should require evidence of controls (MFA, logging, EDR), audit rights, and proof of breach notification timelines.”

Legit Security’s Nicastro adds: “To address this issue, organizations must impose clear cybersecurity maturity expectations on all partners, including mandating penetration tests, annual assessments, phishing simulations, tabletops, and resilience exercises.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4051668/71-of-cisos-hit-with-third-party-security-incident-this-year.html