A supply chain is a network of companies and suppliers that manufacture and distribute a product to an end buyer. A car manufacturer's supply chain includes parts manufacturers, raw-material suppliers, shippers, distributors and dealerships, all working together to deliver new cars to consumers. Similarly, large retailers have networks of manufacturers, warehouses, distributors, and physical stores through which they deliver goods to buyers.
“Supply chain” is a bit of a misnomer. Instead of being linked, like a chain, the supply chain as we know it is more of a network—a collection of disparate services that work together to achieve an end goal. Small anomalies in that network can cause unexpected ripples through the connected dependencies, creating delays and confusion. This is why modern companies have entire departments that focus on nothing but optimizing and managing their complex global supply chains. Even so, the pandemic has exposed the brittleness of these networks that have largely been optimized for low cost rather than resiliency.
Supply Chain Disruptions
Supply chain disruptions happen when events impact the production or distribution of goods and services within a supply chain. Typical disruptions include forecasting and inventory errors, unforeseen surges in consumer demand, customs delays, political events, and major weather events that interrupt the flow of goods. Such occurrences happen all the time, but right now multiple disruptions are combining and compounding to create an unprecedented, continuing supply chain disruption.
What is the Software Supply Chain?
Software is called “soft” because it is made of malleable ideas. It is built collaboratively, in a networked fashion, by many people, and it can be copied and deployed without any physical supply of materials. It is not a material thing like a car or your computer. So what is the software “supply chain” if there are no raw goods or materials?
It is the process of developing, compiling, deploying, and installing software. It starts with the software developers and ends with the person or system running the binary executable in their production environment. For Henry Ford, the equivalent would have been a diagram of his production line tacked to a wall so he could spot the places where an industrial saboteur might slip in and hide a listening device in every car to spy on its future owner.
The Liongard software supply chain is the process that moves the code from the minds of our software engineers into source control, on to a test server, on to a deployment server, and finally into its runtime container at AWS or the hosts of our on-premises agents.
Why Understanding the Software Supply Chain is Critical for Security
Attackers wish to gain control of as many computing environments as they can with as little effort as possible. In many cases, they behave like businesses with their own revenues and costs to manage. Sometimes, they are nation states willing to play a long game of quietly gaining access to others’ resources and information, and then lurking without attracting attention. Infiltration of someone else’s large and trusted software supply chain is a very efficient way for them to increase revenue (or accomplish other objectives) while lowering their costs. Inserting their code into someone else’s code is a powerful way to gain the trust it requires to gather data, control systems, and move both laterally and vertically across targets.
These threats are real and impactful. In December 2020 it was disclosed that SolarWinds, a maker of network monitoring and management software, had suffered a supply chain attack against its Orion product. The attackers compromised the SolarWinds build environment and inserted malicious code into Orion during compilation, so the trojanized builds carried SolarWinds’ legitimate code signature and were delivered to customers through the normal update mechanism between March and June 2020. Once installed, the implant gave the attackers a foothold inside customer networks. The ramifications for SolarWinds were starkly visible in its stock price, which fell roughly 40% in the days following the disclosure.
Clearly, we must defend our software supply chains not just for our own good, but for our partners and their reputations as well. Unfortunately, unlike physical supply chains, software supply chains are invisible digital processes that can be challenging to see and understand. The first step in defending software supply chains is to understand them.
Software is ideas. Even in the best of circumstances, people have difficulty transmitting ideas without changing them. Recall the childhood game of telephone, where kids whisper a message from one to another around a circle and find it hilariously different at the end than at the beginning. The same thing can happen with software, with far fewer laughs. Software supply chains are in fact optimized to minimize these miscommunications, because they usually manifest as bugs that hurt the commercial success of the software company. These optimizations consist mainly of source control systems, which mediate communication between engineers, and automated build and deployment systems (Continuous Integration / Continuous Deployment, or CI/CD) that streamline the compilation and delivery of binaries onto test and production servers.
These optimizations minimize cost and maximize speed, similar to physical supply chains, which in both cases is great for the bottom line of the business. However, they don’t address security and resiliency. As we’ve seen during the pandemic, physical supply chains optimized for low cost and high speed are not good at handling disruptions. They were never built for resilience, which can be at odds with optimizing for day-to-day costs.
Likewise, software supply chains have most often been optimized for the convenience and speed of the engineers rather than for security and resilience. This is not because engineers are reckless people, but because the business, its management and its shareholders value speed of deployment over security of the supply chain. For example, the source code control system may not enforce two-factor authentication, because that is sometimes a feature the vendor charges more for, because it slows down the engineers, or because it complicates their automated systems. The infrastructure of build and deployment servers is often optimized for low cost and ease of access rather than for security and high availability. This focus on cost and speed as the only variables that matter is why we have insecure software supply chains. This has to change.
However, there is an indispensable first step: understanding the nuts and bolts of our own supply chain. We need to know every detail of the processes that move the bits from conception to deployment. Surprisingly, many software companies do not know these details. They have outsourced development to third-party teams in other countries. They subscribe to cloud services and other third parties that automate testing, deployment and production runtimes. They incorporate free and open-source software into their codebase without always knowing its provenance. Step one is to gain a good understanding of the layout and interconnections of this complicated supply chain. Step two is securing it.
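One concrete piece of that inventory is knowing exactly which third-party code enters the build and whether the bytes that arrive match the bytes that were reviewed. The following is an added example, not Liongard's code or tooling: it parses a pip-style requirements file that uses the `--hash=sha256:` pinning convention, lists dependencies whose provenance is unpinned, and checks downloaded artifacts against the pinned digests. The package names (alpha, beta, gamma), their contents and the lockfile are all constructed for the example; one pin is deliberately wrong to show what a tampered build looks like at this check.

```python
"""Dependency inventory and artifact integrity check (added example).

Assumes a requirements file in pip's hash-pinning format; the packages and
artifact bytes below are constructed, not real releases.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    name: str
    version: str
    sha256: frozenset  # zero or more pinned digests; empty means unpinned


REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==([^\s\\]+)\s*(.*)$")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_requirements(text: str) -> list:
    """Parse 'pkg==ver --hash=sha256:... \\' lines into Requirement objects."""
    logical = text.replace("\\\n", " ")  # join backslash continuations
    reqs = []
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        name, version, rest = m.groups()
        reqs.append(Requirement(name.lower(), version, frozenset(HASH_OPT.findall(rest))))
    return reqs


def unpinned(reqs: list) -> list:
    """Dependencies with no hash pin: their provenance cannot be checked."""
    return [r.name for r in reqs if not r.sha256]


def verify_artifacts(reqs: list, artifacts: dict) -> dict:
    """Map each dependency to 'ok', 'mismatch', 'unpinned' or 'missing'.

    artifacts: {package name: downloaded bytes}.
    """
    results = {}
    for r in reqs:
        data = artifacts.get(r.name)
        if data is None:
            results[r.name] = "missing"
        elif not r.sha256:
            results[r.name] = "unpinned"
        elif sha256_hex(data) in r.sha256:
            results[r.name] = "ok"
        else:
            results[r.name] = "mismatch"
    return results


# Constructed artifacts standing in for downloaded sdists/wheels.
ARTIFACTS = {
    "alpha": b"alpha-1.0 release contents",
    "beta": b"beta-2.3 release contents",
    "gamma": b"gamma-0.9 release contents",
}

# Constructed lockfile: alpha is pinned to the bytes we have, beta is pinned to
# a different build (modelling a swapped artifact), gamma is not pinned at all.
LOCKFILE = f"""
# constructed requirements.txt
alpha==1.0 \\
    --hash=sha256:{sha256_hex(ARTIFACTS['alpha'])}
beta==2.3 --hash=sha256:{sha256_hex(b'beta-2.3 build that was never reviewed')}
gamma==0.9
"""


def inventory_report() -> dict:
    reqs = parse_requirements(LOCKFILE)
    return {"unpinned": unpinned(reqs), "results": verify_artifacts(reqs, ARTIFACTS)}


if __name__ == "__main__":
    for key, value in inventory_report().items():
        print(f"{key}: {value}")
```

Real installs get the same behaviour from `pip install --require-hashes -r requirements.txt`, which refuses any unpinned dependency; the point of the standalone check is that the mismatch on beta is exactly the class of change a build-stage compromise produces, and it is only detectable because the expected digest was recorded before the artifact was fetched.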
Read Part Two: How Liongard Secures the Software Supply Chain