How to Prevent Supply Chain Attacks by Securing DevOps

In the wake of several highly publicized supply chain attacks, regulatory and media focus is shifting to address third-party software risk. The Department of Defense’s Cybersecurity Maturity Model Certification, established on January 31st, 2020, was the first attempt at creating a supply chain security compliance mandate. Only a few months later, threat actors infamously gained access to the build environment at SolarWinds and inserted a vulnerability directly into a security update that was then pushed to production. This combination of insider threat and supply chain attack ended up compromising the customers who installed the update, including US Federal agencies. In response to the growing threat of supply chain attacks, the Executive Order on Improving the Nation’s Cybersecurity established the Software Bill of Materials (SBOM) requirement. Whether for financial or political gain, threat actors are focusing on supply chain attacks. Software developers can prevent supply chain attacks by securing DevOps.

What Is a Supply Chain Attack?

In a supply chain attack, threat actors target a cybersecurity weakness at a third-party service provider, then use that vendor’s product to gain unauthorized access to the companies using the product or service.