In early November 2022, researchers at Proofpoint discovered that more than 250 U.S. news outlets had malware injected into their content via JavaScript.
The term “software supply chain” first made headlines in late 2020 when it became known that software from SolarWinds, an IT management software provider, had been infiltrated and compromised. The software was widely used within the U.S. government; affected organisations included the cybersecurity firm FireEye, the U.S. Treasury Department, the U.S. Department of Commerce, and the U.S. Department of Homeland Security. Investigations were carried out at NATO, the European Parliament, the UK GCHQ, the UK Ministry of Defence, the UK National Health Service, and the UK Home Office.
While some executives at the time deemed this “the largest and most sophisticated attack the world has ever seen”, it quickly transpired that there were significant flaws in the way SolarWinds (and many other organisations at the time) managed the security of their software development pipeline – today commonly known as the “software supply chain”.
As a result of these events, SolarWinds' share price fell sharply and has never recovered. A class action lawsuit is now under way against SolarWinds in relation to its security failures and the subsequent fall in share price.
In response to the attack, on May 12th, 2021, the White House released an Executive Order on Improving the Nation’s Cybersecurity, establishing new requirements to secure the U.S. federal government’s software supply chain. These requirements involve systematic reviews, process improvements, and security standards for both software suppliers and developers, as well as for customers who acquire software for the Federal Government. Most importantly, the Executive Order requires vendors to establish what has become known as an SBOM – a Software Bill of Materials.
A Software Bill of Materials is a nested inventory showing all the components used in the development and deployment of a software product. By accurately listing these components, users gain visibility over everything the product includes and can readily identify harmful components.
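To make the “nested inventory” concrete, here is an added example (not from the original post or from any vendor mentioned here) that walks a constructed CycloneDX-style SBOM from the top-level application down through transitive dependencies and reports the path by which any component on an organisation's block list is pulled in. The SBOM content, the package names and the block list are all hypothetical values constructed for the example; the CycloneDX field names (`components`, `bom-ref`, `dependencies`, `dependsOn`) are the real ones, and tools such as Trivy can emit SBOMs in this format.

```python
import json

# Constructed CycloneDX 1.4 document (not real tool output): an application that
# depends on a web framework, which in turn pulls in a logging and a JSON library.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "payments-api",
                               "version": "2.3.0", "type": "application"}},
    "components": [
        {"bom-ref": "pkg:maven/org.example/webfx@4.1.0", "name": "webfx", "version": "4.1.0", "type": "library"},
        {"bom-ref": "pkg:maven/org.example/logcore@1.0.2", "name": "logcore", "version": "1.0.2", "type": "library"},
        {"bom-ref": "pkg:maven/org.example/jsonlite@0.9.1", "name": "jsonlite", "version": "0.9.1", "type": "library"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.example/webfx@4.1.0"]},
        {"ref": "pkg:maven/org.example/webfx@4.1.0",
         "dependsOn": ["pkg:maven/org.example/logcore@1.0.2", "pkg:maven/org.example/jsonlite@0.9.1"]},
        {"ref": "pkg:maven/org.example/logcore@1.0.2", "dependsOn": []},
        {"ref": "pkg:maven/org.example/jsonlite@0.9.1", "dependsOn": []},
    ],
})

# Hypothetical block list of (name, version) pairs the organisation has decided must not
# ship; in practice this would be fed from vulnerability advisories or policy.
BLOCKED = {("logcore", "1.0.2")}

def load_graph(sbom_json):
    """Return (root ref, components keyed by bom-ref, adjacency list) from CycloneDX JSON."""
    bom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    comps[root["bom-ref"]] = root
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], comps, deps

def find_paths(sbom_json, blocked=BLOCKED):
    """Depth-first walk of the nested inventory; for every blocked component reachable
    from the root, return the chain of component names that pulls it in."""
    root, comps, deps = load_graph(sbom_json)
    hits = []
    def walk(ref, path):
        comp = comps.get(ref, {})
        if (comp.get("name"), comp.get("version")) in blocked:
            hits.append([comps[r]["name"] for r in path + [ref]])
        for child in deps.get(ref, []):
            if child not in path:          # guard against cycles in malformed SBOMs
                walk(child, path + [ref])
    walk(root, [])
    return hits

if __name__ == "__main__":
    for chain in find_paths(SAMPLE_SBOM):
        print(" -> ".join(chain))      # payments-api -> webfx -> logcore
```

The value of the nested form is visible in the output: the blocked library is not a direct dependency, so a flat package list would show it but not explain which first-party dependency needs to be upgraded or replaced to remove it.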
Supply chain security is a growing concern, and its absence is a significant risk to enterprises and governments, including in New Zealand.
So how vulnerable are we in New Zealand to this type of attack?
Andrew Martin, CEO of ControlPlane, recently presented to Cloud Native Auckland to show a range of sophisticated attacks on Kubernetes clusters. This highlighted an example of the vulnerabilities many NZ organisations face, and the ease with which such attacks can be mounted.
OSS Group and Aqua Security partnered in early 2022 to bring Cloud Native Security solutions to New Zealand enterprise and government customers. Aqua Security is a leading vendor of Cloud Native Application Protection Platforms (CNAPP), as recognised by Gartner.
Aqua Security launched the only commercially available platform to stop Software Supply Chain Attacks in late September 2022. The solution is fully integrated into Aqua’s end-to-end Cloud Native Security platform and can produce a Next-Generation SBOM.
In parallel, Aqua Security has integrated Supply Chain Security and SBOM generation into Trivy. Trivy is an open-source security and misconfiguration scanner that anyone can use free of charge.
OSS Group is Aqua Security’s TAP-qualified Professional Services Partner in New Zealand. If you are concerned about Supply Chain Security and how to generate an SBOM as part of your Cloud Native Security posture, contact us at OSS Group for assistance.