In July 2020 the Atlantic Council, a highly-respected international affairs leadership institute based in Washington, DC, published a wide-ranging, evidence-based report titled “Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain” from its Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative. The report provides vital information on threats and priority focus areas for cyber security investments for both governments and business. This blog post series takes a detailed look at several specific implications of the report’s data and analysis.
Blog Post 3: Near-term and Long-term Options
While the report supports several broad-scale governmental and industry-wide changes to improve supply chain security systemically, it also suggests several practical steps that can be implemented immediately for the defenders’ advantage.
“Popular methods of attack include taking advantage of automated updates, compromising software development applications, and sneaking into mobile app stores. …In this interconnected software environment, successful attacks migrate away from the final targets that harden their own vulnerabilities and toward the weakest links in those chains. The soft spots that software supply chain attacks target remains minimally protected because of the technical challenges of recognizing the full scope of a product’s code dependencies and the policy challenges of coordinating disclosure and patching. …They are a manifestation of opportunity as much as intent, attacking secure targets by compromising weaknesses in connected neighbors and vendors. Existing gaps in best practices, and poor adoption of these best practices, have granted these software supply chain attacks unnerving sustainability. …The problem is generally…developers failing to rigorously implement basic protections for their networks, systems, and build servers.”
The report makes three clusters of recommendations to address the state of supply chain insecurity today:
1. Improve the Baseline: “…the lynchpin of any effort to improve the security of software supply chains broadly will be what impacts the largest number of codebases…”
Recommendations in this cluster include:
- Implement the US Department of Commerce’s Software Bill of Materials initiative. It will take a significant effort and retooling to even be able to know consistently what software is in the 3rd-party and open-source components an organization deploys. Since much modern code relies on updates in code and libraries sourced externally, this requires new dynamic, real-time solutions.
- Review and revise existing standards, controls, and security tools, many of which now just “check-once-at-one-point-in-time.”
- Make trust audits of sourcing channels, integrity verification of new code, and risk assessment all ongoing – replace the many policies and practices that currently are not/cannot be automated.
- Open source more proprietary government-produced tools like the recently-released Ghidra from NSA.
- DHS CISA should coordinate with NSA Cyber Directorate on this initiative around the central pillar of the new NIST SP 800-53 rev5 Life Cycle Security Overlay.
A summary point from this section states, “Raising the cost of software supply chain attacks should center on providing the whole of industry, from SAP and Microsoft down to a three-person LiDAR startup, easy-to-use tools and well-defined reference implementations for major cloud and IT vendors that make rigorous security as low-effort and cheap as possible.”
2. Better Protect Open Source: “Open-source code forms the basis of most enterprise systems and networks. …The security of open-source projects, and the apparent ease with which attackers can introduce insecure code, is a continuing concern.”
- Build in tools to hubs and repositories.
- Also help account for the rapidly-growing use of containers in cloud service deployments, including registries and hubs for container and other cloud images.
- Impose Final Goods Assembler liability on, at minimum, GitHub, Bitbucket, GitLab, and SourceForge, as well as those organizations legally responsible for maintaining container registries and associated hubs, including Docker, OpenShift, Rancher, and Kubernetes.
3. Counter Systemic Threats: “Trust is the critical coin of the realm. … deliberate efforts to undermine software supply chains … undermines (sic) defenders’ ability to patch flaws in code and improve the security of software through the entirety of its lifecycle.” This recommendation group focuses on state-level diplomatic and mitigation actions.
Software Supply Chain Attack Surface
- 32 Supply Chain Vulnerabilities—firmware editing
- 6 Compromised SDKs—malware inserted
- 18 Open Source Repositories—dependencies; malware embedded
- 31 Hijacked Updates—malware inserted.
87 of the 115 data points—all of which involved compromised software or introduced malware, and none of which were benign—fell into these four attack/vulnerability classes.
RunSafe Value Proposition
RunSafe technology can reduce the software supply chain attack surface immediately, regardless of the type of codebase, for both source and binary code. MITRE named memory vulnerabilities by far the most dangerous vulnerability class in late 2019, used in up to 70% of documented exploits over the last 5 years. RunSafe’s Alkemist software renders memory-based vulnerabilities benign in compiled code, including containerized and web services deployments. Implementing Alkemist properly eliminates one of the major hacker strategies used in the four vulnerability/attack types noted in the previous paragraph that make up 75%+ of the report’s sample set.
Alkemist plugs into existing CI/CD toolchains seamlessly using simple scripts and REST APIs. RunSafe provides reference implementations and scripts at www.alkemist.runsafesecurity.com.
Alkemist functionality is available today that specifically addresses the following issues called out in the report:
| Problem/Recommendation | RunSafe Solution |
| Successful attacks migrate away from the final targets that harden their own vulnerabilities and toward the weakest links in those chains | Harden every component of compiled code at the binary level to eliminate all memory-based vulnerabilities |
| Technical challenges of recognizing the full scope of a product’s code dependencies | Reduce the criticality of knowing code provenance by immunizing everything |
| Policy challenges of coordinating disclosure and patching | Automatically eliminate up to 70% of vulnerabilities, disclosed or not, thereby reducing urgency and emergencies around patching |
| Developers failing to rigorously implement basic protections for their networks, systems, and build servers | Once deployed, one simple toolset automatically increases code security throughout the stack and assures control of memory vulnerabilities across the organization |
| Impact the largest number of codebases | Language-agnostic solution works in virtually any compiled-code scenario |
| Raising the cost of software supply chain attacks | Alkemist dramatically raises the cost of all memory-based attacks, effectively making them impossible |
| Easy-to-use tools and well-defined reference implementations for major cloud and IT vendors | Simple scripts and REST APIs for all major enterprise and real-time environments |
| Build in tools to hubs and repositories | RunSafe is working with the major hubs and repositories to create this capability. In the meantime, organizations can implement Alkemist in their build and pre-deployment pipelines to achieve the same benefit. |
| Containers in cloud service deployments, including registries and hubs for container and other cloud images | Alkemist provides intrinsic self-protection for container and web service workloads without requiring agents or sidecars |
| Undermines defenders’ ability to patch | Alkemist-protected software is immunized from memory-based vulnerabilities, known and unknown, reducing the risk from patching delays |
While RunSafe’s Alkemist is not a silver bullet to solve all the issues of supply chain insecurity, it is a simple, practical, low-friction solution that can provide near-term results in one critical area across a very wide range of codebases and deployment technologies.