Code libraries become a security risk
Vulnerabilities in third-party code put businesses at risk
23.03.2022 A guest article by Evan Grant et al.
Software libraries shared by multiple hardware manufacturers are increasingly becoming a problem for security teams in companies. What is critical is not that manufacturers share code, but that security checks and precautions around that shared code are often lacking. When threat researchers discover a new vulnerability, potential victims are often not informed in time, before cybercriminals get to work.
The software supply chain must become more secure, because insecure devices expand the attack surface and endanger the security of the entire company.
In the spring of 2021, Tenable discovered a vulnerability in a router from the manufacturer Buffalo that originated in the Arcadyan firmware the device was built on. Ultimately, at least 20 other models from 17 different vendors and service providers such as Telstra, Telus, Verizon and Vodafone, and thus their customers and users, were affected worldwide. Insecure routers also endanger the business operations of companies in times of remote work. On top of that comes the flood of mobile devices and IoT components whose third-party software may also contain security vulnerabilities. Home networks and the growing Internet of Things significantly expand the potential attack surface.
In addition, ransomware attacks are becoming more and more sophisticated. Attackers recently targeted managed service providers and their corporate customers: in a spectacular case in July 2021, skilled actors exploited zero-day vulnerabilities in the Professional Services Automation (PSA) software Kaseya VSA. Another example is the self-spreading, destructive NotPetya malware, which caused great damage worldwide in the summer of 2017. Stopping the large-scale exploitation of a vulnerability and the spread of such a threat requires greater care, especially with third-party software. When a vulnerability is found in software that is reused across many products, it is crucial to identify all downstream software projects, services and customers so that everyone involved can be warned in time.
The software supply chain must become more secure
The complexity of software projects is increasing, and with it the dependence on third-party frameworks, open source software and cross-vendor libraries. It is therefore crucial that companies carry out a complete inventory of the components they use. A machine-readable Software Bill of Materials (SBOM) is extremely helpful here. This record lists all components a company used when building its software, with their versions and supply chain relationships. With reliably updated SBOMs, affected devices can be identified early and all parties involved can be warned.
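The step described above, matching a new advisory against SBOMs to find every affected product, as an added example (not Tenable's tooling and not code from the original article). The three CycloneDX-style SBOMs, the vendor names, the "shared-webui" component and the advisory identifier are all constructed for illustration; only the CycloneDX fields the matching needs (metadata.component, components[].purl, nested components) are included. One of the SBOMs carries the vulnerable library nested inside a vendor SDK, which is exactly the case a flat scan of top-level entries would miss.

```python
"""Match a vulnerability advisory against CycloneDX-style SBOMs.

Added example. The SBOMs and the advisory below are constructed for
illustration and do not describe any real product or vulnerability.
"""
import re
from typing import Iterator, List, Tuple

# Constructed SBOMs, one per firmware image (hypothetical products).
SBOMS: List[dict] = [
    {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "router-model-a-firmware", "version": "1.2.3"}},
        "components": [
            {"name": "shared-webui", "version": "2.0.4",
             "purl": "pkg:generic/example-odm/shared-webui@2.0.4"},
            {"name": "busybox", "version": "1.30.1",
             "purl": "pkg:generic/busybox@1.30.1?arch=mips"},
        ],
    },
    {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "router-model-b-firmware", "version": "4.0.0"}},
        "components": [
            # The vulnerable library arrives nested inside a vendor SDK component.
            {"name": "vendor-sdk", "version": "7.1",
             "purl": "pkg:generic/example-odm/vendor-sdk@7.1",
             "components": [
                 {"name": "shared-webui", "version": "1.9.0",
                  "purl": "pkg:generic/example-odm/shared-webui@1.9.0"},
             ]},
        ],
    },
    {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "router-model-c-firmware", "version": "2.5.0"}},
        "components": [
            {"name": "shared-webui", "version": "2.0.5",
             "purl": "pkg:generic/example-odm/shared-webui@2.0.5"},
        ],
    },
]

# Constructed advisory: the shared web UI is vulnerable in every version before 2.0.5.
# Ranges are AND-combined, so [(">=", "1.0"), ("<", "2.0.5")] would mean 1.0 <= v < 2.0.5.
ADVISORY = {
    "id": "EXAMPLE-2022-0001",  # placeholder identifier, not a real CVE
    "purl_prefix": "pkg:generic/example-odm/shared-webui",
    "affected_ranges": [("<", "2.0.5")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.0.4' into (2, 0, 4). Pre-release tags such as '-rc1' are dropped,
    so normalise versions before relying on this for release candidates."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Pad to equal length so that '2.0' compares equal to '2.0.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, ranges) -> bool:
    """True if every (operator, bound) constraint holds for the version."""
    ops = {"<": lambda x, y: x < y, "<=": lambda x, y: x <= y,
           ">": lambda x, y: x > y, ">=": lambda x, y: x >= y, "==": lambda x, y: x == y}
    v = parse_version(version)
    for op, bound in ranges:
        a, b = _padded(v, parse_version(bound))
        if not ops[op](a, b):
            return False
    return True


def iter_components(components: List[dict]) -> Iterator[dict]:
    """Walk a CycloneDX component tree, including nested sub-components."""
    for c in components:
        yield c
        yield from iter_components(c.get("components", []))


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def affected_products(sboms: List[dict], advisory: dict) -> List[Tuple[str, str, str]]:
    """Return (product, product version, vulnerable component version) per affected SBOM."""
    hits = []
    for sbom in sboms:
        product = sbom["metadata"]["component"]
        for comp in iter_components(sbom.get("components", [])):
            base, version = split_purl(comp.get("purl", ""))
            if base == advisory["purl_prefix"] and version_in_range(version, advisory["affected_ranges"]):
                hits.append((product["name"], product["version"], version))
    return hits


if __name__ == "__main__":
    for name, ver, comp_ver in affected_products(SBOMS, ADVISORY):
        print(f"{ADVISORY['id']}: {name} {ver} ships shared-webui {comp_ver} -> notify downstream")
```

Run as a script, the example reports models A and B as affected and leaves model C, which already ships the fixed 2.0.5, out of the notification list. Matching on the package URL rather than on the display name is deliberate: the same library often appears under slightly different names in different vendors' SBOMs, while the purl is the stable key.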
Applying secure software development practices is another starting point for making the software supply chain more secure. A Secure Software Development Lifecycle (SSDLC) means identifying the vulnerabilities in a new software release, both quantitatively and qualitatively, and then reducing and eliminating them. Companies also reduce their development costs by identifying problems early in the development process. Rising costs are due not least to the fact that bugs and vulnerabilities often only become visible, and are only fixed, once the code is already in production.
It also makes sense to set up a Product Security Incident Response Team (PSIRT), which identifies, evaluates and handles the risk posed by security vulnerabilities in the company's software. Integrated into the SSDLC process, the PSIRT implements proper security practices and provides oversight and coordination for all security issues. Establishing a PSIRT, or running an internal vulnerability disclosure program, makes the entire process from report to fix much more efficient.
Defuse security problems in a timely manner
The growing number of cyber security incidents and attacks involving the software supply chain has recently drawn increased attention from software providers and security experts, but also from legislators. As a result, the entire community is introducing new approaches and implementing new policies and procedures specifically designed to deal with security problems in complex software supply chains.
It is a cross-manufacturer, industry-wide problem that requires the commitment and cooperation of all parties involved. The previously tedious and bumpy process of reporting vulnerabilities in shared software libraries needs to be streamlined. This is the only way to resolve security vulnerabilities in all affected products as effectively and efficiently as possible.
About the authors: Evan Grant is a Staff Research Engineer at Tenable and co-authored this article with Tenable’s Zero Day Research Team.