Products & Technology, June 10, 2024

How to assess and manage commercial software risk

Major attacks show that commercial software is the principal attack surface. Here’s why – and how your team can mitigate its risks.

Carolynn van Arsdale, Writer, ReversingLabs

Five years ago, we didn’t hear much about software supply chain attacks. Today, they’re commonplace. Barely a week goes by without news of malicious or compromised packages tempting developers on open-source repositories such as npm, GitHub, and Python Package Index (PyPI). But although it can seem at times that the world runs on open source, businesses really run on commercial software. And that’s where the attackers are going. In fact, proprietary, commercial software platforms pose a much greater risk to organizations than open-source software. That's because of the trust assigned to software publishers by their customers, but also because of the complex nature of third-party software supply chains, at a time when third-party SaaS providers and cloud-based infrastructure are proliferating.

The broad outlines of the software supply chain security problem are visible in the 2024 Verizon Data Breach Investigations Report (DBIR), which reports that breaches stemming from third-party software development organizations played a role in 15% of the more than 10,000 data breaches Verizon documented. That's a 68% jump from last year’s report. The increase was serious enough that Verizon introduced a new metric for tracking the growth of vulnerability exploitation and software supply chain attacks. Additionally, Verizon called on organizations to “start looking at ways of making better choices” about which software providers they choose to work with “so as to not reward the weakest links in the chain.”

Of course, “making better choices” is easier said than done. Here's a breakdown of the costs of software supply chain attacks on commercial third-party software — and how organizations can assess and manage the risks found within commercial software use.


The cost of commercial software breaches

In software supply chain attacks on commercial software, threat actors exploit the good reputations of commercial software vendors, and the trust extended to them by their customers, in order to introduce malicious code into or otherwise tamper with enterprise networks and systems.

One of the most notorious examples of this is SunBurst, the 2020 software supply chain attack on SolarWinds. In that incident, nation-state threat actors compromised the build and code-signing infrastructure of SolarWinds’ Orion software, inserting a malicious backdoor that was then disseminated via a signed Orion software update to thousands of its customers, including several Fortune 500 firms and U.S. government agencies.

But SunBurst wasn’t a fluke. In 2023, two more attacks of the same scale caused massive ripple effects along the commercial software supply chain. First, the North Korean threat group Lazarus compromised the endpoint client of 3CX, a VoIP software vendor, in a first-of-its-kind cascading attack that delivered malware to thousands of its customers. Additionally, last year’s supply chain attack on Progress Software’s MOVEit file transfer service impacted 77 million people worldwide.

The impact of such compromises can be difficult to quantify. On top of the loss of customer data and brand trust, these attacks also have fiscal and legal costs for companies — even if the software targeted technically isn’t their own. It’s believed that attacks such as those on SolarWinds, 3CX, and Progress Software could cost stakeholders anywhere from $36 million to $332 million. Also, existing and proposed legislation in both the European Union and the United States seeks to hold businesses accountable for attacks that lead to customer data loss.

For example, the EU’s Digital Operational Resilience Act (DORA) calls for covered organizations to gain visibility into a broad range of commercial third-party software risks. DORA specifically says that businesses shall “implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates.”

This combination of escalating threats and tightening regulations and oversight makes it essential that organizations step up their game in assessing and managing commercial software risks.

Building a security stack that goes above and beyond

The first step that organizations looking to secure their commercial supply chains need to take is to gain high-quality insights into the makeup of the software products they use. However, to do so, organizations need the help of a mature security stack that is capable of assessing software risks.

Requesting software bills of materials (SBOMs) from vendors is one way organizations can achieve more software transparency. SBOMs serve as an ingredients list for what’s inside the software package. However, they do not offer context into how internal software components correlate to software supply chain threats. They do not identify malware, tampering, suspicious behaviors, or similar threats. Additionally, today’s software packages are far from small: it is increasingly common for these products to be in the 10GB range, comprising thousands of components spread across millions of files.
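The limit described above can be made concrete by reconciling an SBOM against the package it claims to describe. The following is an added example, not code from this post or from ReversingLabs. It assumes a CycloneDX-style SBOM whose component names are file paths inside the delivered package, each carrying a SHA-256 hash, and it works on constructed sample files rather than a real product. It shows what an SBOM can support when you also hold the artifact (flagging altered, missing, or undeclared files) and what it cannot do on its own (say anything about what a file that matches its declared hash actually does).

```python
"""Added example (not from the ReversingLabs post): reconcile an SBOM against
the package it claims to describe.

Assumptions: a CycloneDX-style SBOM where each component's ``name`` is the
path of a file inside the delivered package and carries a SHA-256 hash, and a
package already extracted into a path -> bytes mapping. All data is constructed.
"""
from __future__ import annotations

import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the files the vendor actually built and published.
VENDOR_FILES = {
    "bin/agent.dll": b"agent build 1.2.3 (constructed sample bytes)",
    "lib/libcompress.so": b"compression library 4.0.1 (constructed sample bytes)",
    "config/defaults.json": b'{"telemetry": false}',
}

# Constructed SBOM generated from those files, trimmed to the fields this check uses.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "file",
            "name": path,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        }
        for path, data in VENDOR_FILES.items()
    ],
}

# Constructed: the package that actually arrived. One declared file has been
# altered, one declared file is gone, and one file was never declared at all.
DELIVERED = dict(VENDOR_FILES)
DELIVERED["bin/agent.dll"] = VENDOR_FILES["bin/agent.dll"] + b"\x00appended-bytes"
del DELIVERED["config/defaults.json"]
DELIVERED["bin/helper.exe"] = b"undeclared file (constructed sample bytes)"


def declared_hashes(sbom: dict) -> dict[str, str]:
    """Map each component name to its declared SHA-256; this is all an SBOM gives you."""
    out: dict[str, str] = {}
    for comp in sbom.get("components", []):
        for h in comp.get("hashes", []):
            if h.get("alg", "").upper() == "SHA-256":
                out[comp["name"]] = h["content"].lower()
    return out


def reconcile(sbom: dict, package: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the SBOM's declarations with the package bytes.

    Returns four sorted lists:
      verified   - declared file present with the declared hash
      tampered   - declared file present but bytes differ
      missing    - declared file absent from the package
      undeclared - file in the package the SBOM never mentions

    Note what this cannot do: a 'verified' file only matches what the vendor
    declared. If the vendor's own build was compromised, the SBOM describes the
    compromised artifact, and the backdoor passes this check. Detecting that
    requires analysing the binaries themselves, not the ingredients list.
    """
    declared = declared_hashes(sbom)
    result: dict[str, list[str]] = {"verified": [], "tampered": [], "missing": [], "undeclared": []}
    for name, expected in declared.items():
        if name not in package:
            result["missing"].append(name)
        elif sha256_hex(package[name]) == expected:
            result["verified"].append(name)
        else:
            result["tampered"].append(name)
    result["undeclared"] = [p for p in package if p not in declared]
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    for bucket, names in reconcile(SBOM, DELIVERED).items():
        print(f"{bucket:10s} {names}")
```

Running the block prints one tampered file, one missing file, one undeclared file, and one verified file. The point to take from it is that every finding depends on having the delivered package as well as the SBOM, and that even the "verified" bucket says nothing about whether those bytes are safe.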

In addition to gaining high-quality visibility into a software package, organizations need to be able to mitigate the risks present in the commercial software products they are using. Existing tools used to check third parties, such as penetration testing and vendor security questionnaires, leave huge gaps in software supply chain security coverage and are unable to spot compromises. According to Gartner, 83% of leaders in third-party risk management still find risks embedded in vendor applications, despite already having a security tool stack that includes things such as SBOMs, pen testing, and security questionnaires.

Picking the right security tool

If organizations want to better handle the risks posed by commercial software products, they need to adopt modern security tooling that can provide a comprehensive overview of any risks and threats.

ReversingLabs Spectra Assure is a software supply chain security platform that gives organizations the right tools to properly assess and manage the threats posed by the commercial software products they use. Spectra Assure is able to deconstruct any commercial software package at the binary level — no matter the size — giving your security team the visibility it needs to take action.

Spectra Assure: Spot threats in commercial software

Spectra Assure enables your organization to assess commercial software without requiring access to the vendor’s source code, giving you critical insights into the integrity of software and updates prior to deployment. Those insights are driven by Spectra Assure’s unique capabilities, including the ability to scan large and complex files rapidly (a 1 GB file can be scanned in as little as 5 minutes). Spectra Assure can also recursively unpack more than 4,800 different file types, including DLLs, containers, and post-build artifacts, correlating that information with more than 3,000 threat indicators and ReversingLabs' largest-in-the-world searchable repository of malware and goodware, which contains more than 40 billion files.


Tags:Products & Technology
