As eCommerce websites continue to grow in popularity, so do the risks associated with online transactions. Cybersecurity threats such as hacking, phishing, and identity theft pose significant risks to both the website owners and their customers. In response to these threats, a variety of security tools have been developed to help protect eCommerce websites. Here are some of the top security tools for eCommerce websites:
SSL (Secure Sockets Layer): SSL is a standard security protocol that enables encrypted communication between a web server and a browser. It provides an additional layer of security by encrypting sensitive data, such as credit card information, during transmission. SSL certificates can also help to improve a website’s search engine ranking.
SiteLock: SiteLock is a cloud-based security tool that offers protection against malware, hacking, and other security threats. It scans websites for vulnerabilities and automatically removes malware, providing continuous protection for eCommerce websites.
CodeGuard: CodeGuard is a backup and restore service that protects websites from data loss and corruption. It automatically backs up websites and provides easy restore options in case of data loss, hacking, or accidental deletion.
TrustedSite: TrustedSite is a security certification service that verifies the security and trustworthiness of eCommerce websites. It provides a trust seal that can be displayed on the website to assure customers that the website is safe and secure.
Other notable security tools for eCommerce websites include payment gateways such as PayPal, 2Checkout, and Stripe. These payment gateways offer additional layers of security, such as fraud detection and prevention, to protect both the website owner and their customers.
It is important to note that no security tool can guarantee 100% protection against cybersecurity threats. However, using a combination of security tools can significantly reduce the risks associated with eCommerce transactions.
SSL (Secure Sockets Layer) certificates are critical for website security and have become a significant ranking factor in Google’s search algorithm. Websites with SSL certificates are more secure and provide better user experience. Google has been pushing for HTTPS encryption for years, and they’ve made it a ranking factor since 2014. In this blog post, we’ll explore the impact of SSL on SEO and how it affects website ranking.
SSL certificates provide encryption for data transmitted between the website and the user. This encryption makes it difficult for hackers to steal information and improves website security. SSL also increases user trust and confidence in a website. Google favors websites that prioritize user experience and security, and SSL is an excellent way to improve both.
Moreover, SSL is a ranking signal that affects search engine optimization. Google has publicly stated that SSL is a ranking factor, and websites that use HTTPS encryption are likely to rank higher than those that don’t. Google wants to ensure that users have a safe browsing experience and is rewarding websites that prioritize security.
Lastly, SSL can impact on SEO by providing a better user experience. Websites that use SSL certificates load faster, have lower bounce rates, and generate more traffic. These factors are essential for SEO and can improve a website’s ranking in search results.
In conclusion, SSL certificates have a significant impact on SEO. They improve website security, increase user trust, and help websites rank higher in search engine results. Websites that prioritize SSL and provide a secure browsing experience will have an advantage in SEO and user experience.
SSL (Secure Sockets Layer) is a standard security protocol that enables encrypted communication between a web server and a browser. An SSL certificate is a digital certificate that authenticates the identity of a website and encrypts data transmitted to and from it. SSL certificates are essential for online security and should be installed on every website that collects user data or processes sensitive information.
SSL certificates provide several benefits to website owners and users. Firstly, they protect sensitive data from interception by hackers or cybercriminals. This is especially important for websites that handle financial transactions, such as online banking or e-commerce sites. Secondly, SSL certificates increase trust and credibility with users. When visitors see the padlock icon or HTTPS in the browser address bar, they know that their connection is secure and that the website is legitimate.
In addition, SSL certificates can improve search engine rankings. Google and other search engines give preference to websites with SSL certificates, as they consider them more trustworthy and secure. Furthermore, SSL certificates are mandatory for compliance with regulations such as the GDPR (General Data Protection Regulation) and PCI DSS (Payment Card Industry Data Security Standard).
In summary, SSL certificates are essential for website security, trust, and compliance. They provide encrypted communication, protect sensitive data, improve search engine rankings, and help website owners comply with regulations.
Code Signing SSL is a digital certificate that is used to sign software code and scripts to ensure their integrity and authenticity. When a code signing certificate is installed, it adds a digital signature to the code, which verifies that it came from the original author and has not been tampered with in any way. This helps to protect users from malware and other malicious software that may be distributed under the guise of legitimate applications.
In this blog post, we will walk you through the installation process of Code Signing SSL on a Linux Apache server.
Step 1: Purchase a Code Signing SSL certificate
The first step is to purchase a Code Signing SSL certificate from a trusted Certificate Authority (CA). There are many CAs available, such as Comodo, DigiCert, and Sectigo. When choosing a CA, make sure to select a reputable one that is recognized by popular web browsers.
Step 2: Generate a Certificate Signing Request (CSR)
Once you have purchased a Code Signing SSL certificate, you will need to generate a Certificate Signing Request (CSR) on your Apache server. You can do this using the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout mykey.key -out mycsr.csr
Make sure to replace mykey.key and mycsr.csr with the file names you want to use.
You will then be prompted to enter information about your organization, such as its name and location. Be sure to enter accurate information as it will be used to verify your identity.
Step 3: Submit your CSR to the CA
Once you have generated your CSR, you will need to submit it to the CA to obtain your Code Signing SSL certificate. The process for doing this will vary depending on the CA you have chosen, but typically involves uploading your CSR to their website and completing a verification process.
Step 4: Install your Code Signing SSL certificate
Once you have received your Code Signing SSL certificate from the CA, you can install it on your Apache server. To do this, follow these steps:
Create a directory to store your SSL certificates:
mkdir /etc/ssl/certs
Copy your SSL certificate to the new directory:
cp your_certificate.crt /etc/ssl/certs/
Create a file to store your SSL private key:
sudo nano /etc/ssl/private/your_domain.key
Paste your private key into the file and save it.
Configure your Apache virtual host to use SSL:
<VirtualHost *:443>
ServerName yourdomain.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/your_certificate.crt
SSLCertificateKeyFile /etc/ssl/private/your_domain.key
</VirtualHost>
Make sure to replace yourdomain.com with your actual domain name, and /var/www/html with the path to your website’s root directory.
Restart Apache to apply the changes:
sudo systemctl restart apache2
Congratulations! You have successfully installed your Code Signing SSL certificate on your Linux Apache server. Your code will now be signed with a digital signature, ensuring its authenticity and integrity.
The use of a branded SSL certificate provides several benefits compared to using a Let’s Encrypt SSL certificate. These benefits include:
Trusted and recognized brand: Branded SSL certificates are issued by trusted certificate authorities such as Comodo, DigiCert, Sectigo, GeoTrust, Thawte and RapidSSL. This gives your website a more professional and trustworthy appearance.
Higher levels of security: Branded SSL certificates offer higher levels of encryption, making them more secure than Let’s Encrypt SSL certificates.
Better customer support: Branded SSL certificate providers offer better customer support than Let’s Encrypt. In case of any technical issues, you can receive prompt assistance from a dedicated support team.
Increased website ranking: Search engines like Google may give preference to websites with branded SSL certificates over those with Let’s Encrypt SSL certificates.
Improved customer confidence: Branded SSL certificates can increase customer confidence and trust in your website, leading to higher conversion rates and better business results.
In summary, a branded SSL certificate provides a higher level of security, better customer support, improved website ranking, and increased customer confidence compared to a Let’s Encrypt SSL certificate.
The zero-trust strategy approaches security from the mindset that no one — not even your internal network users — can or should be trusted automatically. Here’s why zero trust security is picking up traction with organizations and governments globally…
… It’s not paranoia when someone really is out to get you. And if you’re an organization or business, you can virtually guarantee that someone, somewhere has you in their crosshairs. Verizon reports 82% of data breaches involve the “human element” — including everything from phishing and social attacks to general errors and misuse — so, it’s clear why all organizations need to change how they approach cyber security.
This is why the U.S. Department of Defense published information regarding plans to shift its network to a “zero trust architecture” by 2027. In its Zero Trust Strategy and Roadmap document, the federal defense agency shared its goals about what it aims to achieve and what its vision is for the future: implementing stronger defenses against cyber attacks via a dynamic and adaptive approach (zero trust).
This move toward zero trust security has been picking up traction with businesses and other organizations globally over the past several years. It contrasts the traditional notion that cyber security efforts should focus on external threats and hardening your perimeter defenses to protect against threats outside your network. Imagine the cyber security incidents (and resulting data breaches) that could have been avoided if the targeted organizations had implemented zero trust:
But what is zero trust and why is it something that can benefit organizations and businesses across all sectors (not just the DoD)?
Let’s hash it out.
Zero trust is an organization’s answer to the childhood warning “stranger danger!” It’s both a framework and strategy that operates with the understanding that no one — not you, your devices, your apps, or even your CEO — can (or should) be trusted automatically. And it’s nothing personal — it’s not because your IT admin doesn’t like you. This real-time security strategy approaches cyber security from the perspective that everyone inside and outside your network is a potential threat.
Zero trust touches everything relating to your IT ecosystem and everything that goes on in the background. It promotes the idea that there are no traditional network boundaries; your assets and resources can be anywhere — on prem, in the cloud, or a mix of both. This makes it a versatile approach to hardening your cyber defenses. Therefore, everyone with access to your organization’s network or IT resources must have their identities continuously vetted throughout their connections.
Regardless of where your assets are that you want to secure, there are three guiding principles at the heart of zero trust security:
1. Never Trust, Always Verify
What we mean by this is that users need to authenticate in a verifiable name. Simply taking them at their word just won’t cut it. This entails using setting default-deny policies, setting least access privileges, and using public key infrastructure (PKI) based tools (such as client authentication certificates).
Whenever someone logs in or tries to access something in a zero trust environment, they’ll need to continually authenticate (prove their identity) throughout the session. Why? Because session IDs can be hijacked and someone unintended can take over a connection. By implementing comprehensive identity and access management, you’re reducing the potential harm an account compromise could cause.
Manage Digital Certificates like a Boss
14 Certificate Management Best Practices to keep your organization running, secure and fully-compliant.
2. Assume a Hostile Environment or That a Breach Has Occurred
With zero trust, you assume the worst (someone bad is already in your network) but hope for the best. You’ll want to assume that every network connection and access request is from an attacker. This involves monitoring all users, devices, connections, requests, and configuration changes continuously to ensure that no one is accessing something they shouldn’t.
3. Verify Explicitly
Verify that users are accessing things securely. Have security mechanisms in place to ensure they’re doing that. This includes enforcing policies dynamically via the policy engine and policy administrator (PE determines whether access is approved or denied and the PA executes that decision). And, as always, monitor and log all access requests and traffic.
Image caption: This graphic represents a basic overview of the foundational concepts behind zero trust: trust nothing and no one, have security mechanisms in place for identity and device verification, and assume all traffic (both inside and outside the network) is an attack.
There’s No One-Size-Fits-All Approach to Zero Trust
There are different approaches to zero trust put out by different organizations and different standards as well. Probably the most commonly known zero trust framework is the National Institute of Standards and Technology’s (NIST) special publication: NIST SP 800-207 — Zero Trust Architecture. This document laid the groundwork for other frameworks from agencies such as the U.S. Department of Defense and the National Security Agency (NSA).
These other frameworks have a lot to offer information of information and applications. (The DoD guidelines, in particular, offer more breadth and depth than the NSA’s.) And we’ll touch on key concepts from these resources throughout the article.
Why Zero Trust Matters: Looking Beyond the Surface to Secure Your Digital Assets
We live in a time when you can no longer take things at face value. You can’t simply assume that someone is who they claim to be simply because they type in a username and password; all it takes is a small third-party data breach for someone’s password to become known to the dark web. And if that person uses that same password to secure multiple accounts, then attackers can use it to brute force their way into their accounts.
This is why it’s crucial that we look much deeper and look at other verifiable and contextual information. This approach helps us determine whether someone requesting access to sensitive resources is authentic and has the authorization to access those assets.
Discussing this topic of zero trust always makes me think of scenes from the Mission: Impossible movie franchise. In several movies, Tom Cruise’s character, Ethan Hunt, wears masks and contact lenses to impersonate key characters. Sure, on the surface, he looks like each of the people he’s pretending to be. He can even use a voice modulator of some kind to sound like each person he’s impersonating. But just because he looks and sounds like that person doesn’t mean Ethan Hunt (Cruise) really is them.
Now, let’s leave Hollywood behind for a second and imagine if someone who looks and sounds like your boss or CEO walks into your building. You’d likely assume that it’s him or her. That would be pretty hard to fake, right? Heck, if I saw someone walk in who looked and spoke like our CEO, Bill Grueninger, I’d likely assume it’s really him, too. But if I walked up and started tugging on his face to see if it’s a latex mask or is the real deal, I’d likely find myself landing a really uncomfortable meeting with HR.
In a digital environment where users authenticate remotely, though, you need to have a way to verify their identities are legitimate. It makes you wonder what major cyber security incidents and data breaches may well have been avoided if the targeted organizations adopted zero trust policies and processes…
A zero-trust environment differs from a traditional security approach in that zero trust means you have continuously prove your trustworthiness, whereas a traditional environment means that once you’re inside the network, you’re automatically assumed to be safe.
Image caption: A set of illustrations that show the difference between a traditional trust-based network and a zero trust network.
Unfortunately, the traditional model no longer works in a world of credential phishing and session hijacking. You need more robust security and authentication measures in place.
If you search online, you’ll notice that different organizations approach zero trust in different ways. For the sake of this article, we’ll talk about the seven pillars of zero trust in terms of how the U.S. Department of Defense framework defines them. The seven zero trust pillars we outline below are overarching categories of focus for implementing zero trust. Each pillar involves monitoring and logging but also entails other specific protections.
Image source: A diagram we created based on the U.S. Department of Defense’s seven zero trust pillars with the addition of CA and PKI-based digital identity.
Users — Controlling access to protected resources by continuously authenticating users using digital identity components (such as client authentication certificates) and verifying users’ access authorizations.
Devices — Use device digital identity (think TPMs, device certificates, etc.) to authenticate access in real time. Devices also must be patched to mitigate vulnerabilities.
Network/Environment — Segmentation, isolation, and policy restrictions are three critical components to control access and manage how data moves on your network. This approach helps to restrict access and prevent lateral movement within the network.
Applications and Workloads — Whether you’re using resources that are on-prem, cloud, or a hybrid approach, the idea here is to secure the application layer.
Data —Secure your data by developing a comprehensive data management strategy and integrating data security measures such as at-rest and in-transit data encryption. This will help protect your data both while it’s on your servers or moving between two endpoints.
Visibility and Analytics — Having full visibility of your IT environment is crucial to keeping it secure. You can’t protect assets you don’t know exist, and you can’t stop attackers when you don’t realize something is wrong. You can gain actionable insights to improve your cyber security by analyzing your network’s traffic and user behaviors in real time to identify threats. Just be sure to consider that some traffic may contain sensitive data, so decide the best approach (such as informing users and obtaining their consent ahead of time).
Automation and Orchestration — Automation is a scalable approach that takes monotonous tasks off your team’s plates, freeing them up to focus on tasks that require critical thought processes. These tools also enable you to quickly sort through all the noise your security tools generate to find valuable data.
Zero trust as a cyber security approach has gained strong support over the last several years. This is partly because of the use of identity-based authentication and user authorization that’s required. In a nutshell, here’s a quick overview of how access controls and management play together to boost your organization’s cyber security:
Access controls are the rules, settings, and tools you use to control access to sensitive data and resources.
Access management is the process of setting up and managing who has authorization to access specific resources and systems.
Of course, neither of these things is foolproof and requires another security layer in the form of authentication. User and device authentication are all about ensuring that only entities (i.e., those whose digital identities have been verified and their authorizations confirmed) can access your secure digital assets.
A key element of the zero trust approach is a concept known as continuous authentication. The idea behind continuous authentication is that all network users, including your employees, must not only prove their identities when they first log in but also continuously prove their identities throughout their sessions.
Why is this necessary? Because session IDs can be set to last for extended periods — anywhere from a few hours to even a few weeks. This means that if a cybercriminal steals an authenticated user’s access tokens (session IDs and cookies), they can pretend to be them and access whatever protected resources their account has the authorization to access.
While some platforms have mechanisms to prevent authentication from happening, this may not always be the case. And it’s true that you can set timeout limits to take effect after certain periods, but if you don’t bother setting up these security limits, then it’s inevitable that at least one bad guy might slip through the cracks.
For zero trust security to work, you need to have a way to prove that you’re really you and aren’t an imposter who’s trying to fraudulently access sensitive data, systems, and other resources. The way to achieve this level of reliable and verifiable digital identity is through the use of public key infrastructure (PKI) and digital certificates. (We’ve talked a lot about these concepts before, but we’ll talk more about them again a little later in the article.)
Digital certificates are small data files that pack massive punches. They contain verified identifying information about you and/or your organization that a trusted authority (certificate authority) attests is authentic.
You can think of digital certificates in much the same way as an official passport: that little government-issued booklet contains verified information about you that proves your identity to people you’ve never met. This way, you can show your passport to airport security and other authorities (i.e., people who don’t know you) to prove you’re really you. (Sorry, there were a lot of “yous” in that paragraph.)
What do digital certificates and continuous authentication have to do with one another? Everything, really.
In a zero-trust environment, there are no implicitly or explicitly trusted users, devices, or zones within your network or IT environment. The digital identities of everything and everyone must be authenticated continuously using verifiable methods — period. And digital certificates are a means of doing precisely that.
Digital certificates enable trusted third parties to attest to your digital identity’s authenticity. It’s kind of the digital equivalent of how the U.S. Department of State attests to an American’s identity each time it issues a passport.
In a zero-trust environment, each employee, device, or other network user must have a way to mutually authenticate in a way that’s verifiable. How? By using a security mechanism that the security of the internet itself is built upon: public key infrastructure (PKI).
Public key infrastructure is the combination of rules, processes and technologies that enable two parties to communicate securely. Without PKI, if you were trying to connect to your bank’s website, it would be risky: you wouldn’t have a way to securely send your data because you wouldn’t know for sure who was on the other end of the connection. Even if the connection is encrypted, if you’re connecting to a cybercriminal, they’d have the decryption key to unscramble your data and read it.
Remember the DoD Zero Trust initiative that we mentioned earlier? Its DoD Zero Trust Architecture document shares one of the most beautiful lines we could hope to read in a government resource as an explanation: “The use of mutual authentication of users with PKI-based client authentication or mutual authentication certificates to web applications has long been the effective standard.”
Darned right, it is. And that’s because PKI isn’t the new kid on the block; it’s been around the block many times since its inception in the mid-1980s. PKI has served as the trusted foundation of internet security since that time because it’s what enables secure remote communications and data transmissions that, otherwise, would be impossible.
When it comes to remote user authentication and access, looking beneath the surface is a necessity. You can’t simply see that someone logs in using a basic username-password combination and assume it’s the legitimate account owner; you need an additional layer of verification that continually proves it’s the authentic user. Adopting a zero-trust approach can help in several ways:
Implementing zero trust is a way to prevent cybercriminals from taking advantage of vulnerable access tokens (session cookies, IDs, or weak credentials) to gain access to sensitive resources while pretending to be legitimate network users. Yup, that’s right — if even one of your employees who has privileged access uses a weak password for their account, it could be game over for your business. All it takes is one bad enough “oops” to cause you to face immense penalties, lawsuits, or even have to close your doors forever.
Incorporating zero trust into your cybersecurity strategy is also a great way to help protect your organization’s reputation, brand, and bottom line. Okta’s 2021 State of Digital Trust report shows that 75% of American consumers say they likely won’t do business with brands they don’t trust (i.e., after a data breach or misuse of data). Almost half, a whopping 47%, say they’d take things a step further and would permanently stop using a company’s services for the same reasons.
Imagine what would happen if an unauthorized user gained access to your most sensitive data. This could be your intellectual property (IP), customers’ financial data, or even employees’ records. Regardless of which type of data they get their slimy paws on, exposing sensitive data would spell disaster for your organization.
In addition to the no-brainer reason of you don’t want your information accessed by unauthorized individuals, there are also other concerns that adopting zero trust could help you avoid
Non-compliance issues with regard to industry standards,
Data breaches that can lead to hefty fines, penalties, and lawsuits,
Your reputation taking a big hit, and
Customers not trusting you or your services.
We’ve seen this type of scenario happen time and again in various data breaches. Here’s a quick example of what could happen without a continuous authentication mechanism in place:
An attacker phishes one of your company’s key employees, tricking or manipulating them into coughing up their privileged access credentials or session ID. This may not be hard considering that IBM’s X-Force Threat Intelligence reports phishing as the attack vector in two in five incidents their team responded to.
The attacker uses their login info or session ID to access secure resources using that employee’s account. Once in, they’re able to move laterally across the company’s network — accessing applications, databases, and other resources that the employee’s compromised account has access to — pillaging as they go.
Once they find interesting and valuable data, the attacker exfiltrates whatever data they can to an external server they control before installing malware onto your systems. It’s a devastating one-two punch you never saw coming that can bring your company to its knees.
Image caption: A diagram that illustrates the basic concept of how an attacker can exploit compromised credentials in a non-zero trust environment.
Because your organization didn’t require continuous authentication (i.e., didn’t implement zero trust) or have restricted policies in place that are enforced, your IT security admin or cyber security team doesn’t realize that anything is amiss until it’s too late. Now, you’re not only dealing with a data breach, you’re also scrambling to deal with the ransomware situation as well.
But wouldn’t a firewall be able to tip off your cyber defenders that something’s wrong? Sure, event logs will show a significant increase in traffic. But since the traffic appears to be legitimate (because the attacker is using the employee’s legitimate credentials, may be using a proxy IP address to disguise their true location, and you’re not analyzing device identity attributes or behaviors), they may not initially realize that it’s actually an external attacker and not your legitimate employee accessing your systems until the damage has already been done.
Oh boy. We hope you have business continuity, disaster response and disaster recovery plans in place, and that those plans are not only current but that your employees know what their roles and responsibilities are! Cyber resilience is crucial; but without the right security mechanisms, strategies and plans in place, you may not like the outcome.
Insider Threats in Action: A Real-World Look at the Elliott Greenleaf Breach (2021)
Attackers are becoming increasingly sophisticated and potential attack surfaces are expanding. As such, our defense of these systems must become more robust and dynamic. To go beyond discussing zero trust from a largely conceptual standpoint, let’s dive deeper and explore the damage caused to a real-world organization by bad actors within its trusted internal network.
What Happened
In January 2021, the Pennsylvania law firm Elliott Greenleaf was the victim of an insider attack and sustained catastrophic financial losses, according to WestLaw.com. According to multiple reports, four attorneys and a paralegal secretly downloaded a slew of invaluable sensitive data, including confidential files, trade secrets, and client lists. Their actions as insider threats resulted in irreparable damages to their former employer, which has since filed a lawsuit against the four attorneys and the paralegal.
“The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation. This threat can include damage through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of organizational resources or capabilities.”
As it turns out, these legal professionals, who were trusted to operate internal systems (seemingly with little to no oversight), were wolves in sheep’s clothing. They were joining a rival law firm in Delaware (Armstrong Teasdale) and, it appears, wanted to take Elliott Greenleaf’s info with them.
Unfortunately, this isn’t an uncommon scenario; Code42’s research shows that there’s a one in three chance an organization will lose intellectual property when one of its employees quits.
How It Happened
Let’s quickly break down what occurred that enabled these insiders to wreak havoc based on information shared by Digital Guardian and WestLaw:
The attorneys had immense access to files and data. The attackers had access to read, steal, and destroy highly sensitive information. For example, they reportedly shredded 288 lbs of physical documents. (That’s approximately 28,800 pieces of paper if you’re using standard copy paper). In some cases, they enlisted the help of the paralegal to get certain data for them.
They accessed systems that appear to lack monitoring and/or alerts. To steal data, they were able to use one or more personal USB devices and had cloud-based file-sharing apps installed on their company devices.
They were able to send and delete emails containing sensitive information without detection. As such, they could send additional sensitive information to personal email accounts — and subsequently “double-delete” the messages in an attempt to cover their trails. Granted, the company says it’s able to access the delete emails via their data backup systems, but by that time, the damage had already been done.
The Big Takeaway From the Elliott Greenleaf Law Firm Situation
Unfortunately, the Elliott Greenleaf law firmed learned a valuable lesson the hard way: This catastrophe likely could have been prevented (or identifier earlier) if Elliott Greenleaf had adopted a zero trust approach. With zero trust:
the employees’ access should have been continuously verified across all systems,
their reach (i.e., their permissions and breadth of access) should have been restricted to only what they needed to do their jobs (think policy of least privilege), and
their access to resources and use of USB devices should have been disabled — or, at the very least, monitored, logged, and analyzed.
It’s our hope that you that you keep this story in mind and recognize that the threat from within your organization can be as, if not more, dangerous than outside attackers. Although the damage caused by this insider breach is irreversible, future attacks of this nature can be prevented through by adopting a zero trust posture.
Now, we’re not going to get into the nitty-gritty of how to actually implement zero trust. There’s far too much information that would need to be covered that it would, basically, entail creating a whole other article. However, NIST (SP 800-207) and the DoD (DoD Zero Trust Reference Architecture) provide some guidance for federal agencies on how to build zero trust architectures (from the ground up or migrate their systems to zero trust over time). Some of this information may be useful to your organization as well.
Adopting a Zero Trust Strategy Is One of the Best Ways to Secure Your Organization
Zero trust isn’t totally new, and it certainly isn’t going anywhere anytime soon. It’s gaining traction over time. Okta reports that 55% of surveyed organizations globally indicate that they have a zero trust initiative in place. A whopping 85% of global 2000 (G2000) companies said they’d allocated “moderate” or “significant” year-over-year increases in budgets to fund these initiatives.
Of course, there is still room for improvement. Research from Forrester and Illumio shows that only 6% of organizations indicate that they have fully deployed zero trust within their IT environments. But, hey, it’s a start, right?
One of the key attributes of zero trust is limiting who has access to what. This involves setting and enforcing policies, using verifiable digital identity, following the least privilege principle, monitoring all access attempts and behaviors, etc. By limiting a user’s reach to only the resources and systems they need to do their jobs, you reduce your attack surface. So, rather than having cybercriminals have access to everything, they can only access the systems and data that the user is authorized to access.
In a zero-trust environment, a bad guy will first have to go through a series of verification checks to ensure they’re the authentic user. If they fail that, then they won’t get access to anything. If they succeed, then at least their reach will be restricted to the privileges you’ve assigned the compromised user’s profile. And since you’re keeping an eye on everything and are logging everything for analysis, it’ll help you better mitigate these issues in the future.
HTTPS is the difference between transmitting sensitive information securely to your bank and allowing cybercriminals to steal that data so they can use it to commit crimes. But there are some misconceptions about what HTTPS means that we want to clear up…
Every day, you use websites to make purchases and pay bills online. But how do you know whether the website you’re using is safe and secure? If you’re like most users, you look for the little padlock icon in your web address bar and think you’re using a safe website. But what if that’s only part of the equation — what if that icon doesn’t tell you the whole story?
Cybercriminals love to exploit ignorance about what that little padlock security icon and HTTPS really mean. It reminds me of a scene from Monty Python and the Holy Grail, where some of King Arthur’s Knights of the Round Table follow an icon in the sky to what they believe is the secret location of the Holy Grail. Turns out, it wasn’t really the Grail, but the young women were using it to lure Grail-seekers to their castle.
In much the same way, the security icon in your browser may be lulling you or other users into a false sense of security. Those security indicators aren’t saying that the connection is safe; they’re conveying that a connection is secure. Yes, there is a difference. And understanding HTTPS will help you better understand what that difference is and why it matters. That’s why we’re here to answer questions like “what is HTTPS?” and “what does HTTPS stand for?”
Let’s hash it out.
What Does HTTPS Stand For? A Simple Definition and Explanation of What HTTPS Is
HTTPS stands for “hypertext transfer protocol secure.” Essentially, it’s a set of rules that enable two entities (e.g., users and websites.) to exchange sensitive data online securely. This protocol enables your client (i.e., your browser) and the server it’s connecting to, to forge a secure, encrypted connection using the secure transport layer security (TLS) protocol. This is why it’s also sometimes called HTTP over TLS.
HTTPS is the secure version of the traditional HTTP protocol. Without it, information would transmit in plaintext format, enabling cybercriminals to read, steal, and alter the data in transit. It’s all about using authenticated digital identity and encryption to establish secure connections.
Here’s a quick visual overview of the difference between HTTP and HTTPS website connections:
Image caption: A set of comparison illustrations that showcase the difference between HTTPS and HTTP connections in terms of security.
What Role Does Encryption Play in HTTPS?
HTTPS uses encryption to protect data (such as credit cards, passwords, etc.) from being read by unauthorized parties while it’s travelling across the internet.
Encryption is the cryptographic process of taking plaintext data and scrambling it into random characters to disguise the message using cryptographic algorithms and keys. As a website owner, you use TLS connections (formerly secure sockets layer, or SSL connections) to encrypt the communication channel between users’ web clients and your server.
When you use encryption, you’re preventing bad guys from gaining access to your sensitive data by scrambling it. The only way they’d be able to access the information you send is by having your decryption key. So long as you take the appropriate steps to carefully manage your keys and keep them secure using a key management solution, then you don’t have anything to worry about.
But encryption is only useful if you know who’s on the other side of the connection…
Authentication Helps Ensure You’re Connecting to the Right Entity
As a user, authentication is what helps ensure that you’re connecting to a legitimate website and not an imposter’s phishing site. Your browser will review the website’s SSL/TLS certificate information (i.e., website security certificate), which has been validated by a trusted third party known as a certificate authority (CA). If everything is as it should be, then your browser will continue with the process of establishing a secure connection with the server. If not, your client will terminate the connection and display an ugly “Your connection is not private” message (or another similar warning).
Remember how, at the beginning of the article, I’d mentioned that safe and secure aren’t synonymous terms? This is because you can have a secure (encrypted) connection, but if you don’t know who is sitting on the other end of the connection to receive your encrypted sensitive information, then it isn’t safe.
Why? Because you’re handing over your sensitive data to an unknown entity. Even if your data is sent via an encrypted connection, there could be a bad guy sitting on the other end with the secret key. Once they decrypt your sensitive data, they could sell it or use it for other nefarious purposes.
This is why encryption and authentication are both used in establishing HTTPS connections. All SSL/TLS certificates authenticate the website’s domain name, but only high-assurance certificates authenticate who (e.g., what organization) is running the website (more on that in a bit).
How HTTPS Works When You Connect to a Website
We’ve already written at length about how HTTPS works, so we’re not going to re-hash all of that here. However, here’s a quick and basic overview of how it works:
When a user connects to a secure website, their web client (browser) tries to verify the website’s digital identity. The idea here is that the user’s client will reach out to the web server. The server will respond with its SSL/TLS certificate (along with other important info), which the client will check its veracity, and then the two parties can move forward with the connection process.
The user’s client connects initially via an asymmetric connection.Asymmetric encryption means two cryptographic keys are involved — one that encrypts data (public key) and one that decrypts it (private key). This enables the browser and website’s server to hash out how they want to connect and exchange key-related information.
Once both parties use that info to generate a symmetric (meaning the same/identical) key, they can connect using a symmetrically encrypted connection. Once this happens, anyone outside that secure connection who intercepts the data will just see gibberish if they don’t have the necessary secret key.
So, How Can You Tell If a Website Is Using HTTPS?
As a website user, it’s crucial that you use secure websites when sharing or transmitting any type of sensitive information (including your username and password by logging in). But how can you tell whether you’re using a secure website? There are a few telltale signs:
You’ll see “https://” in your web address bar. When the URL for the website you’re visiting starts with https:// instead of http://, then it means you’re using a secure (encrypted) website.
You’ll see a padlock icon in your web browser. That little security icon means the server the website is on has an SSL/TLS certificate involved. If you see verified company information in the browser as well, they’re using a high-assurance SSL/TLS certificate. This means that a publicly trusted certificate authority issued the certificate after verifying the organization or business is legitimate using official resources.
Image caption: A screenshot from Wells Fargo’s website, which shows both the secure padlock icon and the company’s verified information as the certificate subject (i.e., the entity that the certificate was issued to).
It’s always a good idea to check a website’s certificate (like above) to see if the organization running the website has been authenticated. This gives you another layer of protection to ensure you’re sending your info to the organization you intend to.
Where You’ll Find HTTPS In Use
HTTPS can be found virtually everywhere online. W3Techs reports that 81.3% of websites they surveyed use HTTPS as their default protocol as of Jan. 9, 2023. (This was the latest data available at the time this article was written.) High-traffic websites tend to use HTTPS, whereas low-traffic websites tend to use the insecure HTTP protocol. So, it only makes sense that the average web page visit is more likely to be an HTTPS URL than an HTTP one.
Image caption: A screenshot of a W3Tech’s historical trend data for the HTTPS default protocol usage statistics over the last year. It shows information from Jan. 1, 2022 through Jan. 9, 2023.
HTTPS is used for transmitting plaintext information securely across the internet in a way that helps to protect it from being read by unauthorized parties. Ideally, you’ll find HTTPS connections used for all websites that transmit, collect, process, or secure sensitive information. This should always be the case for:
Banks, billing, and other financial websites
Ecommerce sites
Healthcare provider
Other sensitive data transmissions
Why Is HTTPS Necessary?
The internet — an open, insecure network — is an inherently insecure place. When data transmits over the internet without encryption and other cryptographic security measures, it’s vulnerable to man-in-the-middle (MitM) attacks. This means that someone could intercept your data as it travels between your computer and the website it’s connected to and alter key pieces of information.
This means that when you log into your bank, if you don’t use a secure connection, someone could intercept your data in transit and steal or modify it to say something false. For example, you could set a $500 financial transfer to a friend, but a MitM attacker could change that amount to $2,500 and swap out the friend’s bank account info for yours without your knowledge.
By using a secure HTTPS connection, you’re using a combination of asymmetric and symmetric encryption to prevent bad guys from seeing your plaintext data in transit. But security isn’t the only reason to use HTTPS: it’s also considered a Google search ranking factor. If you want your website to rank well on the world’s leading search engine, then you’ll want to use HTTPS.
How to Enable HTTPS on Your Website
To enable HTTPS on your website, you’ll want to get an SSL/TLS certificate and install it on your website’s server. Of course, we offer great prices on certificates from trusted third-party certificate authorities (CA) like DigiCert and Sectigo.
You’ll need to complete a certificate signing request (CSR) and then wait for the CA to validate you. Depending on the certificate authority and the level of validation you choose, this could take a few minutes or a few days.
Once this process is complete and the CA issues the certificate, you’ll need to collect it along with your intermediate CA certificate and install both on your web server. Depending on your server or hosting platform, you may need to enable the certificate and set your website to use HTTPS.
Lastly, use our handy SSL Checker Tool to ensure that everything is properly configured.
Final Thoughts on HTTPS
We hope this article has provided some clarity and understanding about what HTTPS and why it’s so important in our digital world.
As a website owner, it’s easy to see why running your website on HTTP is no longer a viable option. Between the hit your website’s ranking will take and the security risks posed by not using encryption, every website owner would be wise to enable HTTPS.
As a website user, you’d be smart to only use websites that have HTTPS enabled and, ideally, a visual indicator of verified digital identity. Using insecure websites means that your data is at risk of compromise. If a company isn’t willing to do at least the bare minimum to keep your data secure, it’s probably not an organization you want to do business with.
Why are organizations turning to software-defined wide area networks? Explore why organizations should consider adopting an SD-WAN approach to revamp their digital networks
Editor’s Note: This is a guest blog contribution from Nahla Davies, a software developer and IT/tech writer. Davies explores what a software defined wide area network is, how it’s commonly used, and how you can transition your business to using this connectivity approach.
Increasing your organization’s networking capabilities, security, and bandwidth is necessary to enable corporate growth. This is particularly true for multi-site organizations that increasingly rely on cloud apps, teleconferencing, and video streaming tools. The COVID-19 pandemic has exacerbated these bandwidth concerns; outdated wide area networks (WANs) are incapable of scaling adequately to meet increasing demand, forcing organizations to look for a better solution to support their digital strategies.
It has been possible for individuals and businesses of all sizes to access high-speed Internet connections and critical data thanks to software-defined wide area networks, or SD-WANs. The SD-WAN market, worth $1.4 billion in 2019, is predicted to be worth $43 billion by 2030, according to Prescient & Strategic (P&S) Intelligence research. This means a compound annual growth rate (CAGR) of more than 38% over the forecast period (2020-2030).
But what is an SD-WAN and how could using one benefit your organization?
Let’s hash it out.
What Is a Software-Defined Wide Area Network? SD-WAN Explained
SD-WAN is the abbreviation for “software-defined wide area network.” It’s a way for you to connect your devices, systems and offices globally using multiple network connection methods, alternating between connections based on whatever provides the greatest connectivity in any given moment. The idea behind this flexible approach of distributing (routing) traffic across your network is to help you save money and increase network performance.
SD-WAN is a term that refers to a programmatic and automated way to manage your global enterprise’s network connectivity and circuit expenses through the use of virtual services. This software-based virtual network technology is more relevant than ever before for an increasingly remote workforce. It can assist you in providing your company’s network with reliable connectivity and significantly help tackle internet of things (IoT) security risks to ensure data privacy.
Other features of the SD-WAN include connecting your onsite and offsite resources instantly. SD-WANs use software to manage the connection between remote branches, data centers, and cloud instances.
Need a visual aid to understand these concepts? Check out this video:
A local area network, or LAN, is the traditional network that works within your on-premises office to allow devices locally to connect and communicate with one another in a single, limited area. This differs from a vast wide area network (WAN), which connects devices located in remote offices or branches with applications and other network resources. WANs require a multitude of routers to operate at the locations to enable the branches to communicate — each of which must be managed and have rules created for it by your IT admin.
In general terms, LAN refers to the interconnected devices from within a building, while WAN refers to the interconnected devices from outside of the building. Both of these differ from an SD-WAN, which refers to routing traffic to different remote locations. SD-WAN also improves the hybrid WAN through packet management, bandwidth efficiency, dynamic path optimizations, applications monitoring and improved performance.
SD also makes it a lot easier to separate networks (such as public, private, and IoT networks). Historically, this would be a challenging task because it would require different switches or subnets. But some SD-capable routers can handle this separation fairly easily and quickly.
Image caption: A WAN is a traditional network that’s dependent on hardware devices. SD-WAN is software that’s used to manage the WAN instead of only physical hardware.Image caption: A LAN is a series of devices that can connect to the Internet that link together as one network from a centralized location
Popular Use Cases for SD-WAN
Before implementing an SD-WAN, it is vital to identify and organize your organization’s needs and its role in developing your business strategy. The following use cases represent a set of possible uses of SD-WANs (depending on the particular environment and your specific business goals). Always make sure to ask how SD-WANs can benefit your business and customers.
1. Direct Internet Access (DIA)
Integrated and cloud-based security offers better protection against Internet assaults. Dedicated internet access frees up bandwidth on the WAN while enhancing security and speeding up internet usage for branch employees and visitors. Branch employees and guests can connect locally via DIA, which reduces traffic on your WAN and improves internet speed. As a result, the branch now has a direct connection to the Internet, saving time and money.
Despite being predominantly software-centric, SD-WAN still requires some sort of hardware devices to operate (i.e., SD-WAN routers). However, while traditional WAN requires quite a lot of work and time to handle network operations, SD-WAN can reduce those efforts to a minimum. In fact, several SD-WAN devices offered today on the market such as devices offered by Cisco are plug-and-play (zero-touch provisioning) and brought online without administrative intervention at the branch/remote office.
2. Branch-to-Branch Connectivity
Organizations that need high-throughput, continuous connections from multiple offices have traditionally relied on multiprotocol label switching (MPLS) circuits or virtual private network (VPN) tunnels. MPLS circuits are a telecommunication routing method that transfers data from one node to another by identifying existing pathways between endpoints, while VPNs are designed to encrypt data shared over public networks.
SD-WAN has emerged as a new solution for branch-to-branch connections. It can minimize the burden and cost of managing the connectivity of branch offices with MPLS. SD-WAN simplifies and accelerates the procedure, so no excess time is wasted in standard ways to set up internet breakouts from branch/remote offices is time-consuming and mistake-prone. In contrast to typical networks, SD-WAN solutions do not depend on the traditional hub-and-spoke model, which might cause performance issues.
Existing ways to safeguard all user sites can be slow and error prone. Consider a scenario where dozens of users use a cloud-based service from different locations. SD-WAN can conveniently connect those users into one virtual location using SD-centralized WAN control and automation.
When branches link directly to the data center or cloud, transit time and overhead are reduced, bottlenecks are eliminated, and application performance is improved.
3. Application Performance Optimization
SD-WANs help network administrators define service-level agreements (SLAs) for specific applications by using SD-WAN to craft and enforce their own internal SLAs that match the requirements of the business. Specifically, teams can set parameters for uptime, fix times, and latency. This ensures that traffic is routed efficiently to meet those SLAs while also alleviating congestion, improves application performance, and possibly lowers networking costs. It allows the use of centralized application controls, which automatically direct critical programs around network difficulties
When an SD-WAN is in place, applications no longer need to be re-routed through the central site. SD-WAN enables managers to prioritize mission-critical apps and route traffic via the best transport available. For example, if you need to prioritize voice traffic over email, you can configure SD-WAN devices to prioritize voice packets (think VoIP) over other data. This will contribute to ensuring a smooth call experience.
Moreover, SD-WAN managers can prioritize key applications while deprioritizing less important ones using application-aware quality of service (QoS) capabilities. This can be used to offer precedence to the most critical applications, resulting in faster response times when the apps are managed directly. They can also monitor the SD-WAN environment at a high level to detect faults in real time.
4. Cloud Migration
The superior branch and cloud connectivity, application prioritization, and better visibility into network traffic are all good reasons why it’s worth considering SD-WAN for your cloud-first strategies.
Traditional WANs can only support applications from a central data center. But SD-WANs have been designed to fulfill the most stringent demands of cloud computing. They:
Enable direct cloud access to all applications regardless of where the employee is located physically.
Support application-based routing, allowing every app to use the most appropriate wide-area service per its needs.
Enable all organization’s branches to get direct access to the internet.
On top of this, multi-cloud apps offer visibility and help simplify management.
6 Benefits of Transitioning to SD-WAN
Now that we’ve covered the basics of SD-WAN, let’s look at some of how SD-WAN can help enable digital transformation within your organization.
1. Secure Networks With Comprehensive Data Encryption
Experts aren’t in agreement about the security of SD-WANs. Some say they offer better security; others say they provide weaker security. Security teams would be wise to keep in mind that just because SD-WAN offers encrypted traffic as an initial level of defense, further defenses will be a must. But encryption isn’t everything; because you’re talking about a distributed system, encryption alone won’t cover all security aspects. You need other protections in place as well.
However, there is no industry standard for implementing security into SD-WAN. Several approaches include:
Ensuring PCI DSS Compliance — Always ensure PCI-DSS compliance when transmitting sensitive customer or business financial data. SD-WAN allows you to segregate POS systems and other critical networks so you can isolate the POS system and its transmitted financial information from the rest of the network (better for data security). This is possible thanks to the flexible segmentation and provisioning capabilities that SD-WAN offers.
Enabling encryption — Many SD-WAN tools enable you to use AES-256 encryption to secure traffic by application, so you can protect site-to-site traffic at any of your branch locations.
Using next-generation firewalls — Even though most SD-WAN solutions come equipped with built-in firewalls, they often only include basic security filters such as packet filtering to reduce unauthorized access. However, they lack end-to-end coverage that remote enterprises require. Next-generation firewalls offer more advanced security methods, including deep packet inspection (DPI) and intrusion detection and prevention capabilities.
On that last note, firewalls included in low-cost SD-WAN appliances especially are often no different from those found in routers sold by big-box electronics stores. SD-WAN may have some capabilities that appear to improve cybersecurity, but these technologies aren’t always as robust as they would appear to be. Some SD-WAN suppliers advise you to replace them with a separate cloud-based firewall solution. This will also enable you to implement a centralized policy control for all locations and, when needed, push policy changes to multiple branches in a matter of seconds.
A new trend that complements SD-WAN and security technologies, known as SASE (an acronym for Secure Access Service Edge that was created by Gartner), can help your network be secure. In a nutshell, SASE is a kind of SD-WAN on steroids. It can do everything SD-WAN can do and more. It provides advanced, integrated security features, and it’s deployed in the cloud. Thanks to SASE, organizations can easily implement zero trust security (i.e., no device, user, or system should be trusted by default).
2. Fast and Dependable Connectivity
Enterprise networks usually fail to keep pace with the digital transformation of their consumers. SD-WAN can offer the necessary adjustments. It can help businesses support digital technologies such as voice over IP (VoIP), IoT, and corporate productivity apps.
Companies can use SD-WAN to establish fast and dependable connectivity for next-generation services and bring all their branches, sites, or locations on-net for business applications. They can do all this while also improving their capacity to track and regulate end-user experience at each location.
3. Better Network/Service Availability and Uptime
To succeed in the digital age, your company must first decide whether to implement a digital transformation strategy. However, a seamless failover is just as important if a critical process is dependent on uptime and availability. You might also want to look into application recognition with deep SSL inspection and traffic steering. The advantage of SD-WAN is its capacity to fine-tune and alter connections to assure peak performance.
4. Increased Data Transportation Flexibility
SD-WAN provides flexibility and agility through dynamic resource allocation, application-aware traffic routing, and short lead times for adding capacity and connectivity. Zero-touch provisioning and automatic network administration also simplify and minimize operation and management.
Creating an underlay network using SD-WAN is a lot more flexible than a traditional WAN. Paired with other integrations (such as ADSL, VDSL, and even 4G LTE), there’s virtually no limit to what you can do. This flexibility in transportation will enable branches to be connected more efficiently, regardless of their geographical location or any carrier limitations.
Utilizing the most cost-effective or acceptable bandwidth is possible depending on where a business or site is located.
Thanks to a centralized control base, it intelligently and securely routes traffic across several locations while concurrently adjusting bandwidth where it is most needed. Enterprises can benefit from broadband hauls without having to dismantle everything.
How? You may see an immediate return on investment due to:
Reduced infrastructure costs
Greater efficiency and reliability of cloud-enabled network services
Consolidation with intelligent, flexible, and secure routing
Greater flexibility due to on-premises or cloud-based controllers
Integrated LTE connectivity
In some cases, enterprises may expect a 100% ROI from a fully integrated SD-WAN solution within three years. Some clients can accomplish this in just one year of implementation.
Hence, there’s less need to spend money on more expensive multi-protocol label switching (MPLS) links because direct internet links can handle the need for more bandwidth.
6. Preparation for Future Digital Innovations
SD-WAN becomes one component of the giant digital transformation puzzle in a business setting. Shifting to a software-driven virtual network could pave the way for future digital innovations because digital transformation requires the right mindset and a plan.
Remember P&S’s SD-WAN market size increase to $43 billion (by 2030) mentioned at the beginning of this article? This may be true for a variety of reasons. For starters, modern workplaces increasingly need to simplify their networks and more flexibility and efficiency when it comes to deploying cloud-based solutions.
If your company relies on a traditional WAN, you’ll want to consider turning to infrastructure-as-a-service (IaaS) and SaaS. Once done, you can add SD-WAN and replace your router-centric WAN with it. It’ll help you ensure reliable connections, faster access to applications, and integrated security. It may also help you cut costs by streamlining and automating your remote app distribution to offices globally.
How to Transition Your Existing Digital Network to SD-WAN
Right from the outset, security and networking specialists need to work together to develop comprehensive security policies with scalability in mind.
While you’re at it, don’t forget to define your transformation goals and SD-WAN solution scope and then move on to the following steps:
1. Assess Your SD-WAN Management Portal
Your SD-WAN management portal needs to be robust. So, you must identify if there are any issues with the SaaS application, data center, device stack performance, and network. Ensure that the application and connectivity health can be viewed in a single dashboard. It makes it easier to identify and report problems, ensuring that end-user performance is visible. If you want to make network modifications and configurations at any branch office in any part of the world, you should be able to use a portal.
2. Adapt to Real-Time Changes
Security solutions, such as segmenting and encrypting network traffic, must be able to respond to changes in the network that occur in real-time. The reality is that keeping up with the dynamic connections is essential to SD-WAN operations. This method can help the security function track and analyze data while also encrypting and decrypting with SSL/TLS so security teams can stay on top of potential security concerns.
3. Automate Your Security Mechanisms
SD-WANs are designed with integrated, automated security mechanisms built into the network as a best practice. As noted previously, just be aware that certain SD-WANs come equipped with only basic security features (such as basic firewalls); as such, you may want to consider updating to stronger versions.
4. Mitigate Software Vulnerabilities
Modern tech may introduce new gaps into your network architecture, compromising its security. Ensure that your SD-WAN provider has a rigorous vulnerability scanning mechanism and quality assurance (QA) process before releasing their code to the production environment. You should also inquire about their approach to security regarding industry and regional compliance considerations or whether they have conducted any vulnerability scanning and obtained the results.
Lastly, ensure that your SD-WAN provides regular updates to fill security patches.
Top Criteria for Selecting an SD-WAN Vendor
Corporate decision-makers and network planners intending to install an SD-WAN should consider a set of criteria that helps identify a solution’s capabilities and whether they align with the company’s goals. Here are some factors you should look for while picking an SD-WAN vendor.
1. Strong Network Security
When selecting an SD-WAN vendor, it’s good to consider security concerns. Businesses should partner with an SD-WAN provider that places a high priority on security when offering the service. Secure tunnels and encrypted traffic are standard features in SD-WAN, which provides a significant layer of security.
An IT provider, on the other hand, should provide additional layers of security such as:
Round-the-clock monitoring. This should be managed and provided by a managed service provider (MSP) that can monitor and report on its ongoing security status.
Automated threat detection. This can be managed via real-time threat detection software.
Managed firewalls. Make sure the service covers the administration, maintenance, and monitoring of your firewalls
Alerts and notifications. You should be notified instantly regarding potential security breaches
Security incident remediation. What steps are in place to ensure that the breach will be addressed if/when it occurs? Plan ahead of time.
This is all part of laying the groundwork for the overall design you’ve chosen.
2. Control and Visibility
To effectively manage a network, optimize application performance, and keep the entire environment safe, it’s essential to have comprehensive visibility in every aspect of it. As SD-WAN evolves, it can resolve issues more quickly and gain more insight into future expansion.
3. Features and Customization Capabilities
The extensibility of SD-WAN providers should be considered when evaluating the qualities of their products and services. Also, make it a priority to simplify the process of adding further capabilities that promote scalability when needed, such as:
Cloud connectivity
Encryption key rotation
Data Analytics
Programmable APIs (so you can customize and scale SD-WAN gear’s configurations)
4. WAN Bandwidth Requirements
Think about what your WAN bandwidth needs are now and how they might grow in the future (three-five years). Ensure you’re getting the bandwidth you need to get the most out of your system.
As a general rule, the average small business with 10 or fewer employees shouldn’t need more than 10-15 Mbps. But a business that involves downloading large files of content on a regular basis, backup services, and cloud-based file-sharing services will likely need at least 50 Mbps.
5. Costs
Due to the SD WAN’s lack of hardware controls, it’s often regarded as being less expensive than traditional hardware-based networks. But there’s no doubt that the cost of an SD-WAN solution differs from one provider to another. Monitor your consumption expenditures to ensure they’re decreasing as anticipated.
If you’re content with the performance, make sure you only pay for what you’re getting. Don’t settle for shoddy work at a premium price.
6. Deployment Capabilities
It is now possible for your company to centrally manage the deployment of services across a distributed network using SD-WAN and network function virtualization (NFV), or utilizing virtual machines in place of physical appliance hardware.
Final Thoughts on Transforming Your Digital Networks With SD-WAN
SD-WAN provides an effective way for businesses to manage their remote network connectivity means via virtual services. Businesses globally are already benefiting from SD-WAN, and further technological advancements can inevitably increase the amount of business support they provide.
Cloud and SaaS services like Workday, Salesforce, Microsoft 365, and Dropbox can benefit from SD-WAN technology optimized for excellent application performance in on-premises data centers and public or private clouds. This way, cloud-first companies can deliver higher application quality of experience (QoEx) to their customers.
Whether you’re a software creator or software buyer, you’re vulnerable to software supply chain attacks. Here’s how you can protect your company and customers…
What would happen if a popular software (one that’s widely used across your organization and is sourced from a reputable vendor) turned out to have malicious code in it that allowed hackers to remotely access and control your employees’ machines? Unfortunately, that’s not just a hypothetical — that’s how many real-world (and costly) cyber attacks have actually happened.
Software supply chain attacks are one of the scariest types of cyber attacks because they’re carefully planned to cascade “downstream” to achieve the biggest impact possible. The idea here is that the attacker tries to compromise every person and organization using the affected software product or component.
A good example of a supply chain attack is the SolarWinds hack in 2020: hackers gained access to the SolarWinds build servers and inserted malicious code into the codebase for their Orion software. This allowed the attackers to gain access into any organization that installed the Orion software. This means that organizations using the well-known, reputable software product (Orion) were unknowingly giving a sophisticated hacker group access to their systems. Thousands of organizations were compromised this way, including major U.S. federal government and NATO agencies.
As such, software supply chain attacks are a growing concern for both software makers and software buyers:
Anchore’s 2022 research shows that 62% of respondents indicate that software supply chain attacks have impacted their enterprises in the last year.
It only takes one line of compromised code in one piece of software you use to impact all of your customers (and more).
Knowing this, how can you protect your organization against supply chain attacks? Let’s take a look at the basics of supply chain security, then explore practical advice from eight IT and cybersecurity experts on how you can protect your organization and customers. We’ll cover important tips for both software creators and software buyers — we’ve got a little something for everybody.
Let’s hash it out.
Software Supply Chain Security 101
What Is the Software Supply Chain?
Generally speaking, the software supply chain includes everything involved in the software development lifecycle. Practically, that means anyone and anything that could contribute or modify code that’s used in a software product, including:
The software vendor who makes a software product, including their developers and systems.
Creators of any third-party components or libraries included in the software (this could include individuals, organizations, and open-source communities)
Distributors and other vendors who may be able to modify software before it’s delivered to customers
Systems or parties involved in updating software once it’s been installed on the customers’ devices.
In many cases, the supply chain for a given software product can be very extensive, because most software is built using a mixture of code developed in-house and (many different) third-party components. Some of these third-party software components are so ubiquitous that we hardly even think about them — for example, it’s estimated that there are over one trillion SQLite databases in the world because SQLite is used as a component by so many popular software products.
What Is Software Supply Chain Security? It’s How You Prevent Software Supply Chain Attacks
Software supply chain security is about preventing bad guys from using your software supply chain as an attack vector to carry out attacks on your customers. The true targets in software supply chain attacks are your customers; you and your software products are just pawns they can use to achieve their goals.
Software supply chain security is about doing everything possible to prevent bad guys from infiltrating your network and deploying harmful code within your products that will be sent to customers. It encompasses all the policies, tools, and actions you (as a software vendor, for example) use to prevent these attacks.
When there are one or more vulnerable elements in your software supply chain, then your software product and overall organization are at risk. In a broad sense, supply chain cyber security is about securing everything relating to the process of how your software is created, distributed, and supported.
In particular, software supply chain security focuses on ensuring that malicious code or known security vulnerabilities cannot be added to a software product at any point. This includes ensuring that:
Software developers are writing code that follows security best practices
Third-party components (e.g., open-source libraries) are free of malicious code or vulnerabilities
Your codebase is protected against unauthorized code insertions or modifications and you’re tracking all changes that are made (and who made them)
Systems used to build/deploy software is protected against unauthorized access or injections
Software is protected against modification and unauthorized additions during distribution/delivery process to customers
Update processes to protect customers from receiving fake updates or legitimate updates that have malicious code injected
Why Software Supply Chain Security Matters
The truth of the matter is that software supply chain security issues affect everyone. Regardless of whether you’re creating software, supplying it, or buying it from others, no one likes unpleasant surprises. And that’s precisely what you get when you create or operate software with unknown vulnerabilities. But why is implementing strong software supply chain security so important? Let’s quickly go over a few key reasons:
You have a professional responsibility to yourself and/or your customers. As a software creator, you have a duty to adhere to software security standards. You’re responsible for safeguarding the software products, data, and supply chain that connects you with customers.
You’re regulatorily required to secure your data and systems. Building on the responsibility point — you’re also typically required to do so due to industry and regional regulations (depending on where you’re geographically based or countries you do business in globally). A couple of recent related examples can be seen in the National Institute of Standards and Technology (NIST) Special Publication 218 (SP-218), NIST Secure Software Development Framework, and U.S. Executive Order (EO) 14028. This executive order aims to enhance software supply chain security regarding the use of third-party software that federal agencies purchase and use. The NIST guidelines provide information relevant for software producers as well as the software purchasers (i.e., federal agencies).
Your reputation and customers’ trust are on the line. Trust matters, and once it’s broken, you may not get it back. In fact, nearly a quarter (24%) of surveyed consumers told Privitar that they’d either terminate business with companies after they’ve been breached, or they’d do less business with them in the future. As you can imagine, a data breach can have a devastating toll on your customers’ bottom lines, customer relationships, and future business opportunities. Now, imagine if they’re breached because of an issue with your software (due to its vulnerable software supply chain). As the software creator or its supplier, that would have a devasting effect on your reputation as well.
There’s no “re-do” button in software supply chain security. When it comes to securing your software logistics network, either you do it right or you don’t. Closing the stable door won’t do you any good if the horses already ran out. Dedicate the time and resources to secure your software supply chain from the get-go to prevent attacks from occurring.
How to Secure Your Organization’s Software Supply Chain
Most articles that talk about software supply chain security cover the topic from the perspective of software developers. And this is important, as this guide applies largely to that audience. But there are other considerations as well from the perspective of software procurers who buy the software that’s created.
Simply put:
If you’re asoftware developer: You should be implementing the following list of 10 best practices and tips.
If you’re asoftware buyer: Your goal should be to choose vendors who follow best practices like these.
1. Devote the Appropriate Resources to Securing Your Organization
Don’t be stingy when it comes to people, time, and money. Keeping your software supply chain secure should be among the highest priorities, and the reality is that accomplishing this requires a lot of resources.
Now, we’re not saying that throwing money at the problem will magically make all your security woes go away. But having a dedicated budget that’s set aside strictly for security purposes is a smart move and provides the necessary resources your organization needs to harden your defenses. This is money that can be spent in various ways, including:
Upgrading your firewalls and other cyber security systems (such as intrusion detection and response tools)
Adding skilled and knowledgeable workers to your in-house IT team
Investing in third-party service providers to carry out assessments and penetration testing
Incentivizing security-related innovations and initiatives
Increasing cyber awareness and best practices usage among your employees through various trainings
2. Make Security an Organization-Wide Priority for Everyone
A good application security strategy is one that encompasses all elements of your software supply chain. Jeff Williams, co-founder and chief technology officer at Contrast Security, says that achieving a secure supply chain (i.e., as secure as you can make it) boils down to knowing:
What code you write
What tools you use to develop and create software
How you secure your code and systems
Which third-party applications you buy and use
While some leaders may argue otherwise, security isn’t a siloed initiative. It’s a group effort — one that all employees (and other network users) participate in that should be led from the top of your organization. Bradley Jackson, the Director of Software Engineering here at The SSL Store, underscores this idea:
“It’s not the job of one person or a QA team to find vulnerabilities or point out flaws. It’s a team effort — from the developers, to DevOps, DBAs, marketing & bizdev, to ensure they’re not asking for functionality that can’t be done securely — all the way to the CEO to not rush a product to market at the sake of security.”
3. Understand Your Dependencies (Know What’s Going Into Your Software)
Asaf Ashkenazi, CEO of Verimatrix, points out an uncomfortable truth: you often don’t know what code is used in your software and where it was sourced from.
“Whether an organization is CREATING and distributing software products, or they are just USING [third] party software, the libraries used are likely to come from different sources. Whether it is an open source library or a licensed software solution, it’s vital their organization track where these components are used to allow for fast patching in case of a discovered vulnerability or routine security updates.”
Open source repositories are great because they save time and money by not having to create code from scratch. But open source resources can also introduce vulnerabilities that, otherwise, wouldn’t exist in your software or systems. This is why Steve Judd, senior solutions architect at JetStack, by Venafi, cautions using open source repositories without first auditing and evaluating the risks associated with them:
“If a threat actor does compromise a repository, they have the potential to launch a one-to-many attack, which has become the standard in supply chain attacks. Because open source repositories are used so widely by developers looking to save time and resources, popular [artifacts] could be used by thousands of companies. So injecting code into one repository could send shockwaves across multiple organizations, and potentially millions of end users. Ultimately, once the malware makes its way into an application or website, hackers can create disruption, steal data and IP, spy on users and create backdoors.”
Dan Chernov, chief technology officer at DerSecur, describes software-based businesses using the analogy of traditional brick building. In this case, he says that removing one brick from a key location can leave the integrity of a structure at risk of collapse. (Think of a brick that’s located at the top of an arch; if a key brick is missing, it can lead to failure in the overall design.) This is why it’s important to know what you’re putting into your software and to keep tabs on what you’re using and whether those elements have any known vulnerabilities:
“Software vulnerabilities are the open door for hackers into the organization, inside the IT systems which process valuable data. That’s why its vitally important to check all company’s software, developed either in house or via outsourcing as well as open source components, for vulnerabilities and backdoors.
To support this, your organization needs to commit management and resources to tracking the sources of your components and implementing application security practices. It’s an initiative that Chernov says should be performed and managed by your chief information security officer (CISO).
Put a Software Bill of Materials (SBOM) to Use
Another way to help secure your supply chain is to create a software bill of materials (SBOM) for your products. If you’re a company using third-party software applications, ensure they offer SBOMs. In a nutshell, an SBOM is a list of all the various components contained within your software, web app, or device (such as libraries, tools, and plugins). This way, you know exactly what tools, code, and resources have been used to create your software artifact.
Think of an SBOM like a recipe card or ingredient list on a packaged food product. If you have a food allergy, you can look at a food product’s list of ingredients to know whether it is something safe for you to eat. If it contains something you’re allergic to, you know that eating it would be risky and could make you sick (or worse).
Likewise, knowing what elements (proprietary and outsourced) are contained within your software helps you and your customers achieve greater supply chain visibility and security. Something else that’s vital to visibility and security is knowing whose hands are in which pies.
“SBOMs are especially important when identifying cybersecurity risks in critical application infrastructure across industries. It’s also worth noting that the U.S. government is constantly releasing new directives and best practices to secure the software supply chain to ensure the private vendors they work with provide the most secure products.
While agencies both in the U.S. and internationally may soon be required to create SBOMs to retain those government contracts, I believe organizations will quickly recognize their importance in not only cybersecurity but general software hygiene – and it will become a standard practice in any organization creating software.”
4. Practice Secure DevOps (SecDevOps or DevSecOps)
Implementing a secure development and operations life cycle should be a no-brainer. But for some reason, some companies either haven’t received the memo or they choose to put their fingers in their ears and start humming. So, since we have your attention, let’s be clear: if you develop or publish software, then it’s imperative that you follow a secure software development life cycle.
Bad guys are always looking for ways to compromise systems and gain access to valuable information. By not securing your devops life cycle, you’re not only leaving your own systems at risk but also jeopardizing your customers’ systems and data.
Williams emphasizes this point, showing that it’s the sum of all parts, and not just one-off independent elements, that makes for greater software supply chain security. He describes SolarWinds as being a wake-up call that highlights the importance of securing supply chains that extends beyond traditional cyber security methods.
“We cannot fix this with an occasional vulnerability scan or penetration test. We must prevent adversaries from getting into the software factory via code, libraries, tools, and platforms.”
Prioritize Security Over Speed or Other Interests
This next truth is a bitter pill your company’s sales and finances execs may not want to swallow: the security of your software should take priority over the speed of its release and distribution. According to Williams:
“Collaboration between developer teams and security teams is key here. But there has been friction in the past as developers are under pressure to work at speed, and security teams are under pressure to work securely. Unfortunately, these concepts don’t always align, and one is prioritized over the other – usually speed over security, hence why we see so many attacks targeting software supply chains.”
Digitally Sign Your Software Using a Code Signing Certificate
Code signing is a technique that enables you to attach a special signature of sorts to your code, containers, software and other executables. This cryptographically based method ensures the integrity of your software (i.e., so your customers know it hasn’t been tampered with since you signed it) and that helps customers know your software is authentic (i.e., that it was published by you and not an imposter).
Now, it’s no secret that we love code signing here at Hashed Out. After all, it’s a public key infrastructure (PKI) security technique that enables you to protect your software and assert your digital identity. (And, as you know if you’ve read our previous articles, we love digital identity!) Unfortunately, not all companies or developers opt to use them. This results in unsightly “unknown publisher” or “software not trusted” warning messages displaying to their users:
Image caption: A set of screenshots that shows the differences in messages that display for digitally signed software (right) and software lacking a digital signature (left).
5. Manage Access to Your Systems and Servers
Ah, yes, people. Human beings are, simultaneously, the greatest contributors and risks to the security of your supply chain and organization overall. All it takes is one moment of inattentiveness for an employee to fall for a phishing email that could compromise their credentials. (Yup, it happens to the best of us.)
Of course, securing access is a general cyber security best practice for all organizations. But when it comes to software supply chain security, it’s crucial to ensure that no one tampers with your software during the development process in particular.
Limit Who Has Access to What
Limiting how many people have access to privileged systems also limits the exposure risk of those systems when things go wrong. An attacker can only access the limited systems and data associated with that individual user’s profile. This is why access to your systems, data, and servers (especially your development and production servers) should be managed carefully and privileged access given sparingly.
Here’s a good rule of thumb to abide by: everyone doesn’t need access to everything. Only assign permissions and privileges to users whose roles and responsibilities require them.
Use Secure Authentication Methods
It’s no secret that cybercriminals love passwords. Compromising passwords is a very lucrative practice for bad guys. People tend to use really crappy passwords that are easy to guess via brute force attacks, or they give them to attackers who trick them using phishing tactics. A good way to avoid password-related security issues (i.e., have strong password security) is to avoid using them altogether.
One of the things we love to highlight here at Hashed Out is the use of public key infrastructure. (PKI is the foundation of internet security as we know it.) When it comes to secure authentication, something that PKI offers is the ability to use cryptographically secure mechanisms (i.e., a client authentication certificate) to:
Log in to systems without having to use usernames and passwords that can become compromised (and leave your systems at risk), and
Verify it’s really your employee who’s trying to access a protected resource (i.e., not an unauthorized user or cybercriminal).
Another option is to use multi factor authentication (MFA) apps that allow you to authenticate without having to type in any passwords. For example, you might receive an app-based push message on your mobile device that prompts you to authenticate whenever you try to access a protected resource.
Image caption: A screenshot of the verification message I received when I tried logging in to a service.
6. Scan and Monitor Your Digital Assets
Even if you’re doing everything right to keep your network, website, IT systems and other digital assets as secure as possible, attackers can exploit vulnerabilities to upload malware. The same can be said about your website. When customers then visit your website, instead of downloading your legitimate software or patches, they may find themselves installing malware instead that’s been uploaded to your site.
Part of this entails keeping your website’s plugins, themes, and codebases secure. Jeremy Clifford, CEO of RouterCtrl, has worked as a network specialist and engineer for more than 20 years. He says that GitHub is not just a way to maintain a code history, but it’s also a repository that can help you secure and protect your supply chain.
Clifford shares his insights regarding the importance of maintaining a secure codebase:
“Keeping the codebase secure should be the number one priority of […] any tech company. Not only could nefarious code bring your site down, for example, but they could also insert code into your site that would collect and send personal data, turning your innocent site into an unwilling accomplice to a crime.
[…] require that all code merges require multiple peer reviews and that merges into the master or production branches can only be done by certain approved parties. This way you’ll get multiple sets of eyes on each code change to ensure that only the intended changes make it in.”
Know What Software and Devices You Have on Your Network
Having visibility is critical to network security. If you don’t know what connects to it (devices, applications, etc.), how can you keep it secure? This is the underlying concern of shadow IT for many organizations.
Having unknown and untracked assets on your network like jumping into a lake filled with alligators while wearing a blindfold: you’ll never know what direction an attack is going to come from, and there’s no way to defend yourself.
7. Patch and Update Your Systems Regularly
If your systems aren’t patched and secure, then it means there are vulnerabilities that bad guys can exploit to use as an access point to your network (and, ultimately, your development and production servers) Patches are kind of like life vests: getting one won’t do you any good if you don’t bother wearing it when you go boating.
Let’s take Microsoft’s Patch Tuesday updates as an example. Almost every Tuesday, Microsoft rolls out updates for different products to help organizations and users mitigate the latest vulnerabilities. Back in 2017, Microsoft rolled out an update of their legacy Windows operating systems to mitigate security issues relating to vulnerability within their systems that resulted in an exploit known as Eternal Blue. However, many companies globally failed to apply the update within a reasonable amount of time.
The result? A global ransomware attack that resulted in catastrophic damages for governments and private sector entities in more than 150 countries. For example, the United Kingdom’s National Health Service (NHS) found its operations screeching to a halt. Thousands of surgeries and appointments were canceled and, in some cases, institutions had to divert emergency responders to other facilities. There’s also the issue of ransomware attacks causing fatalities by targeting critical infrastructure…
Eliminate Outdated Components and Software
Time isn’t kind in many aspects. As humans, we grow older and we start to feel like we’re falling apart. The same happens with software and other technologies over time — they become less secure, particularly when their manufacturers stop maintaining them with new patches and updates.
Ashkenazi, who has a background in systems design engineering and architecture, says that a critical step that often gets overlooked is managing and rotating out old technologies. “Continually ask yourself if you’re using a timely cycle to age out some of the stuff that is old and probably (or definitely) less secure.” He points out that some suppliers stop supporting their software with updates and security patches. So, it’s important to examine your software supplier’s track record to see if they’re one of the ones that continue support or drop off after a few years.
8. Set Security Requirements With Third-Party Vendors
Do you know what your software vendors are doing to keep their software — and, by proxy, your organization — secure? If the answer is no, we’re not surprised.
The NCC Group’s research we mentioned at the beginning of the article shows that almost half of surveyed organizations (49%) neglect to set security standards with their service providers ahead of time. But what makes matters worse is that 34% also indicate that they don’t “regularly monitor and risk assess their suppliers’ cyber security arrangements,” either.
This is particularly concerning considering that third-party risks are frequently the result of contractors or service providers having access to sensitive systems and data. Think of the 2013 Target data breach when the network credentials of one of their third-party HVAC vendors were hacked, giving attackers access to Target’s systems.
Ilam Padmanabhan, solution delivery manager at Nets Group, has two decades of experience in the tech and financial services industries. Padmanabhan says it’s important to both stay abreast of what vendors are doing to keep their software secure and to keep them informed about any vulnerabilities they discover on their systems:
“To ensure the security of their suppliers, [companies] should conduct regular security audits and require their suppliers to meet certain security standards. They should also establish communication protocols so that they can quickly notify their suppliers of any vulnerabilities that are discovered.”
Conduct Risk Assessments of Your IT Systems
Keeping an eye on your IT ecosystem entails more than just monitoring your network. It’s also about keeping tabs on everything that touches your network — applications, personal and company devices, IoT devices, etc. You need to know who has access to everything, including third party vendors and contractors. Part of this entails performing cyber security risk assessments that help you identify vulnerabilities and prioritize mitigation efforts.
If you’re not sure how to perform a cyber risk assessment, no worries. We’ve already got a resource ready to go for you. Of course, simply figuring out what risks there are and how to prioritize them isn’t enough. You also need to have plans in place for how to respond to them and for how to keep your business going…
9. Create Business Continuity, Incident Response and Disaster Recovery Plans
We get it — accidents happen and, sometimes, things go wrong. These types of scenarios span the gamut from natural disasters to man-made issues like cyber attacks. But if you’re smart, you’ll plan ahead for when things go wrong (because, inevitably, they will) so you’ll have plans in place for how to respond to bad situations.
A few examples of some of the plans you can create and implement include:
Business continuity (BC) plan — A BC plan provides guidance on keeping your business up and running while crap is hitting the fan. It’s easier said than done, but with the right plan and people in place, it can be enough to keep your business from failing in the interim.
Incident response (IR) plan — This document serves as your guide for what to do when you’re in the thick of things and feel like you’re facing down a dragon. The goal is to stop whatever’s happening from happening and to prevent further damage from occurring.
Disaster recovery (DR) plan — A DR is all about helping your business in the aftermath of whatever ungodly scenario your organization has just endured. This typically involves implementing data backups and trying to get your organization back to being fully functional.
10. Train Your Employees on General Cyber Security and More Specialized Practices
A key part of any cyber security strategy is providing educational training and resources to your staff and other network users. In general, everyone who touches any company device or has access to your network should be trained to increase their cyber awareness and to recognize threats. But the training doesn’t have to stop there; you also should provide more specialized, in-depth or technical training to increase the security of your privileged users. This is something that you can offer in house or consider hiring a third party to handle for you.
Regardless of which approach you take, the important takeaway is to educate your employees. They’re your first line of defense in all aspects of cyber security, including the protection of your supply chain.
Train Your Organization’s Software and Technology Buyers
The same training concept applies to technology buyers, too. If you want to ensure that your company is using only the most secure software, educate your employees who are responsible for making those purchases. Provide them with guidelines and standards they can refer to when vetting prospective software creators and their products.
Meet the Experts
We offer a special thanks to all of the experts who shared their insights with me to write this article. They’re listed in alphabetical order by last name:
Asaf Ashkenazi, CEO at Verimatrix
Dan Chernov, chief technology officer at DerSecur.
Jeremy Clifford, CEO of RouterCtrl.
Brian Fox, CTO of Sonatype and an OpenSSF member.
Bradley Jackson, Director of Software Engineering at The SSL Store.
Steve Judd, senior solutions architect at JetStack, by Venafi.
Ilam Padmanabhan, solution delivery manager at Nets Group.
Jeff Williams, co-founder and chief technology officer at Contrast Security.
TL;DR: A Quick Overview of Supply Chain Security
Still reading? Awesome. We hope you’ve found these experts’ insights informative and useful. If you jumped to this section to save time, we’ve got a quick summary for you of why software supply chain security matters to software creators and buyers alike:
Strong and effective supply chain security comes from the top-down. Security isn’t a one-man-band kind of thing. It’s an initiative that should be led by your organization’s board and other leaders and should be owned by everyone.
Know what’s in your products (or the third-party products you use). As a provider, you need to review and approve every component that is included in your software. This helps you (and your products’ users) achieve greater IT environment visibility and security.
Carefully manage access and implement secure access methods. Only assign access to those who need it to do their jobs. Use authentication methods that offer the highest levels of security (like MFA and PKI-based authentication).
Keep your systems patched and free of vulnerabilities. This should be a no-brainer but it’s worth reminding everyone anyhow. Unpatched systems are vulnerable, and vulnerabilities are big, flashing neon signs that tell cybercriminals “I’m open to attack!”
Digitally sign your software to inform users your software is legit and unaltered. If you want your customers to know that your software is authentic and hasn’t been modified since you made it, a good way to ensure this is to digitally sign it. Attaching a digital signature uses cryptographic functions to assert your digital identity and offer assurance about the integrity of your software.
Alright, that’s it. We’ve kept you long enough and are sure you’ve got work to get back to now. Remember: your software is only as secure as you make it. Invest the time, resources, and efforts now to save yourself a lot of headaches — and money — in the future. Don’t allow yourself to sacrifice security for the sake of getting your products out faster.
Encryption is everywhere online; it’s the process and technologies that enable you to securely log into your email and make online purchases
What types of information are you sending in emails or via website connections? What are you storing on your company servers? Inquiring minds want to know — namely, cybercriminals.
Data from Orca Security shows that more than one-third (36%) of organizations don’t bother encrypting the sensitive data they store in the cloud. This includes data such as intellectual property to customers or employees’ personally identifiable information (PII).
We’ve seen multiple instances of security issues this year involving unencrypted data:
One way to fight back against cybercriminals is to use encryption to secure your data. But what is encryption? I mean, what does encryption mean, both in the sense of what it does and how it secures your data and communications?
Let’s hash it out.
What Does Encryption Mean? A Quick Data Encryption Definition & Meaning
Encryption is the process of taking plaintext data and transforming it into something random and unreadable. Why? It’s a way to secretly share information by restricting access to it. This way, only your intended recipient (i.e., whoever you want to read the message) can access it and no one else can.
Encryption involves using two specific types of cryptographic tools:
Encryption algorithms (which need to meet specific cryptographic security standards)
Encryption key (which needs to be securely generated)
Image caption: A basic illustration showcasing the process of data encryption.
Looks simple enough, right? Appearances can be deceiving. The way cryptographic processes work in the background is a lot more complicated than how it appears on the surface. When you encrypt a message on the internet, you’re using a special string of randomized data called a cryptographic key. Keys can either be a set of two unique keys (asymmetric keys), or a single key (symmetric key) that encrypts and decrypts data. We’ll speak more on asymmetric and symmetric key encryption a little later.
When applied, the key disguises your message by turning it into gibberish. This ensures that only the person who holds a corresponding secret key (i.e., your intended recipient) can read the message through a process known as decryption.
The following illustration shows a basic overview of what the process looks like when sending a secure, encrypted message:
Image caption: A basic illustration of how encryption protects sensitive data from unintended eyes.
So, how do you know if a website is using a secure connection? It’s got a little padlock icon or another security indicator displaying in the browser’s URL bar:
We’ll delve more into that in just another minute or two. But first, there’s one important thing we want to touch on before moving on to talking about what encryption does…
Secure ≠ Safe
When people see the padlock icon in their browser, they typically assume it means the website they’re using is safe. That’s not necessarily true. You can still have a website that uses a secure connection but it’s not safe because the site is controlled by one or more cybercriminals. This is why we always tell people that a secure website isn’t necessarily a safe website.
The way to help customers ensure that they’re connecting to your legitimate website is to add digital identity to the equation. Your digital identity is like your passport; it’s a verifiable way for people who don’t know you to feel confident doing business with you. This is because you have a trusted third party (a certificate authority) vouching that you’re authentic — that you really are (insert your company’s name here).
You can add digital identity by installing a website security certificate, or what’s otherwise known as an SSL/TLS certificate, on your server. This will enable data to transmit using the secure HTTPS (hypertext transport protocol secure) protocol instead of the insecure HTTP.
Here’s a quick example of what an extended validation (EV) SSL/TLS certificate looks like in Google Chrome:
Image caption: A combination screenshot of the SSL/TLS certificate for wellsfargo.com. As you can see, the certificate displays the company’s (subject) verified organizational information, including its location.
SSL/TLS certificates come in three validation levels: domain validation (DV), organization validation (OV), and extended validation. They rank from lowest to highest in terms of the digital identity assurance they offer (hence why EV certificates are sometimes called high assurance certificates).
Why You Need to Secure Your Data
There are several reasons why your organization needs to secure your data and communication channels:
You’re required to do so for compliance. Depending on your industry or geographic region, it’s likely that there’s at least one data security regulation or law in place that requires you to secure your data using encryption.
You want to protect your reputation. The importance of your brand and reputation can’t be overstated. Not encrypting your data is a surefire way to get yourself some unwanted publicity. If you don’t secure your data, it’s likely just a matter of time before it falls into cybercriminals’ hands.
Customer trust matters to you. Encrypting your data goes a long way in helping you develop relationships with customers. If they know that you do all you can to keep their data safe, they’ll be more likely to want to do business with you. If you don’t and let it be known that you’ve had a cybersecurity incident, nearly one-third say they won’t do business with you.
Fines, penalties, and lawsuits don’t appeal to you. Don’t spend money on fines, penalties, and lawyers if you don’t have to. You can avoid many situations where you’d face these things by securing your sensitive data.
It’s the right thing to do. There’s something to be said for just doing the right thing because it’s the right thing to do. Protecting the data that people and other organizations have entrusted you to protect definitely fits into that category.
Encryption Secures Your Sensitive Transmitting and/or Resting Data
Encryption can be used to encrypt everything from data sitting in your databases to the data that streams from the IoT devices on your network. Without encryption, every day would be open season on your most sensitive data. This is why organizations should use encryption to protect sensitive data at all times.
Protecting Data in Transit from Man-in-the-Middle Attackers
Data in transit encryption can be used to secure your data while it’s moving between endpoints. A great example of in-transit data encryption can be seen when your customers’ browsers send information to your web server. This is known as in-transit data encryption, which protects you from interception attacks (i.e., man-in-the-middle attacks).
Good examples of this are secure SSL/TLS website connections. If you don’t secure your website using an SSL/TLS certificate, cybercriminals could simply wait for your customers to log in to your website and steal their credentials. They do this by intercepting the data, placing themselves in the middle of your connection so all data flows between the customer and the server through them.
Not only does this spell bad news for your customers, but it’ll be bad news for you since they’ll no longer trust you to protect their data.
Keeping Your At-Rest Data Safe On Your Servers
If your data is sitting on your server, that automatically means it’s safe from attackers, right? Not necessarily. Data at rest encryption plays an important role in keeping the data sitting in your databases, inboxes, and other important repositories secure. For example, if someone hacks your email server, any unencrypted messages are at risk of compromise.
Encrypted Data Is Meant to Be Decrypted…
Yes, you read that correctly: Encryption is known as a two-way function because encrypted data is meant to be decrypted by someone who has the appropriate key. When you encrypt something, you need to use a key to decrypt that data. In asymmetric encryption, you have two separate keys and each key performs a separate function (one encrypts, one decrypts). In symmetric encryption, it’s a single key that performs both functions.
It’s important to note that encryption algorithms differ from hash ciphers. While encryption ciphers are meant to be reversed, hash algorithms are designed to serve as one-way functions. Their resulting strings of data are not intended to be reverse-engineered [and, frankly, it’s too impractical to try to do so]). And instead of being used to encrypt data, they’re used as data integrity mechanisms to prove that data hasn’t been altered since it was digitally signed.
Encryption is a way for two parties to communicate securely. Historically, this meant two parties would have to meet face to face to securely exchange keys. They’d use the same key to encrypt and decrypt information. This is an example of a type of encryption known as symmetric encryption. Also known as private key cryptography, this approach entails using a single key to scramble and unscramble your messages.
Here’s a basic look at how encryption and decryption work using symmetric (matching) keys:
Image caption: A screenshot of a symmetric encryption algorithm that shows how both parties have a copy of the same key they can use to encrypt and decrypt messages.
Of course, the encryption ciphers we use to communicate over the internet are far more complex than the simple example we’ve provided above. However, the graphic gives you the basic idea of the concepts of encryption and decryption.
Symmetric Encryption Has Been the Go-To Method Throughout History
Symmetric encryption is nothing new; it’s been around for thousands of years, dating back to at least ancient Egypt. It’s the old, trusted war horse of cryptography and it’s had many reinventions over its lifetime.
When I was a kid, I had out-of-state cousins who would come to visit my family. My cousins and I would exchange handwritten letters, and one of my cousins used to write brief messages in ciphertext. It was a basic shift cipher (AKA a Caesar cipher), meaning that you just shift a letter by one or more characters in the alphabet. The number of movements is determined by a secret key that only we would know. (This way, her siblings and mine couldn’t read our messages.)
For example, if we used a key of 6, then “a” would become “g” and so on. So, if the cousin wrote the word “beach” and used a key of 6, then it would become “hkgin.” Because we both had knowledge of the key, this is a basic example of how it looks when you use symmetric encryption.
Traditional (Symmetric) Encryption Can’t Stand on Its Own in an Internet World
We live in a time when the internet has become integral to businesses. This invention is a double-edged sword; it’s great because companies can engage in remote, near-instantaneous communications. But that also means that no one wants to hop on a plane and fly halfway around the world every time they need to do a transaction.
But why would you need to do this? Because the internet is inherently insecure. It’s an open public network that sends plaintext data, meaning that your sensitive information can be intercepted by bad guys who can use it to carry out all kinds of evil (data theft, identity theft, fraudulent transactions — the list goes on). This is why industry experts had to come up with a way for people to communicate securely without having to first meet up to exchange symmetric encryption keys.
Why Asymmetric Encryption Is Essential to Secure Online Communications
In a nutshell, asymmetric encryption (i.e., public key encryption) enables people to communicate remotely without having to meet up in person. This type of encryption uses a pair of unique (but mathematically related) keys to carry out the encryption and decryption processes.
People call it by different names, but this type of encryption boils down to the following breakdown:
The sending party encrypts the message using their public key.
The receiving party decrypts the message using the corresponding (separate) secret key.
What this does is enable you to communicate data in open channels (public and insecure networks), such as on the Internet. Here’s a look at how this process works from a little more technical perspective:
Image caption: A screenshot of how it looks when you transmit encrypted data to a website using asymmetric encryption.
Think of the last time you made an online purchase. When establishing the website connection, your browser reached out to the website’s server. The two parties exchanged some key information (literally and figuratively speaking) that they used to exchange a session key. This key is what they then used the rest of the session to communicate because it required fewer resources than an asymmetric connection.
Asymmetric vs Symmetric Encryption: Is One Better Than the Other?
It’s not so much a question of which one is better; asymmetric and symmetric encryption both play important roles in securing online data and communications. Quite frankly, you need both to achieve secure website connections:
You use asymmetric encryption to securely exchange key-related information
You use that shared key information to create a secure symmetric session that can be used to communicate the rest of the session
You use asymmetric first because it’s a secure way to share your symmetric keys on the (insecure) internet. But asymmetric algorithms require a lot of resources, meaning they’re not great at scale (i.e., enterprises handling massive traffic). So, the smarter idea would be to use asymmetric algorithms at the beginning and then switch to symmetric algorithms that are less taxing at scale.
The More Important Considerations Are Key Security and Certificate Management
The encryption algorithms you use are only as good as the security you use to protect your cryptographic keys. If even one of your cryptographic keys gets exposed, then you’re in for a world of hurt because it means that every bit of data that key encrypted is now at risk of compromise. For example, this could be the case if you didn’t use algorithms that enabled perfect forward secrecy.
Furthermore, you also need to carefully track and manage all of the certificates in your environment. If even one certificate expires and is still used on your website, for example, then it means:
Users see ugly “not secure” warning messages on your website
All data that transmits to your website is insecure
Final Thoughts on What Encryption Means
As you can see, answering the question “what is encryption?” in the simplest terms isn’t always easy, but we gave it our best shot. (It’s easy to overthink things.) Hopefully, you’ve found this article both informative and useful as you go about your day. The big takeaways we want you to leave with include the following:
Encryption is a common cryptographic process for disguising or concealing data
Encryption secures your data both in transit (think SSL/TLS) and at rest (think of emails on your server)
It can be done using unique keys (symmetric encryption) or identical key pairs (symmetric encryption)
For encryption to work, you must carefully manage your certificates and keys
Digital certificates are akin to the internet’s versions of certificates of authenticity. Here’s what you need to know about them and the public key cryptographic technologies that make them work
Digital certificates and/or signatures make your world more secure virtually everywhere you look online. These tools allow you to send secure emails and exchange sensitive information remotely without having to worry constantly that your data might fall into the wrong hands.
But what is a digital signature? What is a digital certificate? How do they integrate seamlessly into your everyday life as both a consumer and service provider (even if you don’t know it)? We’ll answer all of these questions in this article that breaks down the difference between a digital signature vs digital certificate.
Let’s decode it..
Digital Certificate vs Digital Signature: A Look at the Differences Between the Two
Digital certificates and digital signatures are just two halves of the same coin. When you’re talking about a digital signature vs digital certificate, each plays a role in establishing and validating digital identity and aids in helping your organization facilitate digital trust. Digital trust is critical to elevating your brand and helping customers feel confident and secure doing business with you.
We’ll go more in-depth on each of these concepts throughout the article. But first, we know some of you are in a hurry and don’t have much time to read this article. We’ve put together a brief overview so you’ll quickly get the gist of the differences and can move on your way:
Digital Certificate
Digital Signature
What It Is
A small data file (X.509 format) that contains identifying information (usually about a person and/or an organization)
It’s a signed digital asset that consists of a string of characters created by hashing data and encrypting the resulting value. You use a digital certificate to create a digital signature.
How to Describe It to Your Non-Technical Colleagues
It’s like a passport for the digital world: it’s issued by a trusted third party and offers assurance that you’re you
It’s like a notarized signature; it’s often used to show that digital assets (such as documents, messages, files, etc.) you create are authentic and haven’t been altered somehow
What It Does
A digital certificate ties your organization’s verified identity to a digital asset (website, email, software, etc.)
A digital signature shows who created a file, message, or other digital asset, and that it hasn’t been changed since it was signed
How It’s Created
Create a certificate signing request (CSR) and send the information to the certificate authority. They’ll verify your identity and issue the certificate
In most cases, you’ll need a digital certificate in order to create a digital signature. Once you have a certificate, many platforms (Windows Server, OpenSSL, Microsoft Word, Adobe, etc.) make it easy to create and apply a digital signature through the use of a hash function and encryption
Where You Can Find One
Installed on web servers, web applications, email clients, computers, mobile devices, IoT devices, etc.
Many important files (such as software installers, PDFs, secure emails, etc.) contain digital signatures.
How Long It Is Valid
Each digital certificate is created with a set validity period — i.e., it has both issuance and expiration dates
Digital signatures can be valid far longer than the certificate that created it when it is timestamped
Alright, now that we’ve had this overview that highlights a digital signature vs digital certificate, let’s dive a little more in depth into each of these elements…
What Is a Digital Certificate?
A digital certificate is a digital file containing verifiable information about you or your organization that validates your authenticity. Basically, it’s a way for the other party you’re connecting to, to check whether you are who you say you are (i.e., you’re not a fraudster).
Digital certificates are kind of like the organizations that issue certificates of authentication for athletes’ autographs. If I want to ensure that I’m getting hockey goaltender Andrei Vasilevskiy’s signature (Go Bolts!), I’m not just going to buy it from some random person on eBay. I’m going to get it from a reputable source that provides a genuine certificate of authentication.
Likewise, the same concept applies to installing code, software, and other executables from reputable sources. You won’t just download unsigned software from a third-party website that could be counterfeit and contain malware, right? (Please say you won’t.) It’s too risky and leaves you vulnerable to data compromise, identity theft, and a slew of other security issues.
Digital certificates are X.509 files that you’ll find at the heart of public key infrastructure (PKI). They come in multiple varieties that serve various purposes:
Code signing certificates help you prove the authenticity of your software, containers, and code and protect it against unauthorized modifications.
Image caption: A screenshot of the code signing certificate information that displays in Chrome for one of our company’s digital certificates.
Document signing certificates help you prove the authenticity and integrity of your Microsoft Office and PDF files. (NOTE: Not all document signing certificates can be used to digitally sign Adobe PDFs.)
Email signing certificates help you prove to recipients’ email clients and servers that your emails are legitimate and haven’t been altered. They also enable you to send secure, encrypted messages to recipients who also use email signing certificates.
Image caption: A screenshot of the email signing certificate information that displays in Chrome for one of my digital certificates.
Client authentication certificates (AKA personal authentication certificates) help you remotely verify your identity so you can access web apps and other resources online. These are frequently the same certificates as email signing certificates
SSL/TLS certificates help you prove that your website is authentic (owned by you) and enables your server to establish secure connections with users to protect their data in transit.
Image caption: A screenshot of the SSL/TLS certificate information that displays in Chrome for TheSSLstore.com.
What Is a Digital Signature?
A digital signature is something you apply to a specific file (using your digital certificate) to prove that the file was created by you and is authentic. In the most basic sense, a digital signature is a way to prove you’re really you (authentication) and that something you created is legitimate (data integrity). More technically speaking, it’s data that proves your identity and that the digital asset you’ve created and signed hasn’t been secretly modified.
In a more technical sense, digital signatures are the values that result from applying a hash function to the data of the digital asset (software, email, document, etc.) you wish to protect and authenticate. This creates a string of data known as a hash value, which you then encrypt using a cryptographic key.
There’s sometimes a bit of confusion surrounding digital signatures and electronic signatures. You’ll find people and companies within the industry referring to them interchangeably. However, that’s not quite accurate. A digital signature is a type of electronic signature, but not all electronic signatures are digital signatures. It’s kind of like how all fudges are desserts, but not all desserts are fudge.
An electronic signature is the digital equivalent of your handwritten signature, whereas a digital signature is something else that doesn’t always have a visual element representing it. Electronic signatures can often be mimicked or faked, but digital signatures cannot be easily copied or faked.
Image caption: A screenshot that shows the difference between an electronic signature (left) and a digital signature’s visual mark as represented by Outlook and Adobe PDF.
Timestamping Extends the Life of Your Digital Signature
If you want to get the most out of your digital signature, use a timestamp. Timestamping is a method of proving that whatever you signed was signed at a specific moment. It’s an indelible record that shows when your digital asset was signed or modified. By adding a timestamp to something you digitally sign, you’re also extending your signature’s longevity.
Image caption: A screenshot of the digital signature and timestamping information for a version of JetBrains software that was downloaded.
Of course, you don’t always have to timestamp your digital signature; it’s considered an optional feature in some use cases. But timestamping is something you should definitely consider doing when signing software and documents. Why?
Timestamping your digital signature enables it to be trusted years beyond when your digital certificate expires.
Adding a timestamp provides a verifiable way to show the precise moment when something was digitally signed.
Adding a timestamp to your code also mitigates the error messages that would otherwise appear when your digital signature certificate expires. It also means you don’t have to re-sign and release a new version of your asset (unless you changed the file somehow).
Trying to fake your digital signature’s timestamp would be challenging for cybercriminals to achieve.
There’s a bit of a misnomer that timestamping means that your digital signature is valid forever and will never expire. This isn’t the case. Your signature will eventually expire; it just won’t expire as quickly as your digital signature certificate does.
Digital Signatures and Certificates Are at the Heart of Digital Trust
Nowadays, you always hear people throwing around the term digital transformation, which is all about integrating digital technologies to fundamentally enhance your organization (e.g., increase connectivity and operational efficiencies). But there’s another concept that isn’t just a buzzword and deserves more attention than it receives: digital trust.
Digital trust is everything relating to establishing and upholding trust — it’s the behind-the-scenes processes, compliance, and security mechanisms that make trusting your brand possible for customers. At its core, digital trust boils down to three key elements:
Digital identity — Offering assurance regarding your verifiable digital identity so they know you’re real and aren’t a shyster,
Data integrity — Providing assurance and the means for customers to verify that they can trust your asset’s legitimacy, and
Encryption — Securing communications and data and communications so they can feel confident doing business with you.
Now, I’m going to say something a bit controversial here: you don’t deserve your customers’ trust. While this may sound very negative, the truth is that trust isn’t something customers should give blindly; those days are long gone. In the Age of the Data Breach, trust is something you should — and must — strive to earn.
You can have the fanciest office and IT technologies at your fingertips. But without achieving and securely managing digital trust, your digital transformation is half-baked and won’t live up to your (or your customers’) expectations.
Keeping Your Certificates Secure Requires Careful Management
Your digital certificates and the signatures they create won’t do your business any good if you don’t bother to keep them — or, more importantly, their keys — secure. You see, every digital certificate is issued with a key pair. In the case of publicly trusted certificates (such as the ones we’ve mentioned that are used for external uses), that keypair includes a public and private key. Public keys are available to virtually anyone, but private keys are secrets that must be protected.
As of 2020, Keyfactor reported that the average business’s IT environment has an average of 88,750 digital certificates and keys to authenticate systems and secure data. In 2022, Keyfactor also reported that the average number of “internally issued certificates in an IT organization alone” has surpassed 267,000.
If a bad guy manages to get their grubby paws on even one of your organization’s private keys, then you’re in for a world of pain. A compromised key can lead to everything from data compromises, unauthorized modifications, losses, and theft to costly data breaches and compliance issues. Not only will your reputation suffer potentially irreparable harm, but your customers may, too. Needless to say, this will have a devastating effect on your bottom line.
This is why it’s essential to carefully manage and monitor your PKI. This entails keeping visibility of your IT environment and the certificates and keys within it, managing who have access to your keys and resources, and rotating out certificates and keys as they expire or, on the rare occasion, become revoked.
A carefully managed PKI helps you achieve digital trust and makes for a healthy and successful business.
Final Thoughts on a Digital Signature vs Digital Certificate
As you’ve learned, digital signatures and certificates aren’t so much an either/or kind of thing: you need both to secure your organization and its data. To assert your digital identity, you need to use a digital signature. In order to create a digital signature, you need to have a digital certificate. But when creating your digital certificate, a reputable third party (i.e., a CA) must use their trusted root’s digital signature to offer assurance that your organization has been properly vetted and can be trusted… it goes on and on.
A software bill of materials lists the “ingredients” in a software product, making it easier to identify and avoid security risks
Unless you’ve been living under a rock the past few years, you’ve likely at least heard of Log4j. This is an Apache open source library that’s commonly used in just about everything Java-related online. Unfortunately, in late 2021 the logging package was discovered to be critically vulnerable to remote code execution attacks, meaning an attacker could exploit it to install malware (e.g., ransomware) onto vulnerable systems and inject larger networks.
Cloudflare CEO Matthew Prince reported on Twitter that there were 400 confirmed exploit attempts per second. But that’s just one estimate — according to The Washington Journal, Akamai Technologies said it observed 10 million such exploit attempts per hour. Research from Check Point also showed that the attackers were rolling out new variants of the exploits — more than 60 in under 24 hours.
That’s a lot of exploits and a lot of variations to boot. Considering that the Log4j vulnerability affected major companies like Amazon, Apple, and IBM, it’s no surprise that it had companies globally worried.
But what makes the situation particularly concerning is that many companies weren’t aware that the products they use contained such vulnerable elements. If only there was a way that organizations could know exactly what components are part of the software they use… Oh, wait, there is: they could use products that come with a software bill of materials (SBOM).
But what is a software bill of materials and how can it help organizations mitigate some of the cyber risks facing their organizations and networks?
Let’s hash it out.
What Is a Software Bill of Materials (SBOM)?
A software bill of materials is a list of the base elements (such as code libraries) used to create a product. Basically, it provides details and information that outline the relationships between the various elements of the software in your supply chain. The National Telecommunications and Information Administration (NTIA) has a bit more technical definition for an SBOM, describing it as “a nested inventory for software, a list of ingredients that make up software components.” It includes everything from version information and what companies created those elements.
Putting it more simply, SBOMs enable companies to know exactly what goes into their software — ideally, so they can keep a close eye on any dependencies. So, going back to the Log4j example, if you’re using software that includes the vulnerable library, you would know instantly because Log4j would be listed in the SBOM. You could reach out to your vendor to ensure they’re providing a patch using an updated version of Log4j. But you can’t assess or mitigate specific cybersecurity risks if you don’t know they exist. This is where an SBOM can help.
An analogy that’s commonly used to describe these lists of components is the ingredient labels on packaged food items. (We’ll speak more to that in a minute.) The purpose of an SBOM is to create transparency and help companies identify dependencies in their software supply chains. This is because, as a purchaser, you’re supposed to receive or be able to access SBOMs for products you purchase. This way, you know a good amount of information about your supply chain.
SBOMs are something that can be used to address a wide variety of security issues for everything from software to IoT devices.
Even the U.S. Government Encourages Using SBOMs to Improve Security
In fact, the May 2021 U.S. Executive Order (EO 14028) on Improving the Nation’s Cybersecurity calls upon the use of SBOMs to help strengthen the defenses of U.S. federal information systems. (Government agencies are now required to collect them from software suppliers.) The National Institute of Standards and Technology (NIST) developed the Secure Software Development Framework (SSDF) to aid this initiative, and it requires software bill of materials information to be included.
Component hash (yup! Cryptographic functions play a key [excuse the pun] role here, too)
Unique identifier
Dependency Relationship
Timestamp
For a complete list of minimum requirements, check out NTIA’s SBOM Minimum Elements Report. It breaks down the minimum elements that should be addressed in an SBOM into three main categories:
Data fields,
Automation support, and
Practices and Processes.
Do SBOMs have to be created at the time you’re developing your software? Not necessarily. You also can create SBOMs retroactively. The only thing to note about that is that it might not be as complete as an SBOM that’s generated as part of your software development life cycle (SDLC) process.
SBOMs Are Typically Meant to Be Read By Machines, Not People….
An SBOM isn’t something that just anyone can look at and read easily; it’s presented in one of a few standardized formats that are readable by computers (but not human beings, unless you know what to look for) to improve integration and automation. These three standards (listed in alphabetical order) include:
CycloneDX, which also works for software-as-a-service (SaaSBOM), hardware bill of materials (HBOM), and other uses. The file format for this type of SBOM is .xml.
Software Package Data eXchange (SPDX), which is an international open standard (ISO/IEC 5962:2021). Acceptable file formats include .json, .spdx, .rdf .xls, .xml, and .yml.
Image caption: A screenshot from NTIA that we’ve highlighted to illustrate the different informational requirements that a software bill of materials must include. Original image source: NTIA.
Who a Software Bill of Materials Benefits (Spoiler Alert: Everyone)
According to the White House’s Executive Order, SBOMs benefit virtually everyone who develops, manufactures, purchases, or operates software or devices that use said software. But the truth is that a software bill of materials also indirectly benefits the consumers who are served by these companies and service:
“An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.”.
Yup. While SBOMs are typically promoted as being good for software buyers and operators, the truth is that they’re also useful for broader audiences. So, you see, it’s good for your organization regardless of where you fall in the supply chain.
But now that we know what an SBOM is in a general sense, let’s take a closer look at this security tool and how it aids your organization’s software supply chain.
A Look at How a Software Bill of Materials Breaks Things Down Within the Supply Chain
Your software supply chain comprises everything from where the individual components came from that are used to create the products you use and how they’re manufactured, distributed, and supported. Some categorizations of the supply chain talk about custom code, third-party components, development and building environments, delivery, etc. Basically, it’s all about sourcing your components (internal or third-party dependencies), building your software, storing and deploying it, and providing ongoing support (via patches) while it’s being used by the intended users.
However, to simplify things a bit more, we’re going to look at what the software supply chain ecosystem looks like based on a traditional supply chain (based on information shared in NTIA’s SBOM explainer video):
Image caption: A basic diagram that illustrates the software supply chain ecosystem and some of the parties involved in it.
Let’s imagine, for a moment, that you’re an IoT device manufacturer that uses third-party software as part of your supply chain. This is how the above breakdown would play out with regard to you and your business:
Source parts refer to all the base elements used to create the product.
Compound components refer to any elements in the final product that are created using other elements (e.g., a third-party’s library or open source code). Not all software manufacturers provide information about what these components are.
The final assembled product(your software) is the end product created when you combine all of the parts.
Operator(s) or vendor(s) is the term that refers to your direct customers or service providers that use your product.
Consumer(s) refers to the people that your customers use your product to provide services to.
An SBOM Is Like the List of Ingredients You’d Find in Your Favorite Foods…
When you’re at the grocery store, do you stop to read product nutrition labels and ingredient lists? If you’re like me, you do because you want to know exactly what you’re putting into your body.
It’s a good idea to take a similar approach when adding software and devices to your network. If you want to keep your network secure, then you’ll want to check every device, software, or system carefully you connect to it for known vulnerabilities. Knowing what libraries, drivers, operating systems and open source resources are used goes a long way in helping you assess and mitigate vulnerabilities.
Let’s consider a quick example with one of my favorite special occasion meals: Fettucine alfredo. Say, a friend is having a small get-together at her house and I decide to bring over a dish of homemade fettuccine alfredo for the occasion to share. Sounds great, right? It is, so long as no one has any food allergies to any of the ingredients I’m using in my dish.
But how can someone tell whether there might be something in my fettuccine alfredo that might cause an issue? Let’s first consider the list of ingredients. My fettuccine alfredo recipe is pretty simple as it contains several basic ingredients:
Heavy whipping cream
Homemade salted butter
Freshly grated Parmesan-Reggiano cheese
Freshly grated Pecorino-Romano cheese
Garlic
Salt
Black pepper
Italian parsley
Homemade gluten free fettuccine pasta
If I were to break up this item, we’d be looking at the following breakdown of items:
Looks simple enough, right? Not quite… There’s more to it because of the “hidden ingredients” that people might not know about if they aren’t disclosed.
Some Ingredients Are Made Up of Other Unknown Ingredients
Image caption: An example food nutrition and ingredient label.
A few of these items — the two cheese and the gluten free flour — are created through manufacturers whose products I like and trust. So, knowing this, let’s consider the supply chain for these items — particularly the compound components. These items may have other additives that I might not be aware of unless I stop to read the product label. Let’s consider a quick example using parmesan cheese.
The ingredients for the brand of parmesan cheese I typically use contains cultured cow’s milk, enzymes, and salt. (Note: If I bought the pre-grated variety, additional components would be added, such as cellulose and natamycin — this is why I buy the blocks of cheese and grate them myself!) So, in this case, that means the enzymes and cultured milk need to be added to my list of ingredients.
Likewise, if I looked at the ingredient list for the Pecorino-Romano cheese or the gluten free flour I’d use, there would be several additional items I’d need to add to my list of components. And it would also be important to know where the ingredients the manufacturers used actually came from. For example:
The Pecorino-Romano cheese I use is imported from Italy and it contains sheeps milk and rennet.
The flour includes multiple other ingredients — sweet white rice flour, whole grain brown rice flour, potato starch, whole grain sorghum flour, tapioca flour, and xantham gum.
This means my ingredient list now looks more like this:
Why You Need to Know Which Ingredients Are Included in Your Software
See how much longer the list of ingredients became now that we’ve added all of these “hidden” ingredients? Now, ask yourself what would happen if one of your friends was allergic to milk, tapioca flour, or eggs but you didn’t know it. If they didn’t know those ingredients were included in the meal, it could lead to a potentially serious medical emergency, depending on the severity of their allergic reaction.
Likewise, similar concerns apply to your software and hardware devices. While the concern isn’t a food allergy or medical concern necessarily, not knowing what’s included in your software supply chain leaves your organization, network, and customers at risk. Knowing the A-Z of your software supply chain helps you stay abreast of any potential vulnerabilities and exploits you need to address before bad guys use them to attack your network and organization. This is crucial for risk analysis and mitigation activities, where you need to know how and where your systems are vulnerable.
The truth is that it’s rare to find a company that builds its software or hardware components entirely from scratch. (Doing so is just too complex, costly, and time consuming.) Instead, they integrate third-party and open source elements such as frameworks and libraries. When you consider that these components often operate with the same permissions as the software they’re a part of, it means the risk can be significant.
SBOMs help you have a better understanding of your supply chain and everything involved in it. They also help you better manage and mitigate risks by using them to analyze known vulnerabilities. This is why it’s best for them to be stored in a centralized repository that applications and systems can easily access and use.
Can’t a Software Bill of Materials Be Faked?
As with any electronic file, yes, there’s always a risk of that happening. However, there are safeguards that could be used to prevent digital tampering and to prove something is legitimate. One such method is to digitally sign your file before releasing it with your software. A digital signature is a way to simultaneously show that your file is authentic and hasn’t been tampered with since it was signed.
Is a digital signature required for use with SBOMs? No. But as Dean Coclin (CISSP) points out, one good option is to “use a cloud-based code signing service, which allows for uploads of code (or the hash) to be signed by the service and returned to the developer.”
Final Thoughts on SBOMs (And Why They Should Be Part of Your Risk Management Strategy)
Trying to mitigate risks for your software without knowing all the different components nested within it is like going to a dinner party when you have a severe peanut allergy and not bothering to ask if any of the dishes contain nuts. It’s not a smart practice and puts you at risk of a severe medical — err, cybersecurity episode. Instead, ask those questions and avoid the potential headaches, non-compliance issues, financial penalties, and lawsuits that you otherwise may face.
Nowadays, it’s uncommon for software developers to write all of their code from scratch. It’s far more common for devs to integrate open source code into their products because it’s cheaper and easier. As the saying goes: Why reinvent the wheel?
Making software bills of materials a standard component of every piece of software is a smart move. SBOMs provide the added layer of transparency organizations need to keep their data and networks secure and aid in making the vulnerability assessment and mitigation process a lot easier.
The next time you’re shopping for new software, be sure to speak with your vendor to see if their products have SBOMs available. Don’t be surprised if they don’t but be sure to ask anyway to make it clear that this is something you want to see as a software purchaser or operator.
