Practically all business software (ERP, accounting, payroll, CAPM, etc.) uses Open Source components.
Synopsys audited the code of 1,700 commercial applications, 96% of which contained Open Source code. Above all, this footprint of free software is growing and, with it, the risk of introducing a security breach. This risk of attack through the software supply chain was perfectly illustrated by the Log4j flaw.
87% of the codebases studied contained known risks and vulnerabilities, a lack of updates that poses a risk to every application embedding those components.
What is a supply chain attack?
A supply chain cyberattack is a sophisticated computer attack that aims to infiltrate a company’s systems through the suppliers or business partners it works with.
The goal is to compromise the products or services provided by these business partners in order to inject malware into the target company’s systems. Malware can be designed to steal confidential information, disrupt operations, or destroy important data.
This can happen when software vendors have not sufficiently secured their own infrastructure or software development processes. Hackers can also target software vendors’ contractors or suppliers to gain unauthorized access to the target company’s systems.
Such attacks can be very difficult to detect because cybercriminals can hide behind multiple layers of vendors or contractors, which makes tracking them very complex.
Why Do Software Vendors Use Open Source Components?
Software vendors use open source components for several reasons. First, using open source components saves software vendors time and money by not having to develop all of their software’s features from scratch. Open source components are pieces of code that have already been developed and tested by other developers, and are available for free or at low cost.
Additionally, open source components are often very well documented and have a large community of developers who can help troubleshoot any issues that may arise. This means that software vendors can benefit from great expertise and free or low-cost technical support.
Finally, open source components are often more reliable and secure than proprietary solutions because they have been developed and tested by a very active and engaged community of developers.
Lack of transparency
Publishers cannot communicate about the components they implement in their applications. It is complex, because updates are sometimes not perfectly compatible with the old version of the component.
This lack of transparency can expose your entire information system to flaws that could cause you to lose all your data or be blackmailed for six-figure sums.
An Open Source component is like frozen food
You can either buy frozen fries ready to bake or buy potatoes. There is more risk in buying potatoes, because you will have to handle the frying yourself.
Software publishers make the same calculation: either it is better to do everything themselves, or doing so is less reliable or costs too much.
80% of Developers, Though They Understand Their Responsibility, Say Security Isn’t Their Primary Responsibility
Palo Alto Networks – State of Cloud-Native Security Report
Most organizations are now digitally connected to hundreds of suppliers and vendors. However, weaknesses in a vendor’s security posture can allow a cybercriminal to gain access to the network and deploy malware.
When the links you may have with your customers and/or your suppliers are implemented, cybersecurity is not the priority: it must work, and if possible as soon as possible.
When a company uses an IT service company to implement a macro, a specific development or a customization in an ERP, its first question is not “Is it going to be secure against hacker attacks?” The first question is the price, and if the service provider adds 3,000 € to support a secure model, it is too often treated as an option to be looked at later.
This is what happened to the NBA through a third-party provider.
How to protect yourself from “Supply Chain” flaws
If the publishers do not carry out all the updates, the outsourced CIO must manage the security around the application, for lack of a secure version of it.
The rules to put in place:
- Database protection (avoid the publisher’s passwords)
- Have secure passwords for everyone
- Have a good antispam filter to limit emails that try to analyze your computer
- Set up a recovery plan to manage this specific risk
The real flaw
The problem with cybersecurity is that it adds a layer to every action we take on a daily basis. Making these actions automatic and effortless starts with cybersecurity awareness training.
But each training must be adapted to its audience, so training for salespeople will differ in content from training for the accounting department or for developers.
As a CIO, I suggest that you change your approach to risks and consider that each application is like a loaded weapon, which contains many internal flaws and which must be isolated.
Between the time I started this post and the time of its publication, the reality of the flaws was further highlighted.
- Latest news, March 30: IT Martena, IT service provider to German companies, victim of an attack via the Supply Chain.
- Latest news, March 31: 3CX, telecommunications system provider to 12 million users, victim of a supply chain attack.