Common Failures in Securing Software Supply Chains
Introduction
Software supply chains are complex, interconnected ecosystems that depend on the integrity of numerous third-party components. Unfortunately, this complexity makes them vulnerable to various forms of cyberattacks. The primary reason these attacks succeed is not just the technical sophistication of the attackers, but also the lapses and oversights that organizations make in securing their software development lifecycles (SDLC).
In this article, we’ll explore how these vulnerabilities come about and examine the most common mistakes companies make that open the door to devastating supply chain attacks.
1. Misconfigured or Unsecured Infrastructure
One of the most significant contributing factors to supply chain attacks is the failure to secure critical infrastructure—especially upstream servers and repositories. Attackers often exploit misconfigured or unpatched servers, as was the case in the Codecov incident.
Codecov attackers managed to gain access to the company’s upstream server due to a flawed Docker image creation process. This allowed them to modify the Bash Uploader script without directly injecting malware into downstream updates. The oversight here was a failure to ensure robust security controls around the server and code hosting environment. Had Codecov implemented stronger validation checks or better container security, the breach might have been prevented.
Key Lapse:
- Insufficient security on upstream servers and repositories.
- Lack of continuous security monitoring of infrastructure.
2. Insecure Software Development Pipelines
The software development lifecycle, particularly CI/CD pipelines, is another area prone to attacks. CI/CD systems are designed for efficiency and automation, but their very nature makes them attractive targets when security isn’t integrated into every step of the process.
In the case of Click Studios, the company’s CI/CD system was compromised, allowing attackers to distribute a malicious DLL through their "In-Place Upgrade" feature. The vulnerability here wasn’t just technical—it was an operational oversight. Click Studios failed to properly secure its update process, allowing malicious updates to slip through. Additionally, the company did not adequately separate manual and automatic upgrade systems, leading to widespread distribution of the compromised file.
Key Lapse:
- Failure to secure CI/CD infrastructure from tampering.
- Lack of proper separation between manual and automated processes.
3. Neglecting Namespace Ownership
One of the most avoidable forms of supply chain attacks is dependency confusion, which happens when an attacker registers a malicious package under the same name as a private dependency on a public repository. In 2021, this tactic exposed vulnerabilities in companies like Microsoft, Apple, and Tesla, showing how widespread the issue was.
The root cause of dependency confusion is a failure to properly secure the software ecosystem, particularly by ensuring that private packages aren’t overshadowed by public versions. In most cases, companies don’t reserve the names of their internal dependencies in public repositories. This oversight can lead to build systems pulling in malicious, public versions of those dependencies by mistake.
Key Lapse:
- Neglecting to reserve internal package names in public repositories.
- Lack of automated checks to prevent conflicting dependencies from being used in software builds.
4. Certificate Management Failures
Another common source of supply chain vulnerabilities stems from poor management of SSL certificates and code-signing certificates. These certificates play a critical role in verifying the authenticity and security of software and communication.
A striking example comes from Mimecast, which, in January 2021, revealed that attackers had stolen one of its certificates, which had been used to establish connections with Microsoft 365 services. This exposed the communications of about 10% of Mimecast’s customers. While the certificate theft itself was serious, the broader issue lay in how companies manage and secure these critical digital assets. Many organizations do not have proper certificate revocation policies, which allows attackers to abuse compromised certificates for extended periods.
Key Lapse:
- Failure to secure code-signing certificates and SSL/TLS keys.
- Inadequate certificate revocation and monitoring systems.
5. Blind Trust in External Code
Another significant vulnerability arises from the over-reliance on third-party libraries and open-source components. While open-source software is widely used for its cost-effectiveness and innovation, companies often fail to properly vet the code they’re integrating into their systems. This is particularly problematic when third-party components are automatically updated without validation.
A perfect example of this vulnerability is dependency confusion, where public repositories house malicious versions of commonly used dependencies. Despite the inherent risk, many companies allow automatic integration of third-party components without verifying their integrity. Developers download billions of open-source packages each week, often without checking for tampered or malicious code.
Key Lapse:
- Blind trust in open-source and third-party libraries.
- Lack of verification mechanisms for third-party code integrity.
6. Weak Points in Developer Environments
Development environments themselves can also be compromised, exposing companies to supply chain attacks. For instance, GitHub Actions, a popular CI/CD automation tool, was exploited in a supply chain attack that took advantage of its automation features to mine cryptocurrency.
In this case, attackers cloned legitimate repositories, altered GitHub Action scripts, and submitted pull requests that automatically triggered malicious processes. The lapse here was a failure to secure developer tools and automation pipelines. Developers often assume that these tools are secure by default, but without strict access controls and audit mechanisms, even seemingly innocuous tools can become vehicles for large-scale attacks.
Key Lapse:
- Lack of security controls on CI/CD tools and developer environments.
- Inadequate vetting of pull requests and automation scripts.
7. The Human Error
Even with the best technical defenses in place, humans remain the weakest link in cybersecurity. Social engineering attacks exploit this weakness by targeting unsuspecting developers, administrators, or even researchers. A notorious example involved University of Minnesota researchers who intentionally submitted vulnerable code patches to the Linux kernel, causing a major incident.
The lapse here lies in over-reliance on trust within open-source and collaborative environments. Developers are often spread too thin to thoroughly review every patch, pull request, or code contribution, leaving the door open for bad actors to exploit the system.
Key Lapse:
- Over-reliance on human trust within collaborative environments.
- Inadequate review processes for code contributions.
Conclusion
Software supply chain vulnerabilities stem largely from organizational lapses rather than purely technical failings. Companies that neglect to secure their CI/CD infrastructure, fail to manage third-party components properly, or overlook the importance of certificate management are leaving the door wide open to attackers.
Codenotary provides comprehensive solutions to address critical gaps in software supply chain security. By offering tools for vulnerability analysis, SBOM management, and real-time risk tracking, it helps companies identify and mitigate risks across both 1st and 3rd party applications. Trustcenter’s features, such as provenance tracking, artifact signing, and ML-based vulnerability analysis (VEX), ensure that organizations can detect and resolve issues before they escalate. Moreover, its seamless integration with developer workflows allows teams to maintain security without hindering productivity, fostering compliance with standards like NIST SSDF, FedRAMP, and PCI-DSS.
With its focus on real-time monitoring, compliance with global security standards, and seamless integration into developer workflows, Codenotary empowers businesses to secure their applications, protect against evolving threats, and maintain the integrity of their software supply chain.