Trust But Verify

It is time to start holding your software and hardware vendors accountable

• By Tom Pace
• Sep 12, 2024

Today’s world is built on software—whether it is third-party applications, open-source libraries, in-house developed tools, operating systems, containers or firmware. Organizations worldwide depend on these diverse software components to power their operations, connect with customers, and drive innovation. However, this reliance on software comes with hidden dangers: the blind trust placed in these software products. Many companies assume that the software they purchase, and use is secure and free from vulnerabilities, but recent high-profile software supply chain breaches have proven otherwise. The reality is that every piece of software, no matter how reputable the source, increases the organization’s attack surface and poses new risks.

This is where the principle of "trust but verify" becomes essential. Blind trust in software can lead to devastating consequences, ranging from data breaches to operational disruptions. Comprehensive visibility into all software components and dependencies is not just a precaution—it is a necessity. And it is high time that organizations start holding their software and hardware vendors accountable for the security of the products they deliver.

The Risks of Blind Trust in Software
Allan Friedman, widely recognized as the father of the SBOM (Software Bill of Materials), humorously compared an SBOM to the ingredient list on a package of food. He quipped, “Think of what’s in those non-biodegradable Twinkies. Did you know that a key ingredient is cow fat? That’s something people with sensitive diets should know, just like we should know what’s in our software.”

Taking this analogy a step further—would you eat food without transparency into the ingredients, without knowing the expiration date, without understanding the nutritional information, or without being aware of any recalls due to contamination? Of course not. Yet, when it comes to software, many organizations are content to consume these digital products without similar scrutiny. Why don’t we apply the same logic to our software and the vendors that produce it?

Software supply chain security is no longer a nice to have – it is one of the most foundational programs in cybersecurity we can untake. Failure to do so unnecessarily exposes companies to notable software supply chain attacks— like Codecov and Log4j:

Codecov. Attackers gained access to Codecov’s Bash Uploader script, modifying it to export sensitive information such as credentials and tokens from the users’ environments. This breach affected thousands of companies that relied on Codecov for code coverage analysis, exposing them to serious risks.

Log4j. We all know the story. The vulnerability discovered in Log4j, a widely used Java library, became one of the most significant security threats in recent memory. The flaw allowed attackers to execute arbitrary code on affected systems, putting countless organizations at risk. The widespread use of Log4j meant that even organizations with strong cybersecurity measures in place were vulnerable.

These examples highlight the critical need for transparency and accountability in the software supply chain. It’s not enough to trust that software is secure; organizations must verify the security of the software they use and hold vendors accountable for any vulnerabilities.

Why Now?
The urgency to implement software supply chain detection and response capabilities has never been greater.

The 2024 Verizon Data Breach Investigations Report (DBIR) revealed that breaches stemming from third-party software development organizations played a role in 15% of the more than 10,000 data breaches documented— that is 1,500 supply chain breaches in one year, a staggering 68% increase from the previous year.2 

Verizon’s report emphasized that organizations should “start looking at ways of making better choices” about which third-party software providers they work with, “so as to not reward the weakest links in the chain.”

Moreover, according to Capterra’s “2023 Software Supply Chain Survey,” 61% of companies were impacted by a software supply chain cyber-attack in the 12 months preceding the survey. This statistic alone should be a wake-up call for organizations to take immediate action.3

As these threats continue to grow in scope and frequency, the time to act is now. Organizations can no longer afford to operate on blind trust when it comes to software security. They must start holding themselves and their vendors accountable for the security of the software they are using.

Trust But Verify
Holding vendors accountable begins with a shift in mindset: from blind trust to trust but verify. Enterprises should take a proactive approach by directly analyzing the software they are using in their environments. Surprisingly, many organizations do not realize that this is even possible. However, with the right tools and processes in place, it can be done efficiently and effectively—often in a matter of minutes.

This is where “trust but verify” becomes crucial. Blind trust in software can lead to catastrophic consequences as we’ve seen, but with comprehensive visibility into all software components and dependencies, organizations can begin to safeguard against these risks. This level of visibility can be seamlessly integrated into everyday enterprise cybersecurity processes, ensuring that vulnerabilities are identified, prioritized appropriately, and mitigated before they can be exploited.

Implementing Software Verification
To address the challenges posed by software supply chain vulnerabilities, organizations must prioritize integrating software analysis into their cybersecurity processes and workflows. The findings from a recent NetRise research study underscore the critical importance of having a detailed understanding of all software components and risks. Here are some basic steps companies should consider:

Generate comprehensive SBOMs. Creating detailed Software Bills of Materials (SBOMs) is the foundation of effective supply chain security. SBOMs provide a clear inventory of all software components, including third-party libraries and dependencies. This inventory is essential for identifying and managing risks effectively. In a recent NetRise study, we generated detailed SBOMs for 100 tested networking equipment devices and found that each device contains 1,267 software components on average.

Implement automated software risk analysis. Using detailed software risk analysis methods, companies can uncover a complete risk picture of each software or firmware package, ensuring a thorough risk assessment. In the NetRise study, we found that the average network equipment device has 1,120 known vulnerabilities in its underlying software components. This risk state was over 200 times greater than what traditional network-based vulnerability scanning would lead one to believe.

Prioritize and compare software risks. Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as weaponization and network accessibility. This approach ensures that the most critical threats are identified. Using this prioritized list of critical threats, teams can compare and contrast the risk state of different considered software products. For example, in the NetRise study, we found that there are 20 weaponized vulnerabilities per networking device on average, and looking closer, there are only 7 weaponized vulnerabilities that are also network accessible.

Establish responsible vulnerability and risk disclosure. Once implemented into existing cybersecurity processes and workflows, companies should establish processes for the responsible disclosure of vulnerability and risk assessment information to their software vendors. This information should be considered confidential and not shared outside the organization. The focus is not to condemn software vendors but to improve the state of software for all parties involved.

By focusing on these steps, organizations can significantly enhance the cybersecurity of their software supply chain and improve the security posture of their enterprise.

Building Strong Vendor Relationships
Establishing accountability does not mean alienating your vendors. On the contrary, it can lead to stronger, more collaborative relationships. By collaborating closely with vendors to identify and mitigate vulnerabilities, organizations can foster trust and ensure that both parties are aligned in their commitment to cybersecurity. This collaboration can drive improvements in software quality and security, benefiting the entire ecosystem.

In today’s rapidly evolving cyber threat landscape, it’s no longer enough to trust that the software you purchase is secure. The risks are too great, and the consequences of a breach are too severe. By incorporating software analysis into cybersecurity processes and workflows, organizations can ensure that they are effectively managing risks in their software and hardware supply chains.

Comprehensive software visibility, automated risk analysis, and responsible risk disclosure are not just best practices—they are essential steps for any organization looking to protect their digital assets. It is time to move beyond trust alone. It’s time to verify. By adopting these practices, organizations can build a robust foundation for their cybersecurity efforts and safeguard their operations against the growing wave of software supply chain attacks.

Now is the time to act. Integrate software analysis into your cybersecurity process today and take control of your software supply chain security.

This article originally appeared in the September / October 2024 issue of Security Today.