Supply Chain Management
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in its supply chain.
In software development, a supply chain is the set of activities involved in handling, manufacturing and processing software.
Software supply chain attacks inject malicious code into an application’s files in order to infect all users of an application.
This can happen by:
- replacing critical files with malicious equivalents
- replacing the compiler with one that inserts backdoors into the applications it builds
- replacing a server or service that provides a REST API with a malicious impostor
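The first vector above, a critical file swapped for a malicious equivalent, is what a pinned integrity manifest is meant to catch, and the same manifest doubles as the asset inventory the supplier recommendations below call for. The following is an added illustration, not code from the original page: the file trees, paths and contents are constructed sample data.

```python
"""Verify an application's shipped files against a manifest of SHA-256 hashes
recorded at release time. Findings cover files that were modified, files that
disappeared, and files that were never in the inventory at all."""
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the expected digest of every file at release time (the inventory)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_manifest(manifest: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Compare a deployed tree with the manifest; an empty list means it matches."""
    findings = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append(f"MISSING {path}")
        # Constant-time comparison is cheap and avoids a lazy '==' habit on digests.
        elif not hmac.compare_digest(sha256_hex(files[path]), expected):
            findings.append(f"MODIFIED {path}")
    for path in files:
        if path not in manifest:
            findings.append(f"UNLISTED {path}")  # not in the inventory: investigate
    return sorted(findings)


# Constructed sample release (hypothetical paths and contents).
RELEASE = {
    "app/main.py": b"print('hello')\n",
    "app/config.yaml": b"api_url: https://api.example.invalid\n",
}

# Constructed tampered copy: one file altered, one dropped, one smuggled in.
TAMPERED = {
    "app/main.py": b"print('hello')\n# one extra line changes the digest\n",
    "app/extra.so": b"\x7fELF-placeholder",
}


def check_release() -> List[str]:
    """Run the check of the tampered tree against the release manifest."""
    return verify_manifest(build_manifest(RELEASE), TAMPERED)


if __name__ == "__main__":
    for finding in check_release():
        print(finding)
```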
Such attacks can occur in any industry: the financial sector, the oil industry and the government sector have all been hit, and even cybersecurity companies are affected.
The European Union Agency for Cybersecurity (ENISA) mapping of emerging supply chain attacks finds that 66% of attacks focus on the supplier’s code.
Recommendations for suppliers include:
- ensuring that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cybersecurity practices;
- implementing a product development, maintenance and support process that is consistent with commonly accepted product development processes;
- monitoring security vulnerabilities reported by internal and external sources, including those in the third-party components that are used;
- maintaining an inventory of assets that includes patch-relevant information.
The report also suggests possible actions to ensure that the development of products and services complies with security practices; suppliers are advised, for instance, to implement good practices for vulnerability and patch management.
Further recommendations:
- identify your supply chain
- evaluate your security practices, including but not limited to software development practices
- establish a Secure Software Lifecycle process if one does not already exist
- evaluate the cybersecurity posture of each link in your supply chain
- establish processes that continuously monitor the cybersecurity of those links