Cryptography: A Forgotten Part of Software Supply Chain Security

By Dr. Marc Manzano, general manager, cybersecurity at SandboxAQ and Ryan Hurst, SandboxAQ advisor [ Join Cybersecurity Insiders ]
745

Securing the software supply chain has become a top priority due to high-profile breaches and increasing regulatory scrutiny. International agencies like CISA and NIST emphasize the urgent need to address how we inventory and manage the software and services we rely on. The complexity of modern software systems and the potential for widespread impact from a single compromised component drive this growing focus. Recent incidents, such as the SolarWinds, have shown how interconnected systems can be exploited. The global outage related to CrowdStrike’s software update shows how a single mistake can quickly cascade across the entire global economy. Regulatory bodies globally, including the European Union through the EU Cybersecurity Act, are actively working to mitigate the supply chain issues that enable these incidents.

As security leaders, we can’t forget a critical part of the software supply chain: cryptography. Implementing comprehensive standards for cryptography usage, key management, and continuous monitoring can help effectively tackle these challenges.

The Problem: Inadequate Cryptographic Management

Modern software relies on multiple third-party libraries, open-source components, and numerous dependencies. This interconnectedness can hide vulnerabilities and create security blind spots, which is also true for these components’ cryptography. According to the Verizon Data Breach Investigations Report (DBIR), leaked credentials—often synonymous with leaked cryptographic keys—are among the most common attack vectors. These machine and workload keys, if compromised due to inadequate key management practices, can grant attackers unauthorized access to sensitive systems and data.

The lack of automated tooling to efficiently manage the myriad of software components often leaves organizations unaware of the deep security risks associated with their software dependencies. Outdated or insecure libraries, such as those using broken cryptographic algorithms or outdated protocol versions, may be integrated into critical systems. This makes it difficult to fully understand and address the risks posed by poor cryptographic practices in your software supply chains and deployments.

‍Ensuring that third-party vendors adhere to modern cryptography management practices is essential for mitigating these risks. Widespread use of weak cryptography can expose the entire supply chain to catastrophic vulnerabilities. The Heartbleed bug in OpenSSL, used by many third-party providers, exposed millions of systems to data breaches, underscoring the need for cryptographic standards and monitoring for them in your supply chain. The Debian OpenSSL bug, where a change in the code led to predictable keys, affecting millions of SSL/TLS keys, highlighted how critical it is to ensure robust and secure implementations. Additionally, regulatory requirements such as HIPAA mandate the encryption of ePHI, with non-compliance leading to significant fines, as seen in the $16 million Anthem Inc. settlement. This highlights the critical need for robust cryptographic management to avoid legal repercussions and ensure compliance.

Mitigating Hidden Threats

There are many vulnerabilities that affect cryptography specifically, from insecure cryptographic libraries and implementations to inadequate monitoring and outdated cryptographic protocol versions.

Ensuring compliance with good cryptographic management practices, robust key management, and comprehensive reporting are the first line of defense. Regular audits, integrated into procurement processes, help maintain up-to-date and effective cryptographic practices. Continuous scanning and threat intelligence feeds keep organizations ahead of emerging threats. Organizations must also stay informed about changes in industry standards and update their practices accordingly to ensure ongoing compliance. Recognizing the importance of these practices, the White House’s Executive Order on Improving the Nation’s Cybersecurity has mandated the discovery and inventory of cryptographic keys to bolster software supply chain security.

Operational Continuity is another critical aspect of securing the software supply chain. Disruptions caused by outdated certificates, cryptographic migration issues, or attacks significantly impact business operations. For example, the Microsoft Teams outage in 2020, caused by an expired certificate, demonstrated how failures in certificate management could take down business-critical services. This incident highlighted the importance of maintaining robust cryptographic management practices to ensure operational resilience and reduce the risk of business disruptions.

Supply chains often involve the exchange of sensitive data and proprietary information between partners. Without modern cryptography management measures in place, it is challenging to reduce exposure to cryptographic vulnerabilities or to provide evidence for compliance with cryptography-related guidelines. The Codecov attack in 2021, where attackers manipulated scripts to exfiltrate sensitive data, highlights the necessity of secure cryptographic practices to protect intellectual property and maintain data integrity. This breach demonstrated how vulnerabilities in the supply chain could be exploited to access and steal valuable information, emphasizing the criticality of having robust cryptographic measures in place.

Robust Key Management

Implementing automated key rotation and revocation processes is essential to reduce the risk of key compromise. However, focusing on last-mile key management is equally important. This means ensuring secure key distribution and usage at the endpoint, where credentials and keys are often most vulnerable. Many organizations fall short by focusing solely on “secret sprawl”—centralizing keys and credentials but then distributing them across deployments without proper controls. This narrow focus leads to “secret spray,” increasing the risk of key leakage and unauthorized access. A stark example of the consequences of inadequate last-mile key management is the Storm-0558 incident, where Chinese hackers were able to forge authentication tokens by exploiting poorly managed cryptographic keys. This breach highlighted how failures in endpoint key management can lead to significant security incidents, emphasizing the need for robust last-mile key management to close the loop on end-to-end security.

Additionally, employing tools that provide real-time monitoring and alerting for cryptographic missteps and policy violations is crucial. Similarly, requiring vendors to maintain and regularly update Software Bills of Materials (SBOMs) helps ensure transparency of all components. SBOMs provide a detailed inventory of all software components. However, they do not capture the cryptography they use, making it hard to identify and address cryptographic vulnerabilities when they become known. This is where discovery tools come into play. They help you hold vendors accountable for their security promises, discover how they use cryptography, and how you use the cryptographic capabilities of their products.

The Solution: Unified Cryptography Management

Integrating robust cryptographic management into the core processes of software development and operations is crucial for addressing these challenges. A unified cryptography management platform ensures all software components adhere to stringent cryptographic standards. This platform should automate key management, monitor cryptographic activities, and ensure compliance with industry standards and regulatory bodies.

Conclusion

Securing the software supply chain demands a proactive approach to cryptographic management. Organizations should adhere to comprehensive standards and implement robust key management practices. Maintaining detailed usage inventories, continuous monitoring, and thorough reporting are also essential.

Ad

No posts to display