We believe that software supply chain security is one of the most critical national security risks facing governments worldwide, and there is an urgent need to come together as an industry to address it. That’s why today we’re launching a new research report on software supply chain security, which explores events like SolarWinds and Log4j and shares actionable insights and other findings for organizations.
The report comes near the two year anniversary of the cyber attack on SolarWinds, which disrupted critical networks, actively exploiting nine federal agencies and about 100 private sector companies. The sophistication and scale of the attack were unprecedented and reportedly cost businesses and government agencies almost $100 billion.
Since the SolarWinds incident, governments and industry have made important strides in raising awareness and addressing software supply chain issues; however, we continue to see a sharp increase in software supply chain attacks across almost every sector. In fact, Mandiant research shows the software supply chain is now the second most prevalent initial infection vector into victim systems. Given this increase, critical infrastructure owners and operators should take measures to address the related risks.
To help these groups along this journey, we’re sharing key findings from today’s report.
1. Take on additional open source security responsibilities
Over the course of the next several years, the frequency and severity of cyber attacks will likely continue to grow and increasingly focus on open source software, which means entities that benefit from the use of open source hold a greater responsibility in securing the supply chain.
Open source software is not uniquely risky: all software requires lifecycle management to remain secure. Managing open source software does pose unique challenges, though, since most of its upkeep is done by volunteers. This leaves organizations to take on a host of security responsibilities, including assessing the quality of the dependencies they consume and ensuring they have the right mechanisms to receive and ingest new information on vulnerabilities discovered in the open source software they use. Log4j brought these challenges into focus: the community struggled to respond to the event, and many organizations didn’t have the basic tools they needed to mitigate, or in many cases even assess, the problem.
We’re working to help address this in three ways — first, we published a step-by-step process to help practitioners address open source vulnerabilities and we continue to build and launch new tools to support this work. Second, we built new capabilities for cloud customers to help them manage open source risks. Third, we continue to invest in community efforts to improve open source security for the benefit of everyone.
Industry and governments have complementary roles to play in this space. Given the wide use of open source software across systems and sectors, we urge governments to consider additional investment in initiatives to improve the security of the ecosystem as a whole.
2. Supply-Chain Levels for Software Artifacts (SLSA)
Attacks such as SolarWinds and Codecov are fundamentally different in nature from traditional software attacks that rely on either code vulnerabilities or privilege escalation. That’s why typical security testing techniques such as fuzzing and static code analysis, and mitigation techniques like Zero Trust, don’t work against them. In response to these attacks, we’ve seen a heavy policy focus on generating Software Bills of Materials (SBOMs). An SBOM provides a point-in-time view of software composition, which is useful for remediating vulnerable dependencies, but it provides no provenance information with which to detect build tampering, which was the root cause behind these attacks.
We’ve been working with others in the community to address these risks with industry’s Supply-chain Levels for Software Artifacts (SLSA) framework. SLSA is an open source framework for software supply chain security that includes a standardized vocabulary and a checklist of controls and practices to prevent tampering, improve integrity, and secure packages and infrastructure. It’s been a requirement for Google’s production environment for almost a decade, and organizations like VMware, Red Hat and SUSE have also implemented it — while an increasing number of organizations are adopting at least some of these emerging security practices.
We believe the SLSA framework, if implemented properly, would substantially reduce every organization’s attack surface and strongly encourage all governments to incentivize its adoption. To help organizations better protect themselves, we’ve launched Software Delivery Shield, a new capability in Cloud that provides full end-to-end supply chain security.
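The two findings above describe complementary checks: ingesting vulnerability information and matching it against what an organization actually ships (finding 1), and checking build provenance so that tampering an SBOM cannot reveal is caught (finding 2). The following added example, which is not code from the report, from Google or from the SLSA project, shows both side by side in Python. Every value in it is constructed: the SBOM, the advisories (in an OSV-like introduced/fixed range shape), the artifact bytes, the builder identifier and the repository URL. The provenance statement follows the in-toto Statement / SLSA v0.2 field layout, and the example assumes that signature verification of the attestation envelope has already been done by the time this policy check runs.

```python
"""Added example (not the report's or SLSA's own code): SBOM-driven
vulnerability matching next to a SLSA-style provenance policy check.
All data below is constructed for illustration."""
import hashlib

# --- Finding 1: ingest advisories and match them against an SBOM ----------

# Constructed SBOM: point-in-time composition of a shipped artifact.
SBOM = [
    {"name": "liba", "version": "1.2.3"},
    {"name": "libb", "version": "0.9.0"},
    {"name": "libc-utils", "version": "3.1.0"},
]

# Constructed advisories. As in OSV ranges, the vulnerable range is
# [introduced, fixed). These are not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "liba", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "EXAMPLE-ADV-0002", "package": "libb", "introduced": "1.0.0", "fixed": "1.0.2"},
]


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version such as '1.2.3' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def affected_components(sbom: list, advisories: list) -> list:
    """Return (advisory id, component, version) for every SBOM entry whose
    version falls inside an advisory's vulnerable range."""
    hits = []
    for comp in sbom:
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.append((adv["id"], comp["name"], comp["version"]))
    return hits


# --- Finding 2: provenance catches what an SBOM cannot ---------------------

# Constructed artifact bytes, and the same artifact with content injected at
# build time. Both have the identical SBOM above: composition did not change.
ARTIFACT = b"release-1.0 contents built from the audited source"
TAMPERED = ARTIFACT + b"\n# injected during the build"

# Hypothetical builder id and source repository; not real services.
TRUSTED_BUILDERS = {"https://ci.example.invalid/builder/v1"}
EXPECTED_SOURCE = "git+https://git.example.invalid/org/example"

# Constructed in-toto Statement with a SLSA v0.2 provenance predicate.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "example-1.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://ci.example.invalid/builder/v1"},
        "invocation": {"configSource": {"uri": EXPECTED_SOURCE,
                                        "digest": {"sha1": "0" * 40}}},
    },
}


def verify_provenance(artifact: bytes, statement: dict,
                      trusted_builders: set, expected_source: str) -> list:
    """Return the list of policy violations; an empty list means the artifact
    passes. Assumes the statement's signature was verified beforehand."""
    problems = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("artifact digest not among provenance subjects")
    pred = statement.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder!r}")
    source = pred.get("invocation", {}).get("configSource", {}).get("uri")
    if source != expected_source:
        problems.append(f"unexpected source: {source!r}")
    return problems


if __name__ == "__main__":
    print("vulnerable components:", affected_components(SBOM, ADVISORIES))
    print("clean build:", verify_provenance(ARTIFACT, PROVENANCE, TRUSTED_BUILDERS, EXPECTED_SOURCE))
    print("tampered build:", verify_provenance(TAMPERED, PROVENANCE, TRUSTED_BUILDERS, EXPECTED_SOURCE))
```

Run stand-alone, the SBOM check flags `liba` against the first constructed advisory, while the provenance check passes for the clean build and reports a subject digest mismatch for the tampered one even though both builds would carry the same SBOM. That is the gap the text describes: composition data answers "what is in this artifact", provenance answers "was this artifact produced by the expected builder from the expected source".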
3. A holistic approach across the ecosystem
One of the common themes across SolarWinds, Log4j, and other incidents is that individuals and organizations flagged the discovery to the broader community to act on, and the community rallied to respond. However, this ad hoc system isn’t sustainable in the long term; we need a common strategy across government, industry, academia, and the open source community to better equip all stakeholders with the tools they need to immediately and effectively address software supply chain risk.
Consistent with recommendations we supported with the Cyber Safety Review Board (CSRB), and made in other government and industry forums, the strategy should center on three core pillars: 1) adopting best practices and standards for cyber hygiene; 2) building a more resilient software ecosystem; and, 3) making investments in the future. Working across all three pillars, we can both prepare for — and respond to — future attacks.
Our approach to supply chain security is rooted in a basic principle: we defend better together. We hope this report serves as a call to action for everyone to do more to learn from, and prevent, these attacks. Google is committed to continuing to do its part to support these efforts, and we look forward to partnering with others to drive more progress and help organizations, businesses, governments, and users stay safe online.