New Podcast Explores Critical Issues in Software Supply Chain Security

This podcast from No Limit Secu, recorded at the Cybersecurity Summit in Monaco, delves into the challenges surrounding software supply chain security. Led by a team of cybersecurity experts, including Rony Karta, co-founder of Lupin, the episode explores the difficulties, risks, and solutions related to this increasingly critical topic. The discussion highlights an often underestimated problem: the vulnerability of third-party software components, whether open source or proprietary, and their potential impact on organizational security.

The software supply chain encompasses all elements that make up a software, from open-source dependencies to development tools and deployment pipelines. Unlike the physical supply chain, which deals with the logistics of hardware components, the software supply chain focuses on pre-built software blocks that developers integrate into their projects to save time. Today, most modern software relies on third-party libraries, often open source, hosted on platforms like GitHub, npm (for JavaScript), or PyPI (for Python). These dependencies, while convenient, introduce major risks: if one is compromised, it can spread a security flaw to millions of applications that use it. For example, a recent attack targeted an npm package maintainer, allowing attackers to take control of over 170 dependencies with billions of weekly installations. Fortunately, this attack was quickly detected, but it illustrates how easily a single weak link can jeopardize an entire ecosystem.

Attacks on the software supply chain are not limited to open-source components. They can also target development pipelines, such as GitHub Actions, or even physical infrastructures, as demonstrated by Operation Stuxnet, where the NSA compromised Siemens software via its hardware supply chain. Attackers often exploit authentication process vulnerabilities, such as phishing to steal a developer's credentials, or build tool vulnerabilities. A particularly elegant and formidable attack was on the XZ library, where a malicious developer introduced a backdoor into a critical dependency used by SSH. This attack, detected by chance due to abnormal latency, shows how discreet and patient attackers can be. Other examples include the attack on British Airways, where a compromised JavaScript library allowed the theft of payment information, or the attack on Bybit, a cryptocurrency platform, where $1.5 billion was stolen via a malicious dependency.

Why are these attacks so effective? First, because they exploit a blind spot in organizational security: most teams focus on protecting systems exposed to the Internet (such as web applications or servers) but neglect the risks associated with components ingested from the Internet. Second, the complexity of the software supply chain makes it difficult to detect vulnerabilities. For example, installing a library like React can result in the installation of over 1,300 indirect dependencies, each representing a potential attack vector. Finally, attackers often take advantage of developers' and security teams' lack of knowledge about best practices in dependency management. Open-source project maintainers, often volunteers, do not always have the resources to secure their components, and companies that use them do not systematically verify their integrity.

Facing these challenges, several solutions are emerging, but none are perfect. Standards like SLSA (Supply-chain Levels for Software Artifacts), promoted by the OpenSSF (Open Source Security Foundation), aim to improve the security of software components by defining compliance levels for sources, builds, and distributions. However, these standards are complex to implement and do not cover all risks, such as attacks targeting maintainers or pipelines. Another approach is to strengthen developer account authentication, for example, by enforcing two-factor authentication (2FA) on GitHub or npm. But even with these measures, an attacker who compromises a developer's workstation can bypass these protections. Vulnerability detection tools, such as those that analyze CVEs (Common Vulnerabilities and Exposures), are useful but insufficient, as they do not detect backdoors or deliberately introduced malicious modifications.

A promising approach is the adoption of an offensive cybersecurity strategy, as proposed by Rony Karta with his startup Lupin. Rather than relying solely on defensive solutions, which often generate too many false positives or false negatives, Lupin uses bug bounties as a research ground to identify new classes of vulnerabilities in the software supply chain. By automating these discoveries, the startup allows companies to actively test their resilience against these attacks and fix vulnerabilities before they are exploited. This proactive approach, combined with better dependency observability and increased accountability for software publishers (through regulations like the Cyber Resilience Act in Europe), could help reduce risks. However, until companies recognize the scale of the problem and allocate the necessary resources, attacks on the software supply chain will continue to grow.

In conclusion, the software supply chain is an expanding battlefield where attackers, whether opportunistic or state-sponsored, exploit often-neglected vulnerabilities. Recent examples show that even simple attacks can have devastating consequences, while sophisticated attacks, like the one on XZ, remain difficult to detect. To protect themselves, organizations must adopt a holistic approach, combining defensive measures (such as dependency analysis and artifact signing), offensive practices (such as red teaming and bug bounties), and better collaboration with the open-source community. Without this, the cost of software supply chain attacks, estimated at $46 billion in 2023 and projected to reach $81 billion by 2026, will continue to burden the global economy. This podcast offers a fascinating dive into a complex topic, reminding us that cybersecurity is an ecosystem where every link matters.