It’s time to rethink how to patch software supply chain vulnerabilities

As 2021 drew to a close, many IT teams had a nasty surprise just before heading into their year-end vacation.

The Log4Shell vulnerability that has affected countless servers around the world would need an urgent patch, so the experts froze their leave and came back to figure out where to put the band-aid.

A year later, many are still trying to make sure the vulnerability, which affects enterprise Java applications used across much of today’s IT infrastructure, isn’t lurking somewhere in their systems, ready to create another surprise this holiday season.

The problem is finding the right place to patch or fix the flaw. According to some calculations, more than 35,000 Java packages, or 8% in the Maven Central repository, were impacted by the Log4Shell issue.

Look beyond Java at the many pieces of third-party code that modern IT systems depend on, and it’s easy to see what kind of headaches IT teams face. There is simply too much to sift through to find every affected component, and you can’t fix what you can’t see.

Today, an estimated 40% to 80% of software lines of code come from third parties such as libraries, components, and software development kits (SDKs). So, unsurprisingly, by 2025, 45% of organizations worldwide will have experienced attacks in their software supply chains, a threefold increase from 2021, according to research firm Gartner.

More automation, visibility needed

Today, there is an industry built for cyberattacks, with dark web specialists ready to take on specific roles in a ransomware attack, from crafting the phishing message to collecting the ransom. If bad guys have already developed such an elaborate supply chain and turned malware into tools for crime, surely companies must up their game for their own software supply chain.

What they need are tools that increase automation and give them visibility into their IT systems that they didn’t have before. This means being able to find vulnerabilities in their software supply chain more easily, instead of searching for them manually.

What should a vulnerability detection tool help to do? There are so many components in a software supply chain, so let’s narrow it down to Java software specifically and list the features to look for:

  • Continuous detection: Continuously assess application-level exposure to vulnerabilities in production without needing the source code, comparing the code actually executed with a Java-specific CVE database.
  • Eliminate false positives: Monitor the code executed by the Java Virtual Machine (JVM) and produce accurate results that traditional tools fail to deliver.
  • Transparent performance: Avoid the performance hit of additional agents that add overhead to the production system; prefer a solution that runs without an agent.
  • Thorough checks: Make sure the tool works on all versions of Java software found on your systems, to avoid missing any vulnerabilities.
  • Historical traceability: Have a history of the components and code used so that forensic efforts can be more focused on verifying if the vulnerable code led to an exploit.
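An added example, not code from the article or from any tool it alludes to: a small Python inventory check that opens application JARs, including the library JARs nested inside fat JARs, reads the Maven pom.properties that identifies a bundled log4j-core and its version, and compares each copy against a Log4Shell advisory rule. It is an on-disk complement to the runtime JVM monitoring described above; the sample archive and the advisory rule are constructed for the example.

```python
import io
import zipfile

# Maven-built JARs record artifact coordinates here; fat JARs nest library JARs.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Constructed Log4Shell rule: log4j-core 2.x before 2.15.0 is affected, except the
# backported fixes 2.12.2 and 2.3.1 (2.0 betas before beta9 treated as affected).
BACKPORT_FIXES = {(2, 12, 2), (2, 3, 1)}

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0): stop at the first non-numeric part."""
    parts = []
    for piece in text.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_log4shell_affected(version):
    v = parse_version(version)
    if len(v) < 2 or v[0] != 2 or v[1] >= 15:
        return False
    return v[:3] not in BACKPORT_FIXES

def scan_jar_bytes(data, path):
    """Yield (location, version) for each log4j-core pom.properties, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # an entry named like an archive that is not one
    with zf:
        for name in zf.namelist():
            if name == LOG4J_CORE_POM:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        yield path, line.split("=", 1)[1].strip()
            elif name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                yield from scan_jar_bytes(zf.read(name), f"{path}!/{name}")

def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_fat_jar():  # constructed sample, not a real artifact
    affected = _jar({LOG4J_CORE_POM: "groupId=org.apache.logging.log4j\nversion=2.14.1\n"})
    fixed = _jar({LOG4J_CORE_POM: "version=2.12.2\n"})
    return _jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": affected, "BOOT-INF/lib/log4j-core-2.12.2.jar": fixed})
```

Running `scan_jar_bytes(build_sample_fat_jar(), "app.jar")` reports both nested copies with their versions; only the 2.14.1 copy is flagged by `is_log4shell_affected`, which is the "where to put the band-aid" answer for that archive.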

Facing a complex environment

Ultimately, businesses need better observability and increased automation in an increasingly complex IT environment. Doing things manually is no longer possible. Software running daily in production needs to be closely monitored and observed in a very granular way, as malicious actors increasingly seek to penetrate deeper into the software supply chain to gain access to victim systems.

In addition to the Log4Shell issue, which has been described by the United States Department of Homeland Security as one of the most severe software vulnerabilities in history, cyber attackers have found new ways to penetrate software supply chains. They are also much more brazen in the way they stage attacks.

Earlier this year, users of a Chinese messaging app, MiMi, received a bogus version enriched with malicious code that could allow an attacker to take control of the software remotely. This meant they could spy on what users were discussing.

What made this remarkable was that the attackers were able to take control of the servers that were delivering the app to users. They added code to the app, removed the real version, and tricked victims into downloading and installing the app unknowingly.

Although not a Java-based issue, it showed how serious software supply chain vulnerabilities have become in recent years and how difficult it is to stem the tide of such attacks.

There is also the issue of trust. Much of today’s digital services depend on a host of third-party software vendors, from open-source repositories (where attackers can also plant malicious code) to packaged apps installed on a company’s devices.

Against this backdrop, businesses need to adopt a smarter way to ensure their digital efforts don’t get derailed. It’s also important that they don’t get bogged down in security measures that are too cumbersome and detrimental to the customer experience.

They need to look for streamlined solutions that can automatically detect threats without slowing down performance, building the agility needed in a competitive market.