Software Supply Chain Risks ⎪Cassie Crossley (VP Supply Chain Security, Schneider Electric)

Understanding and mitigating software supply chain risks and vulnerabilities has never been more crucial. Cassie Crossley, an expert in software supply chain security, shares invaluable insights from her extensive research and experience. This comprehensive guide explores the rising frequency and sophistication of supply chain attacks, highlighting key incidents and practical steps for ensuring robust security. Discover how vigilance, secure development practices, and effective governance can protect your organization from devastating supply chain breaches.

💡
This article is based on the conversation with Cassie on the Elephant in AppSec - the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.

In this episode, we asked Cassie whether it’s realistic to have a secure software supply chain, why you need to be very careful about what gets committed into code because of backdoors, how her people-person skills made her switch from development to security, and how it feels to be a celebrity!

Dive right in!

Cassie's background

Cassie is the Vice President of Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric.

Starting from a development background, she moved through different roles like technical support, technical documentation, and software development project management. She led compliance, policy, and governance and gradually transitioned into her high-level Product Security role.

Cassie is also the author of the Software Supply Chain security book that has received praise from multiple industry thought leaders.

Cassie’s goal is to make a difference in the cyber community. That’s why she is also a frequent speaker on various supply chain security topics and a workshop trainer.

Watch the full interview below:

The rising threat of supply chain attacks

Cassie's area of expertise is software supply chain security. He wrote an in-depth book on this topic and was willing to share her insights with us!

Supply chain attacks are becoming increasingly common, yet many remain undetected. The implications of these attacks can be severe, affecting not just individual companies but entire industries and critical infrastructure. These attacks target the interconnected network of suppliers, vendors, and service providers that organizations rely on, making them particularly insidious and challenging to detect.

Cassie's Perspective on Supply Chain Attacks

Cassie emphasizes the growing frequency and sophistication of supply chain attacks. She notes that while many of these attacks are happening daily, they often go undetected for extended periods. This latency in detection can lead to widespread and severe consequences.

"There's a lot that's going on in the world and those supply chain attacks are happening more and more every day and we just haven't seen them yet. We haven't found them yet."

The SolarWinds Incident

"Most people have realized that it became an issue when SolarWinds happened when Microsoft and Governments got compromised."

The SolarWinds attack serves as a stark reminder of the potential scale and impact of supply chain attacks. This incident involved the compromise of a widely-used IT management software, leading to breaches in numerous organizations, including government agencies and major corporations. Cassie highlights this event as a turning point in the awareness and urgency surrounding supply chain security.

The Colonial Pipeline Ransomware Attack

Another significant example is the Colonial Pipeline ransomware attack, which disrupted fuel supply across the Eastern United States. Cassie points out that this incident, although not directly a software supply chain attack, underscores the broader implications of supply chain vulnerabilities.

"When you have Colonial Pipeline, who is a supplier and they're not a technology firm and they go down and disrupt an entire, you know, half of a country because of ransomware, you realize supply chain attacks, whether they're cyber related or not, are still going to make a bigger difference."

The Importance of Vigilance in Open Source Software Supply Chain Security

In software development, the use of open source software (OSS) is quite widespread. However, a diligent approach is required to ensure security. Each update to OSS must be meticulously scanned and reviewed. Blindly trusting updates from even reputable groups is no longer viable, especially when the software could be integral to critical systems, such as medical devices.

"Think of all the medical devices that are out there. There's a lot that's going on in the world and those supply chain attacks are happening more and more every day and we just haven't seen them yet. We haven't found them yet."

The XZ Backdoor: A Case Study in Supply Chain Security

The XZ backdoor incident is a recent example that highlights the critical importance of vigilance in software supply chain security. This case involves the insertion of a backdoor into open source code, which went undetected for a period, posing significant risks to any systems that integrated the compromised code.

What Happened?

"Somebody noticed there was a difference in the speed of an action that was happening. And so that person investigated it and they found out that there was a backdoor that had been inserted into open source code."

The XZ backdoor was discovered when a developer noticed an unusual difference in the speed of an action within the software. Upon investigation, it was found that a backdoor had been inserted into the open source code, allowing unauthorized access and potential control over affected systems.

Cassie's Insights on the XZ Backdoor

Cassie Crossley provides a detailed perspective on the XZ backdoor incident. She emphasizes the need for rigorous inspection and continuous monitoring of open source components to prevent such vulnerabilities.

On the Importance of Vigilance:
"You have to be very diligent about looking at that open source, scanning it, reviewing it and then doing that every time you do an update."

The Role of Software Bill of Materials (SBOM)

While the Software Bill of Materials (SBOM) is a valuable tool in identifying and managing software components, Cassie points out that it alone would not have detected the XZ backdoor. The SBOM can help trace the presence of specific versions of software, but it requires additional measures to identify malicious code.

"The software bill of materials would not have told you whether that backdoor was in there. Really the only way you could have known is if you did that code inspection because there wasn't anything knowing to look out for it."

Lessons Learned

The XZ backdoor incident underscores several critical lessons for organizations:

  • Rigorous Code Inspection: Regular and thorough inspection of all code, especially open source components, is essential. This includes understanding the provenance and quality of the code and its maintainers.
"Go in and check who is the committer, what else have they committed on projects to, you know, are they going to be reliant? And when you're looking at all of this is if you need to branch the code and take ownership, do you understand it?"
  • Continuous Monitoring: Implementing continuous monitoring and scanning tools to detect anomalies and potential vulnerabilities in real-time.
"You need to think of it almost like it's a child. Now. There's somebody you know that they use the term free puppies when it comes to open source. But if you're putting this together, you know, you have a responsibility and accountability to maintain that product throughout."

The role of governance in Supply Chain Security

Another topic we discussed with Cassie is how governance plays a pivotal role in ensuring the security of the software supply chain. Effective governance (including API governance, which we talked about previously in our blog) frameworks help organizations manage risks, enforce policies, and maintain compliance across all stages of the supply chain.

Cassie's Insights on Governance

Cassie emphasizes that governance is not just about setting policies but also about continuous oversight and management of third-party risks. She highlights the evolution of governance frameworks and their critical role in supply chain security.

"We ourselves were a governance function. It was just an overlay. So there were things that didn't quite fit. And I was really just honored when NIST came to me and said, hey, we want you to present on the panel about third-party governance."

The NIST Cybersecurity Framework (NCSF) 2.0

"The NIST Cybersecurity Framework (NCSF) had little pieces here and there that talked about suppliers, but it did not have this govern function. So I rolled out NCSF into our company 7-8 years ago when I first joined the CSO team and we said, how are we going to judge the maturity of our security program?"

The NCSF 2.0 introduced a dedicated "Govern" function, which underscores the importance of governance in managing third-party risks. This function helps organizations establish and maintain a comprehensive governance structure that includes policies, procedures, and oversight mechanisms.

"The NCSF and just everybody in general, you know, we've been talking about, do you have an IT cybersecurity posture, but it's really about supplier management. So by adding that governance function in there, it's just starting."

Practical Implementation of Governance

Cassie shares her experience in implementing governance frameworks within Schneider Electric and the challenges associated with it:

Continuous Improvement:

"We have evidence-based examinations now of our suppliers, the ones that provide software or that may impact our software. So if they're part of the supply chain in that sense, we ask them those kinds of questions and we're going to see that more and more, but it's going to take a long time."

Third-Party Risk Assessment:

"I created a third-party risk assessment program over three years ago where we checked evidence because from a secure development life cycle, I can't say, does this ISO 27001 certification ask anything about secure development? It doesn't say, do you have secure coding rules? It doesn't say, do you train your developers? It doesn't say, do you protect the development environment?"

Measuring Maturity:

"We measured ourselves and aligned programs to that, but we ourselves were a governance function. It was just an overlay. So there were things that didn't quite fit."

Key Components of Effective Governance

Policy Development and Enforcement

Governance frameworks should include clear policies that define security requirements for all third-party suppliers. These policies must be enforced consistently to ensure compliance.

Continuous Monitoring and Assessment

Regular assessments and continuous monitoring of third-party suppliers are crucial. This includes evaluating their security practices, conducting audits, and ensuring they adhere to established policies.

Collaboration and Communication

Effective governance requires collaboration between various stakeholders, including procurement, IT, security teams, and third-party suppliers. Open communication channels help in addressing issues promptly and maintaining a robust security posture.

Training and Awareness

Training programs for developers and other stakeholders are essential to ensure they understand the importance of supply chain security and their role in maintaining it.


Practical Steps for Ensuring Supply Chain Security

  1. Thorough Inspection of Open Source Code

Cassie emphasizes the importance of diligently inspecting open source code before integrating it into products.

"You have to be very diligent about looking at that open source, scanning it, reviewing it and then doing that every time you do an update."

2. Secure Development Environments

Ensuring that development environments are secure is crucial. This includes protecting build environments and virtual machines from unauthorized access.

"The build environment and all of that cybersecurity experts are not even touching those environments, those are being constructed by us as developers."

3. Continuous Monitoring and Maintenance

Regularly updating and maintaining software libraries and dependencies is essential to mitigate vulnerabilities.

"You definitely should be updating those libraries and some, some of them may say, you know, depending on the security level of, you know, let's just say, you know, we're trying to address this vulnerability but we wanna wait one more release."

4. Implementing Secure Coding Practices

Training developers in secure coding practices and ensuring they follow these practices consistently can prevent many vulnerabilities.

"We have a very extensive training program for secure development. We have secure coding tools, we have this and that. So they're seeing it as they go through."

5. Utilizing Software Bill of Materials (SBOM)

Using SBOMs helps in tracking and managing the components used in software, making it easier to identify and address vulnerabilities.

"The software bill of materials will let people know. Yes, this product with this version, if it had this exact version, it was compromised."
6. Threat Modeling

Conducting threat modeling exercises helps in identifying potential attack vectors and mitigating them early in the development process.

"What I really see is you're thinking about it, you know, what are the attack paths before I start it?"

The Future of Supply Chain Security

Cassie also shares her perspective on the future of supply chain security, highlighting emerging trends and the evolving landscape.

1. Increased Focus on Governance

Governance will continue to play a critical role in managing supply chain security, with frameworks like the NIST Cybersecurity Framework (NCSF) evolving to include more comprehensive governance functions.

"The NCSF and just everybody in general, you know, we've been talking about, do you have an IT cybersecurity posture, but it's really about supplier management."

2. Adoption of AI and Advanced Tools

The use of AI and advanced tools will become more prevalent in detecting and mitigating supply chain security risks.

"We're gonna see AI help that there's a lot of new platforms and a lot of new startups coming out where they're improving the scan ability and the reach ability of code and being able to detect these things."

3. Ethical Hacking and Pentesting

Training developers in ethical hacking and pentesting will become more common, helping them understand and defend against potential attacks.

"I think every developer should take probably a pentest course and become an ethical hacking course to really understand the offense, you know, how to become better in the defense."

4. Enhanced Collaboration

Collaboration between developers, security teams, and other stakeholders will be crucial in addressing supply chain security challenges.

"It shouldn't be us versus them when it comes to development and security, you really need to examine all the development teams do what they need to do to be able to get that."

Conclusion

Ensuring supply chain security requires a multifaceted approach that includes thorough inspection of open source code, securing development environments, continuous monitoring, and implementing secure coding practices. The future of supply chain security will see increased focus on governance, adoption of AI and advanced tools, ethical hacking training, enhanced collaboration, and continuous improvement. By following these practical steps and staying ahead of emerging trends, organizations can better protect their supply chains and mitigate security risks.


💡Want to learn more? Discover the following articles: