In general, the more secure a system is, the less usable. Within the enterprise, where security is paramount and employees can be forced to jump through security hoops, usability can afford to be a secondary concern.
But in an open source ecosystem, usability must come first, largely at the expense of security. After all, security controls that limit the ability of authors to contribute, limit the ability of the ecosystem to thrive. While most ecosystems have processes in place to react quickly once a security threat has been identified, the wide popularity of open source means tens of thousands of downloads may have occurred prior to the threat being removed.
With 90%+ of modern applications built primarily (80%+) with open source software, the digital economy is precariously exposed to threats arising within the software supply chain.
Recent attacks and threats highlight the fact that for consumers of open source the message is clear: “user beware.” For example:
- Passwordstate enterprise password manager’s “In-Place Upgrade functionality” was compromised to distribute malicious updates to Passwordstate users.
- Hackers set up a custom Python mirror at pypihosted.org, which served malware infected popular packages when developers used compromised requirements.txt in GitHub repositories to install components.
- Operation Synergia identified more than 1,900 IP addresses associated with ransomware, Trojans, and banking malware operations.
And while not specifically an open source attack, the Change Healthcare hack in Feb 2024 serves to highlight the interconnectedness of the digital supply chain since it brought the US healthcare system to a standstill, and drove many financially strapped medical practices bankrupt. Rippling outward, this single attack was able to paralyze 20% of the US economy, and will cost billions of dollars before the system recovers, if it ever does.
The US government has been aware of this trajectory for years, and has been encouraging software vendors to take a proactive approach to securing their digital supply chain since the release of Executive Order 14028 in 2021 by offering them both carrots (access to lucrative US government contracts) and sticks, i.e., suing companies and their executive officers that distribute compromised software.
It’s no secret that the software industry has both chronic and systemic security problems. It’s also hard to dispute that those problems aren’t getting worse, with 91% of organizations the victim of a digital supply chain attack last year. Most companies treat it as a cost of business at this point in time. In fact, you’d be hard pressed to find an enterprise that hasn’t purchased cybersecurity insurance, and a recent survey shows that only 27% of SMBs have yet to purchase one.
But the US, as well other governments worldwide are hoping for better innovations than cyber insurance.
Their latest effort to help guide the software industry is entitled “Secure By Design,” which encourages a security-first approach to creating software and emphasizes proactive measures over reactive responses. By stressing that the security burden should be shouldered by software companies, not their customers, the Secure By Design approach hopes to reduce the chances that customers will be compromised by misconfigured software, vulnerability patching, or other common issues.
The reality today, however, is that even software vendors that sell security applications typically have incompletely incorporated security into their software development process. It will take time and resources to ensure, for example, a Solarwinds type of hack cannot occur because the vendor has implemented a hardened build system.
Unfortunately, smaller vendors lack the time and resources to close gaps with their better funded peers. As a result, the US government is recommending that the software industry picks up the slack by creating offerings that can make every software product safer, no matter the size of the vendor. We’ll explore some of these offerings in this post.
What is Secure By Design and Secure By Default?
With Secure By Design, the Cybersecurity and Infrastructure Security Agency (CISA) is advocating that software products be built in a way that reasonably protects against malicious cyber actors. Similarly, Secure By Default advocates for software products to be preconfigured out of the box as resilient to common exploits, rather than placing the burden of security on the customer.
Some of the key recommendations for software vendors include:
- Implementing a defense-in-depth approach to ensure bad actors can’t compromise or obtain unauthorized access to your software development systems.
- Using a tailored threat model during product development (such as that provided by SLSA) to address all potential threats, including threats that may arise once a product is deployed.
- Taking a holistic approach to “designing in” security before the first line of code is written, rather than bolting it on later in the software development process.
These practices have long been standard Secure Software Development Framework (SSDF) principles, but Secure By Design goes one step further, advocating for software vendors to “prioritize the features, mechanisms, and implementation of tools that protect customers rather than [prioritizing] product features.”
This last requirement is an exceptionally difficult ask of software vendors in competitive markets. While Microsoft appears to be prioritizing security above all else, most software vendors simply don’t have that luxury. Implementing security over features (or even just coding a feature securely) not only increases development costs, but also leaves the door open for someone else to bring a new feature to market first. The hope is that prioritizing security will pay dividends in brand recognition, as well as lower maintenance and patching costs. But hope is not a plan.
We believe the only way for software vendors of all sizes to plan to be successful when adopting a Secure By Design approach is to outsource the root cause of the majority of security issues: their digital supply chain.
The philosophy behind outsourcing the digital supply chain is exemplified by a quote in “Secure By Design,” namely: “The software industry needs more secure products, not more security products.”
In other words, traditional AppSec products are the reason we are where we are, with twice as many software supply chain attacks in 2023 than the previous three years combined. The last thing organizations need is more security tools that generate spurious alerts, suck up developer time investigating alerts and/or fixing vulnerabilities that don’t affect the application, or that lack insight into runtime impact and exploitability. A different approach is required, starting with the weakest links in your digital supply chain, which are the open source ecosystems you incorporate into your application.
Open source ecosystems are not only vulnerable by design, but far too many organizations prefer to ignore the implications of their exploitability rather than deal with the implications. In fact, 81% of developers admit to knowingly shipping their applications with open source vulnerabilities rather than deal with:
- Breaking changes that arise when updating dependencies.
- Getting security and compliance approval, which can take days or even weeks before they can use new dependencies/ new versions of dependencies.
- Missing their deliverable deadlines.
Outsourcing makes securing the digital supply chain the responsibility of a third party, thereby freeing up internal resources to focus on meeting their deliverables (i.e., features) that help you close more business. And it’s far cheaper than hiring additional internal resources and/or overhauling your software development process.
Conclusions: Trading Off Software Security Versus Market Share
While security is always a line item on every RFP, it’s rarely the key buying criteria. Customers simply assume that the software they are purchasing is secure. The Secure By Design approach is intended to make that assumption explicit by asking every software vendor to proactively build into their development process the kinds of security controls that help ensure software products are resilient to exploitation, and can be easily updated as security vulnerabilities are found.
Unfortunately, only the largest software manufacturers can afford the time and resources required to implement a Secure By Design approach. Other vendors will be hard pressed to afford the cost. Instead, they should consider the benefits of an outsourced digital supply chain, which include:
- Increased Revenues – redirect the 30% of developer time currently spent on maintenance toward closing competitive gaps that increase opportunity win rates.
- Reduced Risk – eliminate the barriers to updating dependencies, reducing vulnerability security threats, while avoiding the risks that come with cybersecurity burnout.
- Lowered Costs – gain a single throat to choke rather than individually managing the hundreds of third-party open source components in the software supply chain.
Without such an approach, many software vendors may find themselves locked out of lucrative government contracts, and facing a backlash from their customers, as well.
Next Steps
Read The Business Case For An Outsourced Software Supply Chain to better understand how you can quantify the benefits of an outsourced digital supply chain.
