IT leaders need to do more to protect themselves from future supply chain attacks like the SolarWinds compromise, according to the Linux Foundation.
In a new blog post, David Wheeler, the Foundation's director of open source supply chain security, walked through how the attack went undiscovered for months after suspected Russian state-sponsored actors compromised the SolarWinds Orion platform. Orion was used by nearly 18,000 customers, and the trojanized update gave the attackers a backdoor into thousands of IT environments.
According to Wheeler, conventional security advice failed to counter the attack.
For example, the advice to install only signed software did not help, because the malicious update was signed with SolarWinds' legitimate key. Keeping software up to date actually did more harm than good, because it was the update itself that carried the malicious code.
Monitoring software behavior did eventually detect the problem, but only after the attackers had had access to victims for about nine months.
Even reviewing the product's source code would not have been a reliable defense. The malicious code was written to look like ordinary code, and because the attackers controlled the build environment they could insert it at build time, so it need never have appeared in the source the developers saw.
In his post, Wheeler called on developers and the software industry to harden their build environments against attackers and to implement and require verified reproducible builds: builds that always produce bit-for-bit identical outputs from the same inputs, so that anyone can rebuild from source and check that the shipped artifact matches.
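To make the reproducible-builds point concrete, here is an added example (not code from Wheeler's post or from the Linux Foundation). It packages a small constructed source tree into a zip archive twice, once the naive way and once with the two usual sources of non-determinism (file ordering and timestamps) pinned, and a verifier that simulates two independent builders and compares SHA-256 digests. The `SOURCE_DATE_EPOCH` value and the file contents are assumptions for the demo.

```python
"""Added example: why a naive build is not reproducible, and how pinning
entry order and timestamps makes it verifiable by an independent rebuild."""
import hashlib
import io
import time
import zipfile

# Constructed sample "source tree": archive path -> file contents.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int util(void) { return 1; }\n",
    "README": b"demo project\n",
}

# Hypothetical pinned build timestamp (2024-01-01 UTC), playing the role of
# the SOURCE_DATE_EPOCH convention used by reproducible-build tooling.
SOURCE_DATE_EPOCH = 1704067200


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_build(tree, walk_order, build_time):
    """Non-reproducible build: entries land in whatever order the filesystem
    walk yields them, and each entry is stamped with the builder's clock."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in walk_order:
            info = zipfile.ZipInfo(name, date_time=time.gmtime(build_time)[:6])
            zf.writestr(info, tree[name])
    return buf.getvalue()


def reproducible_build(tree, walk_order, build_time):
    """Reproducible build: the walk order and wall clock are deliberately
    ignored; entries are sorted and stamped with the pinned epoch, and the
    file mode is fixed so the builder's umask cannot leak into the output."""
    del walk_order, build_time  # inputs that vary between machines
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(tree):
            info = zipfile.ZipInfo(
                name, date_time=time.gmtime(SOURCE_DATE_EPOCH)[:6])
            info.external_attr = 0o644 << 16
            zf.writestr(info, tree[name])
    return buf.getvalue()


def verify_reproducible(build_fn, tree):
    """Simulate two independent builders with different directory walk
    orders and different clocks. Returns (all_digests_equal, digests)."""
    runs = [
        build_fn(tree, list(tree), 1_700_000_000),
        build_fn(tree, sorted(tree, reverse=True), 1_700_000_100),
    ]
    digests = [sha256(r) for r in runs]
    return len(set(digests)) == 1, digests


if __name__ == "__main__":
    for fn in (naive_build, reproducible_build):
        ok, digests = verify_reproducible(fn, SOURCE_TREE)
        print(f"{fn.__name__}: reproducible={ok}")
        for d in digests:
            print("  ", d)
```

A real verification does the same thing with the vendor's published artifact on one side and a rebuild from the tagged source on the other; any digest mismatch is a signal that something (possibly a compromised build host, as in the Orion case) changed the output.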
For IT departments, this means they have to start asking for a software bill of materials (SBOM) so they know exactly what they are using, Wheeler writes.
Once users get the SBOM, they should examine the versions it lists. If there are malicious components or known vulnerabilities, ask the supplier about them, Wheeler writes.
“Some vulnerabilities may not be exploitable, but too many application developers simply don’t update dependencies even when they are exploitable,” Wheeler writes.
“To be fair, there’s a chicken-and-egg problem here: specifications are in the process of being updated, tools are in development, and many software producers aren’t ready to provide SBOMs.”
Most software producers don't have an SBOM ready yet, but users need to create the demand for them.
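The check Wheeler describes, taking an SBOM and looking for components that are known-malicious, known-vulnerable, or not even pinned to a version, is shown below as an added example; it is not code from the post or from the Linux Foundation. The SBOM is a constructed document in the CycloneDX JSON shape, and the advisory list, advisory IDs, and the denylisted package are all placeholders invented for the demo, not real vulnerabilities.

```python
"""Added example: audit the components in a CycloneDX-style SBOM against a
constructed advisory list and a constructed denylist of malicious packages."""
import json

# Constructed SBOM (CycloneDX JSON shape). Package names are illustrative.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "evil-helper", "version": "1.0.0",
     "purl": "pkg:npm/evil-helper@1.0.0"},
    {"type": "library", "name": "left-pad", "purl": "pkg:npm/left-pad"}
  ]
}
"""

# Constructed advisories: package (purl without version), first affected
# version, first fixed version. The IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "EXAMPLE-ADV-0002",
     "package": "pkg:npm/lodash",
     "introduced": "0", "fixed": "4.17.21"},
]

# Constructed denylist of exact package versions known to be malicious.
MALICIOUS_PURLS = {"pkg:npm/evil-helper@1.0.0"}


def split_purl(purl):
    """Return (package, version) from a purl; version is None when absent.
    Qualifiers (?...) and subpaths (#...) are dropped before splitting."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base.rsplit("/", 1)[-1]:
        package, version = base.rsplit("@", 1)
        return package, version
    return base, None


def version_key(version):
    """Comparison key for dotted versions: "2.17.1" -> (2, 17, 1).
    Non-numeric suffixes such as "-rc1" are ignored; adequate for the
    demo, not a substitute for a proper ecosystem-aware version parser."""
    key = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    return tuple(key)


def audit_sbom(sbom_json, advisories=ADVISORIES, denylist=MALICIOUS_PURLS):
    """Return a list of findings, one per problem component, in SBOM order.
    Kinds: malicious (on the denylist), vulnerable (inside an advisory's
    affected range), unpinned (no version, so it cannot be checked)."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            findings.append({"component": comp.get("name"),
                             "kind": "no-purl", "ref": None})
            continue
        if purl in denylist:
            findings.append({"component": purl, "kind": "malicious",
                             "ref": "denylist"})
            continue
        package, version = split_purl(purl)
        if version is None:
            findings.append({"component": purl, "kind": "unpinned",
                             "ref": None})
            continue
        v = version_key(version)
        for adv in advisories:
            if (adv["package"] == package
                    and version_key(adv["introduced"]) <= v
                    < version_key(adv["fixed"])):
                findings.append({"component": purl, "kind": "vulnerable",
                                 "ref": adv["id"]})
    return findings


if __name__ == "__main__":
    for f in audit_sbom(SBOM_JSON):
        print(f"{f['kind']:<10} {f['component']}  ({f['ref']})")
```

The unpinned case matters in practice: an SBOM entry without a version tells you a dependency exists but cannot tell you whether it is the fixed release, so it belongs on the list of questions for the supplier alongside the outright hits.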
Wheeler also writes that organizations should invest in OpenChain conformance and require suppliers to implement a process designed to improve trust in a supply chain.
OpenChain's conformance process surfaces specifics about the components you depend on, which is a critical first step toward countering many supply chain attacks.