No doubt about it, the way malicious actors attack their targets through software is changing.
The attack pattern we’re familiar with is fairly direct. Someone finds a vulnerability in deployed software. Malicious actors develop malware to exploit the weakness. They then find a way to reach the deployed software within target companies and use the malware as part of their attack until a patch is deployed. Our defenses against this type of attack have been twofold.
On one side, software buyers use malware detection and response tools on user email, web applications, endpoints, cloud or network file storage to block malware from entering their environments. By blocking known exploits, enterprises prevent some attacks and limit the dwell time for others.
On the other side, software publishers incorporate vulnerability testing and software composition analysis earlier in their development lifecycles and prioritize remediation and mitigation efforts for existing and newly created vulnerabilities. For the most part, vulnerability scanners look for coding patterns or mistakes that make software vulnerable, i.e., that leave holes for attackers to reach inside and start manipulating the software, or the system it runs on, to achieve their objectives.
While these defenses aren’t perfect, they have made it harder to reach high-value target companies. Therefore, malicious actors have looked for alternative ways to reach their targets – by tampering with software supplied by trusted vendors.
The risk posed is unnerving since ENISA’s analysis of software supply chain attacks from Jan 2020 through Jul 2021 reported that “an organization could be vulnerable to a supply chain attack even when its own defenses are quite good.” In other words, finding and patching software vulnerabilities isn’t sufficient for dealing with the more sophisticated supply chain risks.
To understand why and what to do about it, we first must understand the differences between software vulnerability detection and finding software tampering. Hence my webinar on the topic, which will also cover indicators that must be detected, what software artifacts must be assessed, and when assessments must occur.
If you missed the “3 Ways Detecting Software Tampering Differs From Finding Software Vulnerabilities” webinar, you can now watch it on-demand here.
Keep learning
- Get up to speed on securing AI/ML systems and software with our Special Report. Plus: See the Webinar: The MLephant in the Room.
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.