Watching your back

Keep an eye out for certain threats that are lurking behind unexpected corners.

Common, varied, and vicious

There are several types of supply chain attacks, according to Fortinet:

1. STOLEN CERTIFICATES

Hackers steal certificates used to guarantee the legitimacy or safety of an organization’s product and push malicious code under the pretext of that organization’s certificate.

2. COMPROMISED SOFTWARE DEVELOPMENT TOOLS OR INFRASTRUCTURE

Hackers introduce security weaknesses in the development process using tools for building software applications. This occurs before the process of creating an application even begins.

3. PREINSTALLED MALWARE ON DEVICES

Bad actors preinstall malware on phones, cameras, Universal Serial Bus (USB) drives, cameras, and other mobile devices. Malicious code gets introduced once the user connects the device to their system or network.

4. MALICIOUS CODE IN COMPONENTS’ FIRMWARE

Cybercriminals put malicious code in firmware, giving them a foothold into a system or network.

Whether it’s a malicious supplier, buggy software, or unauthorized modification in an application’s development or delivery, the threats to any level of your supply chain are disturbingly common. Even some of the largest organizations in the world have bad actors infiltrating partner organizations by posing as new hires. This method enables a malicious actor to gain access through their employer to the ultimate target: a downstream consumer partner.

Applications aren’t exempt

Crucially, applications can also be littered with vulnerabilities just waiting to be exploited. Software developers are first and foremost focused on code functionality. But they’re also up against strict deadlines. As such, there are many components of security in the supply chain software development that may be missing during the design and development phases.

To save time, many developers utilize open-source code and third-party libraries, pulling from these repositories into their applications. Ninety-seven percent of commercial code, in fact, contains open source, per Synopsys.

But that begs several questions: How do you know the code that someone else wrote is secure? How can you verify the code is maintained and updated? How many dependencies does that library have that you have no control over?

These uncertainties — and the fact that they often take a backseat during the development process — leave cyber criminals champing at the bit. Sonatype discovered a 700% surge in open-source attacks in the past three years.