“Everything under heaven is in chaos. The situation is excellent!” That is how Mao Zedong, the chairman of China's Communist party, read the state of affairs in China in the early 1960s. Cybersecurity pros meeting on the sidelines of the Black Hat Briefings had a similar take on our current situation, as they weighed huge shifts in the number and nature of cyberthreats and contemplated substantial changes in their approaches to addressing modern cyber-risks, such as those facing software supply chains.
Cybersecurity experts from the private sector and U.S. government gathered on Tuesday, August 6th at an event sponsored by the firm Lineaje. A heavy reliance on open source code, the widespread embrace of cloud services, and the rapid adoption of machine learning (ML) and artificial intelligence (AI) leave organizations exposed to a wide range of threats and attacks for which they aren’t adequately prepared or equipped, the speakers warned. And that demands a serious rethinking of cybersecurity practices as well as the embrace of new technologies and processes to address fast-evolving threats.
Chitra Elango, cybersecurity director at the Federal National Mortgage Association, said application security testing (AST) tools and approaches to addressing risk aren't up to addressing today's more complex software and IT environments. This new reality forced Fannie Mae to do more work to classify and prioritize patching and remediation based on factors such as vulnerability exploitability and the criticality of affected systems. This raises the stakes for development teams and security staff to get exploitable holes fixed.
Here's why you need to reboot you security approach in the era of heightened software supply chain risk.
[ Learn how you can go beyond the SBOM with our Special Report. Plus: Download the White Paper ]
Open source is in the hot seat
Attendees agreed that organizations that rely on open-source software need to start contributing back to those open-source projects with an eye toward improving code quality and security. John Mark Walker, the director of the open-source program office at Fannie Mae, said that organizations facing open-source risks should wade in and address those problems rather than shrug them off.
Developers at Fannie Mae have been modifying open-source libraries internally to fix known security issues rather than wait, he said.
“We realized that when you are using open source code, you can be a part of the supply chain. Whether you’re a vendor or a user, you should take the opportunity to manage your supply chain rather than passively accept what you get.”
—John Mark Walker
Third-party risk? Try Nth-party risk
But addressing software supply chain risks is a bigger problem than just shoring up popular open-source projects can fix, the speakers said. As incidents such as the attacks on SolarWinds, 3CX, and other firms have shown, existing approaches to application security (AppSec) are inadequate and fail to detect a range of potential threats to development organizations and end-user organizations, said ReversingLabs CEO Mario Vuksan, a panelist in a discussion on "What Enterprises Are Doing about Software Supply Chain Threats."
Vuksan said development teams are overwhelmed with vulnerabilities and often miss the bigger picture of software security. In the case of open-source software, for example, greater contributions from end-user organizations require open-source maintainers to get on board and accept changes more readily to improve codebases, while also requiring contributing organizations to consider the needs of the broader open-source ecosystem. “If they fix their own problems, they are breaking future updates — and potentially making their own security postures worse," he said.
The rise in software supply chain attacks demonstrates that traditional tools are not up to the job of dealing with today’s complex software packages, whether developed internally or bought commercially.
“AppSec tools aren’t built for that problem. SolarWinds? There was no existing solution to detect that. 3CX? The same.”
—Mario Vuksan
Roi Abitboul, a panelist and the CEO of Raven.io, said one problem was the black-box nature of most commercial software, despite many commercial packages containing large amounts of open source code.
“We lack the ability to know what a library or [executable] will do at runtime. Programming languages like Python, Java, and JavaScript account for 90% of all cloud applications and workloads. We have a vacuum and need to add to our tool set.”
—Roi Abitboul
Richard Bird, the CSO at the firm Traceable.ai, noted that the growing complexity of software deployments, the heavy reliance on APIs, and the growth of no-code applications greatly complicate the job of securing against supply chain threats. "Third-party risk is a lie," Bird said. "You all face Nth-party risk.”
“There’s no way to test the behavior of APIs. When you look at today’s testing technologies, there’s a very large gap in web apps and not enough visibility in the chain of custody to have any probability of determining whether a given app has been tested properly.”
—Richard Bird
Regardless, expect more, not less, complexity going forward, ReversingLabs’ Vuksan said. “Truly successful organizations are going to want to integrate with other things. If you want to make money, you need to integrate with other systems."
Bird also stressed that there is no turning back. “My concern is that we’ve passed the event horizon. So much of our codebase is not our own. It’s forcing all of us to consider whether the security stacks we have are oriented to a world where only 30% of the codebase belongs to us,” Bird said.
But what that new stack will look like is still an open question. “There’s a lot of complexity. Apps are just a collection of API calls or they are massive in size,” he said. Beyond that, applications are bespoke with a mix of open source and homegrown code that varies by vertical and is often unique to the customer, he said.
While there is no simple solution, there are ways to change the status quo. That starts with putting a greater emphasis on software design, said Shane Ryan, a practice director at the firm Praetorian.
“Secure by Design needs to be involved from the beginning. We need to focus on critical assets and relevant attack surfaces — what to do and what not to do. It’s about shifting left and testing whether we are protecting our critical assets.”
—Shane Ryan
Organizations can also help to move the needle on software security by holding third-party software builders to a higher standard, which is not happening today. The U.S. Cybersecurity and Infrastructure Security Agency last week unveiled a Secure by Demand guide — which remains voluntary — as a counterpart to its landmark Secure by Design guidance (PDF), released in April 2023. Increased market demand for secure design was a common theme at the Lineaje event as well.
“We as software purchasers have a lot of power, and it's called ‘money,’” said Natalie Somersall, principal solutions engineer for the public sector at Chainguard, in a session on building Secure by Design.
Modern threats call for upgrade to tools and approach
The Lineaje event echoed warnings at both the Black Hat Briefings and DEF CON events last week about the growing gaps between older-generation AppSec and testing tools and the risks inherent in modern applications and cloud-centric environments.
Saša Zdjelar, chief trust officer at ReversingLabs, wrote recently that as software producers, enterprise buyers, and other key stakeholders prepare their cybersecurity and risk management efforts for 2025, they should be looking for ways to prevent and quickly mitigate any and all software supply chain attacks:
“But modern enterprise security programs suffer from a sprawl of uncoordinated tools and continually fail at achieving software supply chain security. This calls for a new era of SSCS management, one in which universal controls can prioritize the mitigation of these threats.”
—Saša Zdjelar
Zdjelar said that what’s needed is a final exam for software packages, which is why ReversingLabs recently introduced its Software Assurance Foundational Evaluation (SAFE) reports, which go well beyond traditional software bills of material (SBOMs) and provide comprehensive software supply chain risk analysis.
