What are Software Supply Chain Attacks?

What are Software Supply Chain Attacks?
sabri headshot
Written by Sabrina Pagnotta
Senior Content Marketing Manager

Software supply chain attacks, or digital supply chain attacks, have become increasingly prevalent over the last couple of years. According to a study by KPMG, 73% of organizations have experienced at least one significant disruption from a third-party in the last three years.

What’s the best way to protect against potential software supply chain attacks? To get the answer, let’s define what those attacks are, how they happen, and how you can defend against them.

What is a software supply chain attack?

A software supply chain attack exploits vulnerabilities in your supply chain. Often these vulnerabilities are caused by software vendors with poor security postures. Because these vendors host or have access to sensitive systems and data, such as cloud providers, any breach of their digital infrastructure can have ripple effects across the supply chain.

Notable examples of software supply chain attacks include SolarWinds, Target, Home Depot, and NotPetya incidents.

How to prevent a software supply chain attack

Understanding your expanding attack surface and using tools and best practices to reduce exposure can reduce the risk of supply chain attacks.

Here are four ways to prevent and mitigate supply chain attacks.

1. Automate manual vendor assessment tasks

As you onboard more and more vendors, you’re probably finding that your vendor risk management (VRM) process is weighed down by manual, inefficient, and time-consuming processes. Automating your assessment process can alleviate the pressure.

Instead of wading through manual paper trails or relying on Outlook to remind you of critical deadlines or follow-up actions, automated VRM workflows take care of everything for you. For example, you can automate questionnaire distribution, trigger documentation requests based on vendor tiering, and get automatic reminders when it’s time to reassess a vendor.

You can also refer to a repository of previous assessments on common vendors that organizations share—think Google, AWS, Microsoft, even SolarWinds—so you’re not performing tedious reviews from scratch.

2. Validate responses with objective data and evidence of your vendors’ true security postures

Security questionnaires or assessments are important, but they only provide a point-in-time view of cyber risk.

As your vendors digitally transform, partner with new companies, and outsource functions, cyber risks are constantly emerging, requiring a more organic method of risk mitigation. Assessments are also subjective and create a bottleneck for security and risk assessment teams, potentially delaying the onboarding of business-critical vendors.

A better way to ensure third parties are within your risk tolerance is to validate their responses to security questionnaires using security ratings.
A security rating is a tool that lets you proactively assess and reduce risk across your external attack surface, including third parties. Using data scanning technology, ratings provide an outside-in view of your third parties’ digital ecosystems. Findings are presented in an easy-to-understand score, similar to a credit rating, with a scale from 250-900, with 250 being the lowest measure of security performance and 900 being the highest.

Using these findings, you may decide not to partner with a vendor with a low security rating, citing enhanced cyber risk. Or you may opt to work with a vendor with mid-level risk and consult with them on how to improve their security rating.

3. Continuously monitor software supply chain risks

VRM doesn’t end once your vendors are onboarded. As threats evolve, so do your vendors' risk profiles. Maintaining a pulse on these profiles throughout the life of the contract is essential.

Achieving that goal does not require frequent and time-consuming security audits. With advanced continuous monitoring technology, you can automatically track the cyber health of your software vendors (and their vendors). Near-real time alerts notify you the moment a vulnerability is discovered or a vendor’s security posture departs from pre-agreed parameters.

To ensure you can respond quickly and precisely to security incidents, look for a tool that provides daily updates and dashboard views and prioritizes risk according to several factors, such as vulnerability severity, which vendors are exposed, and details on specific exposure (such as evidence of a Common Vulnerability or Exposure—CVE—on their network).

The moment risk is discovered, share your findings with the impacted software vendor(s) and work collaboratively to mitigate the threat.

4. Keep executive leaders informed

Third-party risk is now a boardroom priority. As a security or risk management leader, it’s your responsibility to ensure that business leaders are kept in the loop about how well you are prepared to defend the organization from software supply chain attacks.

However, CISOs and CROs often use technical terms and metrics that board members may not understand. You need to present them with easy-to-digest data points that convey vendor risk as well as the steps you are taking to mitigate the risk.

To ensure effective communication between different levels of your organization, read our Practical Guide to Risk-Based Cybersecurity Reporting. You’ll learn:

  • The core elements of risk-based reporting
  • How to present metrics in context for maximum impact
  • Specific approaches for board members, executives, managers, and practitioners
  • Protecting your software supply chain from attack

The rise in third-party hacks shows how important it is to gain visibility into and mitigate risk across your supply chain. Automating risk assessment workflows and continuous monitoring is essential to effectively mitigating this risk—at scale.

Learn more about how Bitsight’s suite of integrated software supply chain risk management solutions can help you fortify your organization and protect the software supply chain as a whole.