Supply chain attacks - Part III : Detection and prevention

Did you know that nine out of 10 companies detected software supply chain risks in the past 12 months? Isn't that scary? So with no delay, let's dive into how to put forth a defense against supply chain attacks. In this blog—the final part of the series—you will find out how to detect and prevent supply chain attacks at each stage of product development. Let's uncover the following:

• How to detect and prevent supply chain attacks
• Planning stage defense
• Designing stage defense
• Implementation stage defense
• Testing stage defense
• Deployment stage defense
• Maintenance stage defense
• ManageEngine Log360's software development life cycle

How to detect and prevent supply chain attacks

A well-planned product development process, which can also be termed as a software development life cycle (SDLC), is the primary step towards protecting your supply chain. Let's take a deep look at the different stages of an SDLC and unravel the different techniques to detect and prevent a supply chain attack at each stage.

Planning stage defense

This is the first stage of your SDLC. It is the stage where the infrastructure for developing software is set up. In this stage, organizations mostly concentrate on the availability, procurement, and allocation of resources. Some of the best practices to defend against supply chain attacks in this stage are:

• Creating a software bill of materials, which is a record of all the resources and processes involved in the SDLC to keep track of all activities during the process.
• Implementing a Zero Trust model to verify all dependencies and third parties involved in the SDLC.
• Using comprehensive threat modeling to identify the possible threats and vulnerabilities in all the components of the infrastructure that can hinder the SDLC.
• Triaging the known threats and vulnerabilities in the SDLC to plan appropriate incident responses to counteract them.

Designing stage defense

Designing is the stage where the product begins to take shape. It involves a separate set of procedures to develop a prototype. The software dependencies required to stage the product are also determined in this stage. In simple terms, this is the stage where suitable third-party solutions that can cater to the purpose of the final product are picked up and integrated. Some notable practices that can defend this stage of the SDLC are:

• Establishing a verification process to assess the security posture of vendor organizations.
• Assessing the risk level and the credibility of vendor products.
• Performing network segmentation to limit third parties' radius of access to internal resources.
• Implementing the principle of least privilege for all third parties so they can only carry out permitted actions.

Implementation stage defense

The implementation stage is the stage of execution. The DevOps team, which is a combination of software developers and IT operators, plays a vital role in this process. The software is programmed in this stage using code. This code can either be proprietary or open source. Further, this process can also be dependent on a third-party coding platform to run and execute the code. Thus, this stage involves a lot of internal and external collaborations. The best practices to defend against supply chain attacks in this stage of the SDLC are:

• Deploying strong code integrity policies to restrict unauthorized executions of code dependencies.
• Assessing open-source code in an inline sandboxing tool to filter out unknown threats and vulnerabilities.
• Using client-side protection tools while availing services from a third-party service provider.
• Auditing shadow IT infrastructure, which involves unauthorized resources that are used by the DevOps team without the approval of the IT department.

Testing stage defense

The testing stage ensures the quality of the developed software. Here, code is executed and checked for bugs, glitches, and vulnerabilities. This stage also involves third-party collaborations for pen testing and sandboxing. Some of the best practices to prevent a supply chain attack in this stage are:

• Creating in-house pen testing facilities to avoid dependency on third-party tools.
• Identifying and mitigating all vulnerabilities to prevent zero-day vulnerabilities and exploits.

Deployment stage defense

Deployment is the stage where the tested software is verified and attested using code-signing certificates, and it is made available to end users as software packages or services via websites. This stage is crucial to protect as attackers might steal the code-signing certificates to create fake identities and lure users into downloading malicious software, or they could exploit loopholes in the website's JavaScript to embed malicious code. Some notable steps to defend against a supply chain attack at this stage are:

• Implementing kaizen, which is continuous development and improvement in the software deployment pipeline.
• Integrating the security teams with the development teams to secure the code-signing certificates and JavaScript repositories.
• Implementing server-side protection solutions to inspect all download requests and website traffic.

Maintenance stage defense

This is the final stage of the SDLC, which focuses on the seamless and efficient functioning of the product after deployment. This is the stage where the product is continuously improved to meet the requirements of end users. It involves frequent bug fixes, software updates, and vulnerability patches. Though this stage marks the end of the SDLC, it can also mark the beginning of a major security breach if updates and fixes are not employed regularly. Some practices to secure your supply chain in this stage of the SDLC include:

• Building an effective software asset inventory to track all the updates and upgrades to the software.
• Implementing a secure workflow to apply security patches and software updates regularly.
• Enforcing multi-layered security using multi-factor authentication to restrict unauthorized access to the software builds, code repositories, and libraries.

ManageEngine Log360's SDLC

Log360 is a unified SIEM solution presented by ManageEngine, the IT management division of Zoho Corporation. Log360 comprises of distinct modules that help you secure your network. To ensure the security of a solution like Log360, we build our product on the proprietary frameworks of Zoho and ManageEngine with an in-house infrastructure to facilitate product development. We do not depend on open-source resources or third-party platforms, as each module of Log360 is developed using proprietary code, plugins, and integrations from our existing products. The product undergoes multiple levels of validation before deployment and is thereafter constantly updated and patched for seamless functioning. These procedures shape Log360 into a foolproof product with absolute quality and integrity.

We are so very cautious because a supply chain attack is capable of causing deleterious effects on your network despite sophisticated network security. It brutally exploits the mutual trust between various dependencies, which are indispensable in the SDLC. So hold your guard against supply chain attacks by implementing the best practices outlined above in each stage of your SDLC.

Wrapping up, we hope this blog series helped you discern the ins and outs of a software supply chain attack, its types, and measures to prevent it. Until we meet again in another interesting blog series, stay proactive and reactive in your defense against supply chain attacks.