In 2021, President Biden issued Executive Order 14028, requiring government contractors and suppliers to confirm that they follow critical security practices. Among other things, covered entities must provide a Software Bill of Materials (SBOM) detailing the supply chain relationships of the various components used in the software.
However, a new study by Lineaje found that just 16 percent of organizations have implemented SBOMs as part of their development process. Furthermore, just 20 percent were prepared to comply with the June 11, 2024, deadline for completing CISA’s Secure Software Development Attestation Form.
This is alarming considering the dramatic rise in software supply chain attacks. According to Statista, more than 2,700 organizations were affected by these attacks in 2023, a 58 percent increase over 2022. The rise in these attacks correlates to the growing use of open-source software components, many of which have inherent risks.
Organizations rely on open-source tools and third-party software for valid business reasons: It’s faster and cheaper than starting from scratch. However, this ecosystem masks a highly complex supply chain with obscure linkages. A third-party provider will likely have incorporated other open-source and third-party tools in its software. Those entities in turn have their own supply chains.
This complexity makes it incredibly difficult to identify vulnerabilities. Cybercriminals know this and strategically target weaknesses in the software supply chain, enabling them to successfully compromise organizations downstream.
The 3CX breach is a case in point. In March 2023, the VoIP provider suffered a breach affecting many of its 600,000 customers. According to cybersecurity firm Mandiant, the breach was caused by a separate successful attack on Trading Technologies, in which North Korea-backed hackers inserted a backdoor into one of the firm’s applications. A 3CX employee installed the application on their PC, giving the hackers access to the 3CX network. The hackers corrupted a 3CX application which then infected thousands of its customers.
Many organizations are consolidating their supply chains to reduce the operational overhead of managing large numbers of vendors and integrating multiple software suites. Supply chain consolidation also allows IT teams to focus their threat remediation efforts on fewer vendors. However, experts warn that consolidation only increases complexity and further obscures the risk.
AI-generated code creates an additional challenge. AI makes it easier for individual developers to generate code and post it in open-source repositories, increasing the risk of vulnerabilities. The open-source community has long suffered from a lack of oversight and accountability for security. AI increases the speed at which open-source threats emerge.
Organizations that use open-source software must take responsibility for testing all the code they use. Automation can reduce the overhead associated with this process somewhat, but organizations need to factor the cost of testing and auditing into the economics of open-source software.
EO 14028 is meant to address these threats within federal agencies, and to provide a framework for companies in every industry to increase software supply chain security. In September 2023, CISA published a roadmap describing how it will support the secure development and use of open-source software. Part of that effort is to harden the open-source ecosystem by improving visibility into software dependencies.
That’s the role of the SBOM, which shifts accountability for security weaknesses to software developers and vendors. SBOMs aim to improve security by providing greater transparency into software components. They will also make it easier for vendors to identify and track vulnerabilities and respond rapidly to attacks.
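To show how the visibility an SBOM provides turns into vulnerability tracking in practice, here is an added example (not code from the article or from any vendor it names). It assumes a CycloneDX-style JSON SBOM and matches each listed component against a small advisory list; both the SBOM and the advisories are constructed sample data with placeholder identifiers.

```python
import json

# Constructed CycloneDX-style SBOM (sample data, not from any real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log-utils", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-utils@2.14.1"},
    {"type": "library", "name": "http-client", "version": "4.5.13",
     "purl": "pkg:maven/org.example/http-client@4.5.13"},
    {"type": "library", "name": "yaml-parse", "version": "1.26",
     "purl": "pkg:maven/org.example/yaml-parse@1.26"}
  ]
}
"""

# Constructed advisories with placeholder ids: any installed version
# below "fixed" is treated as affected.
ADVISORIES = [
    {"id": "ADV-0001 (placeholder)", "name": "log-utils", "fixed": "2.15.0"},
    {"id": "ADV-0002 (placeholder)", "name": "yaml-parse", "fixed": "1.27"},
]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def load_components(sbom_text):
    """Return (name, version, purl) for every component declared in the SBOM."""
    bom = json.loads(sbom_text)
    return [(c["name"], c["version"], c.get("purl", "")) for c in bom.get("components", [])]

def find_affected(sbom_text, advisories):
    """Match SBOM components against advisories; return the affected ones with the fix version."""
    hits = []
    for name, version, purl in load_components(sbom_text):
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed"]):
                hits.append({"component": purl or name, "version": version,
                             "advisory": adv["id"], "fixed": adv["fixed"]})
    return hits

if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f'{hit["component"]} affected by {hit["advisory"]}; upgrade to {hit["fixed"]}')
```

Real deployments would pull advisories from a vulnerability database keyed on the package URL and handle non-numeric version schemes, but the matching step is the same.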
The lack of preparedness for compliance with EO 14028 points to the complexity of the software supply chain and the length of time it will take for SBOMs to be adopted on a wide scale. In the meantime, organizations should prepare for escalating supply chain attacks by implementing processes for testing and auditing all components.