New security solutions and ideas are needed to overcome the unique security challenges of software supply chains, according to a panel of vendors speaking on day three of the RSA 2023 Conference.
Omer Yaron, head of research, Enso Security, said that supply chain attacks are still a relatively new area, and “wasn’t around in incident response a few years back.”
Responding to software supply chain incidents is very different to other types of cyber-attacks. Firstly, as these attacks tend to impact many organizations at the same time, it is much harder to get outside help quickly to mitigate these incidents.
In addition, there is variation between the types of supply chain attacks, with exploitation of a vulnerability like Log4j requiring different approaches compared to dealing with a malicious package, for example.
The growing use of open-source code is a particular security concern, said Idan Wiener, CEO and co-founder at illustria, stating “it was never a safe place.”
He added: “We need to think again when we use open source.”
Karine Ben-Simhon, VP customer advocacy ARC at Trellix, concurred, arguing that “as a community we’re not doing enough about it.”
Read more: Computer Science Courses Must Teach Cybersecurity to Meet US Government Goals
Emerging Mitigations
Ben-Simhon urged the cyber community to raise awareness of software security issues among developers and pointed to a researchers forum in Israel that aims to do just that.
She explained that despite the researchers all coming from competitor companies within the industry they do share insights on vulnerabilities and threats. This has led to the creation of a GitHub tool that “allows developers to check whether a package is malicious or not.”
Yaron also urged more internal collaboration between security teams and developers – in particular, for security workers to challenge R&D departments about what they are doing. “Understand the questions you need to ask R&D,” he advised.
Additionally, the panel discussed whether AI tools, including ChatGPT, can help mitigate software supply chain risks. Wiener acknowledged that ChatGPT is capable of classifying malicious code; however, when his team manipulated code to make it behave differently and trick the AI chatbot, it failed to recognize malicious packages. ChatGPT and AI in general is “not there yet.”
Yaron agreed but pointed out that AI tools are still able to help security teams in this area by “creating a lot of processes we now do faster.”
Growing Regulation
There is increasing involvement by the US government in software supply chain security, which is starting to have an impact, according to Nir Peleg, VP BizDev at Scribe Security, a company that is working with the Department of Homeland Security (DHS) in this area.
He noted that President Biden’s Executive Order 14028, published in May 2021, requires federal government software suppliers to produce a Software Bill of Materials (SBOM) – something that is now being enforced.
These rules have since been set out in NIST’s software supply chain security guidance for the wider economy, and “organizations are starting to align to this,” said Peleg.
Additionally, he observed that the US’ National Cyber Strategy is shifting responsibility for software security to developers and producers as part of its security by design goals.
While this is a positive step, Ben-Simhon noted that most of the regulations in this area are focused on who develops it, but very little aimed at consumers – something she’d like to see change.