Programming code on screen showing web supply chain attacks

Stopping the Spread of Poison – Web Supply Chain Attacks

Cybercrime never sits still.

The criminals who orchestrate such attacks are always looking for weak spots, low-hanging fruit, and the chance to make a quick buck. So, imagine the scenario if criminals had an easily scalable, industry-agnostic method of attack that could reap maximum rewards with a minimum of effort. Welcome to the world of web supply chain attacks.

Arguably the most infamous, and widely reported example of a web supply chain attack, occurred back in early 2020 – the SolarWinds attack. The attack involved hackers compromising the infrastructure of SolarWinds (a company that produces a network and applications monitoring platform) and then using that access to produce and distribute malware to the users. In this case, users included major US government departments and companies. The fallout from this attack proved to be extensive. There were US security concerns that Russia masterminded a state-sponsored attack on the US which led to President Biden issuing an Executive Order on bolstering the nation’s cybersecurity – followed closely by a similar stance by the UK government.

Over two years have passed since the SolarWinds attack, but it continues to send ripples across the world of cybersecurity. Whilst it increasingly looks like it was indeed a nation state attack, this attack proved to be a huge wake-up call in the US and beyond, and certainly brought software supply chain attacks into public awareness – cyber criminals have quickly learned to adapt this approach to attack other supply chains. By targeting companies with a strong web presence, the so-called ‘web supply chain attack’ has emerged as a key growing attack vector in living times.

The JavaScript journey

Over 95% of the world’s websites use JavaScript which includes the websites of all Fortune 500 companies. With the advent of a JavaScript open-source community (nearly fifteen years ago), there was a proliferation of open-source projects. This saw the birth of ‘code sharing’ with millions of reusable code pieces helping to fuel a dramatic growth in web, mobile, and desktop apps – the use of third-party code became standard in web development.

And the web was transforming, with relatively simple static websites turning into the dynamic pages we see today – across services such as online banking, e-commerce, and even streaming. Rather than implement their own chatbot or analytics tools, companies purchased such services from third parties and integrated them directly into their websites – approximately 70% of all the code running on the average website today comes from third parties. This is a red light for security. Within a website, all third-party code has precisely the same permissions as any code developed internally. If a chatbot tool starts capturing and leaking credit card information, nothing can derail it. This is a web supply chain attack – breaching a third-party service provider, injecting malicious code, and spreading the ‘poison’ to every website that uses it.

What can be done?

Dealing with web supply chain attacks requires an in-depth look at third-party code usage. Third-party code is embedded in the core fabric of web development and is still one of the most valuable assets for competitive product development. It is possible to mitigate the risks associated with externally sourced code once companies learn how to safely integrate it. Security and development teams need to reduce code dependencies wherever possible, using technology to provide visibility and control over the behaviour of all code running on the client-side of their websites – the browser or end-user device. To maximise security levels, businesses should do this continuously at runtime, constantly monitoring user sessions for examples of malicious behaviour.

Welcome to the world of DevSecOps, an approach that seeks to resolutely integrate security into modern app development and deployment. DevSecOps sets out to instill security controls throughout the entire software development lifecycle which can help businesses to regain visibility and control over their website supply chains – critical if web supply chain attacks are to be thwarted.

Whilst the SolarWinds supply chain attack hit at the heart of a nation’s government (and associated infrastructure) it also served to raise awareness of what is fast becoming the cyber scourge of modern times. With more and more organisations suffering from cyber-attacks via their supply chains, a robust defence needs to be deployed. The means to do so are available today thanks to DevSecOps.

Failure to act is not an option – the price to be paid is too great.