
Software Supply Chain Risk

Those of you who know me know that I can really get on a roll when it comes to the Secure Software Development Lifecycle, or SSDL.  One piece of SSDL is managing your software supply chain.  Here is why I get so worked up over it.

Most companies do NOT have an effective software supply chain management process.  I can almost bet yours does not and this post will likely prove it.

The Apache Software Foundation has released a patch for a vulnerability in the Apache Struts web application framework that they are rating critical and that has a CVSS risk score of 10 out of 10.  

Can’t get a lot more critical than that.

After reading this, you might be telling me “We don’t develop software so we don’t have a problem”.

Alternatively, you might say, “We don’t use Apache Struts.”

But, are you sure?

Do you use Cisco software?

What about VMware?

Or Atlassian development tools?

How about Hitachi database products or IBM SANs?

Or maybe Oracle Financials?

Suffice it to say that you probably do not know if you are using Apache Struts.

How do you know?

For internally developed software, the process is (relatively) easy.  Religiously document every third-party product that is used in each software product that you develop.  This includes free software downloaded from the Internet and commercial software that you buy.  It includes software that is integrated into your product, software that is used to manage your product, and software that runs on the platform alongside the operating system.

You need to do this for each software package that you develop.

For software that you buy, it becomes a little trickier.  You should be asking the vendor for a Bill of Materials, or BoM.  A BoM lists all software that is installed as part of the deployment of that vendor’s product.  You may have to be persistent.  You could hold the sale hostage; salespeople become very attentive when they fear the loss of their commission.  You could put that requirement into the contract/license agreement.  Some vendors either won’t care or can’t do it.  There is software that will help identify major third-party packages like Apache Struts, but those tools are not perfect.

We live in an imperfect world.

Once you have that BoM, you need to match it against the newly announced vulnerabilities that are published at least weekly.  That way you can identify which software packages, and which systems, need to be patched.  While you may need to wait for your vendor to release a patch, there may be other ways to mitigate the problem.  At least you know what you are dealing with.
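To make the two steps above concrete (keep a BoM per system, then match it against each week’s advisories), here is an added example script that is not part of this alert or of any vendor’s tooling.  It parses a simple CSV-style BoM, compares each third-party component’s version against a feed of advisories, and groups the hits by system so the output is a patch list for machines rather than packages.  The BoM rows, the advisory identifiers (`ADV-PLACEHOLDER-…`) and the affected version ranges are all constructed for the example and do not describe any real advisory; a real feed would carry CVE ids and ranges taken from the vendor or from a vulnerability database.

```python
"""Match a software bill of materials (BoM) against a vulnerability feed.

Added example, not the client alert's own tooling.  The BoM and the advisory
feed below are constructed sample data; advisory ids and version ranges are
placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BomEntry:
    system: str      # host or deployment the product runs on
    product: str     # the product you develop or bought
    component: str   # third-party package bundled inside it
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    min_version: str    # first affected version (inclusive)
    fixed_version: str  # first version carrying the patch (exclusive)
    cvss: float


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.34' into (2, 3, 34) so versions compare numerically, not as strings."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(entry: BomEntry, adv: Advisory) -> bool:
    """True when the BoM entry names the advisory's component and sits inside its range."""
    if entry.component.lower() != adv.component.lower():
        return False
    v = parse_version(entry.version)
    return parse_version(adv.min_version) <= v < parse_version(adv.fixed_version)


def parse_bom(text: str) -> List[BomEntry]:
    """Parse a CSV-style BoM: system,product,component,version (blank lines and # comments skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        system, product, component, version = [f.strip() for f in line.split(",")]
        entries.append(BomEntry(system, product, component, version))
    return entries


def match(bom: List[BomEntry], feed: List[Advisory],
          min_cvss: float = 0.0) -> List[Tuple[BomEntry, Advisory]]:
    """Every (BoM entry, advisory) pair where the entry is affected and the score meets the threshold."""
    hits = []
    for entry in bom:
        for adv in feed:
            if adv.cvss >= min_cvss and is_affected(entry, adv):
                hits.append((entry, adv))
    return hits


def systems_to_patch(hits: List[Tuple[BomEntry, Advisory]]) -> Dict[str, List[str]]:
    """Group findings by system, which is the unit you actually patch or mitigate."""
    out: Dict[str, List[str]] = {}
    for entry, adv in hits:
        out.setdefault(entry.system, []).append(
            f"{entry.product}: {entry.component} {entry.version} ({adv.advisory_id})")
    return out


# Constructed sample BoM: one internally developed app and two purchased products.
SAMPLE_BOM = """
# system,product,component,version
app01,customer-portal,apache-struts,2.3.20
app01,customer-portal,log4j,1.2.17
fin02,vendor-erp,apache-struts,2.5.16
fin02,vendor-erp,openssl,1.1.1
san03,storage-manager,apache-struts,2.5.18
"""

# Constructed advisory feed; ids and ranges are placeholders, not real advisories.
SAMPLE_FEED = [
    Advisory("ADV-PLACEHOLDER-001", "apache-struts", "2.3.0", "2.3.35", 10.0),
    Advisory("ADV-PLACEHOLDER-001", "apache-struts", "2.5.0", "2.5.17", 10.0),
    Advisory("ADV-PLACEHOLDER-002", "openssl", "1.1.0", "1.1.2", 7.5),
]

if __name__ == "__main__":
    # Only the critical findings: two systems carry an affected Struts build.
    for system, items in systems_to_patch(
            match(parse_bom(SAMPLE_BOM), SAMPLE_FEED, min_cvss=9.0)).items():
        print(system)
        for item in items:
            print("   ", item)
```

Run it as-is and the storage manager on `san03` drops out because its Struts build is past the (constructed) fixed version, while the purchased ERP on `fin02` shows up even though nobody on your side wrote a line of it; that is the point of asking vendors for a BoM.  Lowering `min_cvss` to zero also surfaces the lower-scored OpenSSL finding.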

If Equifax had done this, we would not be talking about the Equifax breach today.

Source: https://www.riskbasedsecurity.com/2018/08/watch-out-another-nasty-apache-struts-vulnerability-has-been-disclosed/