Table of content
A software supply chain is a logistical pathway that covers anything required to build a software artifact. It is the assembly line encompassing everything from source code writing at the development stage, CI/CD pipelines, and production deployment. This includes software components such as code, binaries, and where they come from, like repositories and package managers. The new threats affecting the software development lifecycle can target any of these attack surfaces and have an impact on many downstream operators at once.
This is why it is really important to make sure that we put all our effort into securing each link of the chain because a single failure can have a very large impact radius. A textbook case is the SolarWinds attack: this is one of the worst-case scenarios, as the hacked system was utilized with tens of thousands of high-profile clients, including the military and other government departments, with high-privilege access on the networks it was installed on.
The software supply chain is similar to other activities or industries. Some resources are consumed, then transformed, through a series of steps and processes, and finally supplied as a product or service to a customer. In software, the raw materials are common libraries, code, hardware, and tools that transform code into a final deliverable. This deliverable can be deployed as either a user-facing application, a service, or another package artifact that is included as a dependency, part of a different product. In order to produce the final “web application” for a customer, we need to transform (compile) a source code and consume information from third-party services. The source code itself depends on external libraries, which are produced from another code, etc.
The main concern when a provider falls victim to a software supply chain is the downstream propagation of the compromised code or components. The more links in the chain, the larger the attack surface and the easier for an exploited vulnerability to go unnoticed. When performed successfully, an attack of this kind can affect all the provider’s final customers at once, with potentially devastating consequences in terms of reputation and liabilities. Security must be taking into account these new kinds of attacks targeting build and deployment systems. In particular, it has to make sure third parties (including software, hardware, services, etc.) cannot be used as a gateway to sensitive systems by attackers.
Like traditional security, it is almost impossible to secure everything, especially as new kinds of software supply chain attacks are being discovered continuously. With Infrastructure as Code (IaC), threats in the software supply chain now potentially target not just software and applications, but the underlying infrastructure too. Upon execution, a supply chain attack can target you directly, or it can target any upstream element (like external dependencies or provided services), so you become a victim, either by directly suffering the attack or by becoming a supplier of compromised resources.
Below is an illustration of how software chain attacks happen and can paralyze the entire software chain:
You can make reference to this article on supply chain attack: 6 steps to protect your software supply chain which will explain how you can harden your supply chain and protect yourself against attacks.
Read also about Google's SLSA Framework to assess software artifacts provenance.