Software under attack
The recent XZ compromise has brought into focus the risk of software supply chain threats in cybersecurity: these are material for almost every organisation, yet are still not fully on the radar of most, as our technical due diligence uncovers. Kitson Kelly unpacks the topic
At CTO Labs we see investors prioritising cybersecurity throughout the M&A cycle from acquisition to divestment. With many high profile data breaches in the news causing severe reputational harm and government sanctions, there is fairly widespread acceptance amongst investors of the need to understand the cybersecurity posture of their targets. This is often focused on the risk of cyber intrusion. We are seeing the rise of another significant type of cybersecurity threat: software supply chain threats.
The prevailing focus of cybersecurity has been on external intrusion threats, and on internal threats arising from bad actors inside the organisation or compromised security credentials. Build a big fortress, educate people, and implement the ability to detect bad actors that have breached your digital fortress.
But the rise of software supply chain threats is material for almost every organisation these days. ENISA (The European Union Agency for Cybersecurity) sees software supply chain threats as the top cybersecurity risk for the next five years. [1]
Just like traditional manufacturing, software development leverages supply chains to build more and more complex and useful solutions. There is hardly any software we use today that does not have a complex, and potentially not well managed, supply chain of building blocks. Bad actors have realised that attacking global software supply chains can have such a high upside that it is often worth months' or years' worth of work and lying in wait.
While details of the recent XZ compromise [2] are still being analysed, it is a perfect example of the threats faced. It appears a state sponsored actor worked for two years to build up enough trust to put a backdoor into the most widely used server operating system. If it had been left undetected for long enough, state sponsored bad actors would have had the ability to secretly log into most servers in the world and carry out further compromise from there. But this one threat was detected early enough to limit the potential damage.
The XZ incident is just the tip of the iceberg. Socket, a leading open source security solutions firm, detected 1,765 supply chain threats in March 2024, an increase of 56% over the previous month [3]. The area is evolving so quickly that traditional solutions for understanding and categorising the threats are breaking down [4], just when organisations are attempting to identify and understand these types of threat.
The outcomes the attackers are looking for are varied. They range from basic “malware” that tries to steal computing power for free, to ransomware attempting to cripple business operations and hold them to ransom, to data exfiltration and attempts to harvest customer information for nefarious purposes, to patient state sponsored cyber threats trying to gain back doors to support long term cyber warfare objectives.
While this threat is material, when performing technical and cybersecurity due diligence on organisations we have typically found that many of them don’t have the basics in place to ensure that their open source software supply chain is secure, or sufficient controls in place to be able to detect exploitation of compromised software. Many organisations have low awareness of this rapidly evolving threat space and of how best to mitigate and manage these risks. Because of the significant risk in the context of M&A, we often work with our clients and targets to recommend uplift in this area in order to mitigate risks.
As a part of our cybersecurity due diligence, we examine the organisation's overall cybersecurity posture as well as deep dive into the security of the software development process, gauging the organisation's capability to detect software supply chain threats and other areas of cybersecurity risk. We make recommendations around capability uplift in order to identify, respond to and recover from cybersecurity threats.
Reach out to us at CTO Labs and we can discuss how we can help you identify these risks and other technology risks that can pose a material risk or constrain the growth of your investments.
Book a time now using the button below - or contact us by phone / email using the details given.