Software Supply Chain Attacks: How vs. What
In this episode, ReversingLabs Field CISO Matt Rose explains why it's key for teams to understand the process by which supply chain attacks happen — and the results of those attacks.
-Blog: 10 software supply chain attacks you can learn from
-Blog: Supply chain security: Is technical debt weighing your team down?
-Related ReversingGlass: Application Hacks vs. Software Supply Chain Hacks
MATT ROSE: Hi everyone, welcome to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is "How versus What," and what I mean by that is how are software supply chain attacks happening versus what are they? And that may seem a little confusing up front, but when you think about software supply chain attacks, it's typically around malware.
And finding malware within a package, within an open source package, a complete piece of software. But I want to put a little different lens on it to have a complete approach to software supply chain security. And just like I always do, I want to put a little color commentary, a little obscurity in here.
You're probably wondering what the heck I'm doing here, but this is what I'm doing right now. So I always want to use some pop culture references. The obscurer, the better. So I don't know if people are familiar with The Watchmen. One of the characters in The Watchmen was Dr. Manhattan. His real name was John Osterman, Dr. John Osterman. He was an atomic physicist that had a lab accident and morphed into this omnipotent being of Dr. Manhattan, the big blue guy over here. So again, crazy analogies. But this, over this side, is the "How." And this is the "What." So thinking about this, this is how this happened. This is how John Osterman became Dr. Manhattan, which is the "What" and we're going to do a little mapping here where How versus What, which is up here. So how is gamma radiation was the whole atomic accident was Dr. Manhattan, but this is where from a software supply chain lens, the how of malware compromising your applications is through tampering,
secrets manipulation. So you basically allowing people to check things in. Unknown changes and being able to identify unknown changes via Diffs of one release to the other, seeing what's changed. And then even having that holistic approach to understanding everything's in there, all the ingredients,
which is your SBOM. So these are the research areas. This is how something is happening. These are the activities that people have to go through. Where the What is the malware itself, but I'm gonna let everybody in on a little secret here. Malware is typically something new. And what I mean by that is novel malware.
It's never been seen before. So if you're not looking for certain things, it's not as easy as just grepping a code base for malware.dll or malware.java or something like that. It's not that simple. Most of the time, malware has a certain signature, a certain forensic path that it takes to become malware and execute itself.
And the best way for organizations to be secure in their software supply chain is to do the proper research. Is to figure out the how, which is basically identifying was my package, my signature tampered with? Were there secrets compromised that potentially gave someone access to check something into a source code repository?
Did something drastically change from one release to another in terms of files changing, files being updated, files being added? And then there's always the question of the SBOM, and an SBOM that is basically comprehensive to the entire package would have been a lot easier for organizations to recover from Log4j if they had an SBOM that listed everything for every application, instead of spending time in a war room figuring out where Log4j existed within their whole application portfolio.
But going back to my references, if you have never heard of Watchmen, it's a graphic novel. It is a cult classic and Dr. Manhattan is one of the main characters in it. So if you have free time and you're into graphic novels and you haven't heard of it... well, if you're in for graphic novels, you've probably heard of The Watchmen.
That's my food for thought today. So when you're thinking about software supply chain security, to have a comprehensive approach, you need to know how things are happening and what they're producing, the process and the result. I'm Matt Rose. Hope you enjoyed this episode. Have a great day, everybody.