CIOReview | JUNE 2023

EFFECTIVELY MAINTAINING SOFTWARE DEPENDENCIES

By Derek Fisher, Vice President of Application Security, Envestnet

IN MY OPINION

Have you ever really thought about how software gets built? Many of us envision a team of software engineers and architects furiously working to develop features to be released to clients at a rapid pace. While this is mostly accurate, the reality is that these developers and architects are pulling in libraries and components from multiple locations and adding them to their own custom code in order to build a more robust product. These components and libraries are called "dependencies" because your software depends on them to function as expected.

This is where the software supply chain comes into the picture. Although the term "software supply chain" can mean the full set of services and software being used, down at the lower levels of development there is a complex set of dependencies that are used to build specialization into the software. If you need help developing an authentication function for your Node.js application, you can leverage an authentication module that provides the hooks to authenticate with Google or Facebook. Need to integrate an email function into your application? You can simply integrate an SMTP module to manage email transactions. Yes, you can develop these features yourself, but if the component already exists, there is no sense in reinventing the wheel, especially with deadlines looming.

Although this is a powerful and quick way to get features developed and into the hands of clients, it creates a software soup that quickly becomes muddled, and that gives attackers the option of compromising a single dependency instead of the broader application. Furthermore, without proper oversight to ensure that the dependencies are free from vulnerabilities and are well maintained by the vendor, the application can be vulnerable without the organization being aware. This often leaves the organization scrambling to determine what its exposure is when a zero-day is announced or a new vulnerability makes the headlines.

The issues with the software supply chain have been evident in multiple attacks over the years, probably none more so than the attack on SolarWinds in 2020, in which attackers were able to inject a malicious DLL (Dynamic Link Library) that was then sent to thousands of SolarWinds customers. The attackers were able to hide their tracks for months before being discovered. Although the overall impact was small, it was one of the most high-profile supply chain attacks and put many organizations on the defense. A more recent attack on the supply chain manifested in Okta's breach in December 2022, where attackers were able to gain access to Okta's GitHub code repositories. No doubt this access could
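The "what is our exposure?" question raised above is answerable from the dependency inventory an application already carries in its lockfile. The following is an added example (not code from the article or from Envestnet) that reads the packages pinned in a Node.js package-lock.json, including nested copies, and flags those whose version falls inside an advisory's vulnerable range. The lockfile fragment and the advisory feed are constructed sample data; the advisory ids are placeholders, not real CVE records, and a real feed would come from a source such as npm audit or OSV.

```javascript
// Added example, not the article's own code: inventory a Node.js
// package-lock.json and flag packages whose pinned version lies inside an
// advisory's vulnerable range [introduced, fixed).

// Constructed lockfile fragment in npm's lockfileVersion 2/3 layout (sample data).
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/passport": { version: "0.4.1" },
    "node_modules/nodemailer": { version: "6.9.1" },
    "node_modules/passport/node_modules/pause": { version: "0.0.1" },
    "node_modules/@scope/widget": { version: "2.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Constructed advisory feed. Ids and ranges are placeholders for illustration,
// not real CVE data.
const SAMPLE_ADVISORIES = [
  { id: "ADVISORY-PLACEHOLDER-1", name: "passport", introduced: "0.0.0", fixed: "0.6.0" },
  { id: "ADVISORY-PLACEHOLDER-2", name: "lodash", introduced: "0.0.0", fixed: "4.17.21" },
  { id: "ADVISORY-PLACEHOLDER-3", name: "@scope/widget", introduced: "2.0.0", fixed: "2.0.1" },
];

// Parse "MAJOR.MINOR.PATCH" into numbers. A leading "v" and any prerelease or
// build suffix ("-beta.1", "+sha") are dropped, so a prerelease compares as its
// base version; that errs toward flagging, which is the safe direction here.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`unparseable version: ${v}`);
  return parts.slice(0, 3);
}

// Numeric comparison, so "1.10.0" sorts after "1.9.9" (string order would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys are install paths; the package name is whatever follows
// the last "node_modules/", which keeps scoped names like "@scope/widget" intact
// and attributes nested copies (transitive duplicates) to their own name.
function inventory(lockfile) {
  const result = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project itself
    if (!entry.version) continue; // workspace links carry no version
    const idx = path.lastIndexOf(marker);
    if (idx < 0) continue; // not an installed package
    result.push({ name: path.slice(idx + marker.length), version: entry.version, path });
  }
  return result;
}

// Match every installed package against every advisory for that name.
function findExposed(lockfile, advisories) {
  const exposed = [];
  for (const pkg of inventory(lockfile)) {
    for (const adv of advisories) {
      if (adv.name !== pkg.name) continue;
      const inRange =
        compareVersions(pkg.version, adv.introduced) >= 0 &&
        compareVersions(pkg.version, adv.fixed) < 0;
      if (inRange) exposed.push({ ...pkg, advisory: adv.id, fixedIn: adv.fixed });
    }
  }
  return exposed;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findExposed(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)) {
    console.log(`${hit.path}: ${hit.name}@${hit.version} matches ${hit.advisory} (fixed in ${hit.fixedIn})`);
  }
}
```

Running it against the sample data reports passport 0.4.1 and @scope/widget 2.0.0 as exposed, while lodash is left alone because it already sits at the advisory's fixed version. Walking the lockfile rather than package.json matters because package.json lists only direct dependencies, whereas the exposure from a headline vulnerability is usually several levels down in the transitive tree.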