Category: Security

Why are organizations turning to software-defined wide area networks? Explore why organizations should consider adopting an SD-WAN approach to revamp their digital networks

Editor’s Note: This is a guest blog contribution from Nahla Davies, a software developer and IT/tech writer. Davies explores what a software defined wide area network is, how it’s commonly used, and how you can transition your business to using this connectivity approach.

Increasing your organization’s networking capabilities, security, and bandwidth is necessary to enable corporate growth. This is particularly true for multi-site organizations that increasingly rely on cloud apps, teleconferencing, and video streaming tools. The COVID-19 pandemic has exacerbated these bandwidth concerns; outdated wide area networks (WANs) are incapable of scaling adequately to meet increasing demand, forcing organizations to look for a better solution to support their digital strategies.

It has been possible for individuals and businesses of all sizes to access high-speed Internet connections and critical data thanks to software-defined wide area networks, or SD-WANs. The SD-WAN market, worth $1.4 billion in 2019, is predicted to be worth $43 billion by 2030, according to Prescient & Strategic (P&S) Intelligence research. This means a compound annual growth rate (CAGR) of more than 38% over the forecast period (2020-2030).

But what is an SD-WAN and how could using one benefit your organization?

Let’s hash it out.

What Is a Software-Defined Wide Area Network? SD-WAN Explained

SD-WAN is the abbreviation for “software-defined wide area network.” It’s a way for you to connect your devices, systems and offices globally using multiple network connection methods, alternating between connections based on whatever provides the greatest connectivity in any given moment. The idea behind this flexible approach of distributing (routing) traffic across your network is to help you save money and increase network performance.

SD-WAN is a term that refers to a programmatic and automated way to manage your global enterprise’s network connectivity and circuit expenses through the use of virtual services. This software-based virtual network technology is more relevant than ever before for an increasingly remote workforce. It can assist you in providing your company’s network with reliable connectivity and significantly help tackle internet of things (IoT) security risks to ensure data privacy.

Other features of the SD-WAN include connecting your onsite and offsite resources instantly. SD-WANs use software to manage the connection between remote branches, data centers, and cloud instances.

Need a visual aid to understand these concepts? Check out this video:

https://www.youtube.com/watch?v=u2N7q1w26Mg

SD-WAN Versus a Traditional WAN or LAN

A local area network, or LAN, is the traditional network that works within your on-premises office to allow devices locally to connect and communicate with one another in a single, limited area. This differs from a vast wide area network (WAN), which connects devices located in remote offices or branches with applications and other network resources. WANs require a multitude of routers to operate at the locations to enable the branches to communicate — each of which must be managed and have rules created for it by your IT admin.

In general terms, LAN refers to the interconnected devices from within a building, while WAN refers to the interconnected devices from outside of the building. Both of these differ from an SD-WAN, which refers to routing traffic to different remote locations. SD-WAN also improves the hybrid WAN through packet management, bandwidth efficiency, dynamic path optimizations, applications monitoring and improved performance.

SD also makes it a lot easier to separate networks (such as public, private, and IoT networks). Historically, this would be a challenging task because it would require different switches or subnets. But some SD-capable routers can handle this separation fairly easily and quickly.

Popular Use Cases for SD-WAN

Before implementing an SD-WAN, it is vital to identify and organize your organization’s needs and its role in developing your business strategy. The following use cases represent a set of possible uses of SD-WANs (depending on the particular environment and your specific business goals). Always make sure to ask how SD-WANs can benefit your business and customers.

1. Direct Internet Access (DIA)

Integrated and cloud-based security offers better protection against Internet assaults. Dedicated internet access frees up bandwidth on the WAN while enhancing security and speeding up internet usage for branch employees and visitors. Branch employees and guests can connect locally via DIA, which reduces traffic on your WAN and improves internet speed. As a result, the branch now has a direct connection to the Internet, saving time and money.

Despite being predominantly software-centric, SD-WAN still requires some sort of hardware devices to operate (i.e., SD-WAN routers). However, while traditional WAN requires quite a lot of work and time to handle network operations, SD-WAN can reduce those efforts to a minimum. In fact, several SD-WAN devices offered today on the market such as devices offered by Cisco are plug-and-play (zero-touch provisioning) and brought online without administrative intervention at the branch/remote office.

2. Branch-to-Branch Connectivity

Organizations that need high-throughput, continuous connections from multiple offices have traditionally relied on multiprotocol label switching (MPLS) circuits or virtual private network (VPN) tunnels. MPLS circuits are a telecommunication routing method that transfers data from one node to another by identifying existing pathways between endpoints, while VPNs are designed to encrypt data shared over public networks.

SD-WAN has emerged as a new solution for branch-to-branch connections. It can minimize the burden and cost of managing the connectivity of branch offices with MPLS. SD-WAN simplifies and accelerates the procedure, so no excess time is wasted in standard ways to set up internet breakouts from branch/remote offices is time-consuming and mistake-prone. In contrast to typical networks, SD-WAN solutions do not depend on the traditional hub-and-spoke model, which might cause performance issues.

Existing ways to safeguard all user sites can be slow and error prone. Consider a scenario where dozens of users use a cloud-based service from different locations. SD-WAN can conveniently connect those users into one virtual location using SD-centralized WAN control and automation.

When branches link directly to the data center or cloud, transit time and overhead are reduced, bottlenecks are eliminated, and application performance is improved.

3. Application Performance Optimization

SD-WANs help network administrators define service-level agreements (SLAs) for specific applications by using SD-WAN to craft and enforce their own internal SLAs that match the requirements of the business. Specifically, teams can set parameters for uptime, fix times, and latency. This ensures that traffic is routed efficiently to meet those SLAs while also alleviating congestion, improves application performance, and possibly lowers networking costs. It allows the use of centralized application controls, which automatically direct critical programs around network difficulties

When an SD-WAN is in place, applications no longer need to be re-routed through the central site. SD-WAN enables managers to prioritize mission-critical apps and route traffic via the best transport available. For example, if you need to prioritize voice traffic over email, you can configure SD-WAN devices to prioritize voice packets (think VoIP) over other data. This will contribute to ensuring a smooth call experience.

Moreover, SD-WAN managers can prioritize key applications while deprioritizing less important ones using application-aware quality of service (QoS) capabilities. This can be used to offer precedence to the most critical applications, resulting in faster response times when the apps are managed directly. They can also monitor the SD-WAN environment at a high level to detect faults in real time.

4. Cloud Migration

The superior branch and cloud connectivity, application prioritization, and better visibility into network traffic are all good reasons why it’s worth considering SD-WAN for your cloud-first strategies.

Traditional WANs can only support applications from a central data center. But SD-WANs have been designed to fulfill the most stringent demands of cloud computing. They:

• Enable direct cloud access to all applications regardless of where the employee is located physically.
• Support application-based routing, allowing every app to use the most appropriate wide-area service per its needs.
• Enable all organization’s branches to get direct access to the internet.

On top of this, multi-cloud apps offer visibility and help simplify management.

6 Benefits of Transitioning to SD-WAN

Now that we’ve covered the basics of SD-WAN, let’s look at some of how SD-WAN can help enable digital transformation within your organization.

1. Secure Networks With Comprehensive Data Encryption

Experts aren’t in agreement about the security of SD-WANs. Some say they offer better security; others say they provide weaker security. Security teams would be wise to keep in mind that just because SD-WAN offers encrypted traffic as an initial level of defense, further defenses will be a must. But encryption isn’t everything; because you’re talking about a distributed system, encryption alone won’t cover all security aspects. You need other protections in place as well.

However, there is no industry standard for implementing security into SD-WAN. Several approaches include:

• Ensuring PCI DSS Compliance — Always ensure PCI-DSS compliance when transmitting sensitive customer or business financial data. SD-WAN allows you to segregate POS systems and other critical networks so you can isolate the POS system and its transmitted financial information from the rest of the network (better for data security). This is possible thanks to the flexible segmentation and provisioning capabilities that SD-WAN offers.
• Enabling encryption — Many SD-WAN tools enable you to use AES-256 encryption to secure traffic by application, so you can protect site-to-site traffic at any of your branch locations.
• Using next-generation firewalls — Even though most SD-WAN solutions come equipped with built-in firewalls, they often only include basic security filters such as packet filtering to reduce unauthorized access. However, they lack end-to-end coverage that remote enterprises require. Next-generation firewalls offer more advanced security methods, including deep packet inspection (DPI) and intrusion detection and prevention capabilities.

On that last note, firewalls included in low-cost SD-WAN appliances especially are often no different from those found in routers sold by big-box electronics stores. SD-WAN may have some capabilities that appear to improve cybersecurity, but these technologies aren’t always as robust as they would appear to be. Some SD-WAN suppliers advise you to replace them with a separate cloud-based firewall solution. This will also enable you to implement a centralized policy control for all locations and, when needed, push policy changes to multiple branches in a matter of seconds.

A new trend that complements SD-WAN and security technologies, known as SASE (an acronym for Secure Access Service Edge that was created by Gartner), can help your network be secure. In a nutshell, SASE is a kind of SD-WAN on steroids. It can do everything SD-WAN can do and more. It provides advanced, integrated security features, and it’s deployed in the cloud. Thanks to SASE, organizations can easily implement zero trust security (i.e., no device, user, or system should be trusted by default).

2. Fast and Dependable Connectivity

Enterprise networks usually fail to keep pace with the digital transformation of their consumers. SD-WAN can offer the necessary adjustments. It can help businesses support digital technologies such as voice over IP (VoIP), IoT, and corporate productivity apps.

Companies can use SD-WAN to establish fast and dependable connectivity for next-generation services and bring all their branches, sites, or locations on-net for business applications. They can do all this while also improving their capacity to track and regulate end-user experience at each location.

3. Better Network/Service Availability and Uptime

To succeed in the digital age, your company must first decide whether to implement a digital transformation strategy. However, a seamless failover is just as important if a critical process is dependent on uptime and availability. You might also want to look into application recognition with deep SSL inspection and traffic steering. The advantage of SD-WAN is its capacity to fine-tune and alter connections to assure peak performance.

4. Increased Data Transportation Flexibility

SD-WAN provides flexibility and agility through dynamic resource allocation, application-aware traffic routing, and short lead times for adding capacity and connectivity. Zero-touch provisioning and automatic network administration also simplify and minimize operation and management.

Creating an underlay network using SD-WAN is a lot more flexible than a traditional WAN. Paired with other integrations (such as ADSL, VDSL, and even 4G LTE), there’s virtually no limit to what you can do. This flexibility in transportation will enable branches to be connected more efficiently, regardless of their geographical location or any carrier limitations.

Utilizing the most cost-effective or acceptable bandwidth is possible depending on where a business or site is located.

Thanks to a centralized control base, it intelligently and securely routes traffic across several locations while concurrently adjusting bandwidth where it is most needed. Enterprises can benefit from broadband hauls without having to dismantle everything.

5. Instant Return on Investment

Organizations may expect a big return on their investment with a wholly integrated SD-WAN solution. Most IT executives predict at least 25% to 50% ROI from SD-WAN.

How? You may see an immediate return on investment due to:

• Reduced infrastructure costs
• Greater efficiency and reliability of cloud-enabled network services
• Consolidation with intelligent, flexible, and secure routing
• Greater flexibility due to on-premises or cloud-based controllers
• Integrated LTE connectivity

In some cases, enterprises may expect a 100% ROI from a fully integrated SD-WAN solution within three years. Some clients can accomplish this in just one year of implementation.

Hence, there’s less need to spend money on more expensive multi-protocol label switching (MPLS) links because direct internet links can handle the need for more bandwidth.

6. Preparation for Future Digital Innovations

SD-WAN becomes one component of the giant digital transformation puzzle in a business setting. Shifting to a software-driven virtual network could pave the way for future digital innovations because digital transformation requires the right mindset and a plan.

Remember P&S’s SD-WAN market size increase to $43 billion (by 2030) mentioned at the beginning of this article? This may be true for a variety of reasons. For starters, modern workplaces increasingly need to simplify their networks and more flexibility and efficiency when it comes to deploying cloud-based solutions.

If your company relies on a traditional WAN, you’ll want to consider turning to infrastructure-as-a-service (IaaS) and SaaS. Once done, you can add SD-WAN and replace your router-centric WAN with it. It’ll help you ensure reliable connections, faster access to applications, and integrated security. It may also help you cut costs by streamlining and automating your remote app distribution to offices globally.

How to Transition Your Existing Digital Network to SD-WAN

Right from the outset, security and networking specialists need to work together to develop comprehensive security policies with scalability in mind.

While you’re at it, don’t forget to define your transformation goals and SD-WAN solution scope and then move on to the following steps:

1. Assess Your SD-WAN Management Portal

Your SD-WAN management portal needs to be robust. So, you must identify if there are any issues with the SaaS application, data center, device stack performance, and network. Ensure that the application and connectivity health can be viewed in a single dashboard. It makes it easier to identify and report problems, ensuring that end-user performance is visible. If you want to make network modifications and configurations at any branch office in any part of the world, you should be able to use a portal.

2. Adapt to Real-Time Changes

Security solutions, such as segmenting and encrypting network traffic, must be able to respond to changes in the network that occur in real-time. The reality is that keeping up with the dynamic connections is essential to SD-WAN operations. This method can help the security function track and analyze data while also encrypting and decrypting with SSL/TLS so security teams can stay on top of potential security concerns.

3. Automate Your Security Mechanisms

SD-WANs are designed with integrated, automated security mechanisms built into the network as a best practice. As noted previously, just be aware that certain SD-WANs come equipped with only basic security features (such as basic firewalls); as such, you may want to consider updating to stronger versions.

4. Mitigate Software Vulnerabilities

Modern tech may introduce new gaps into your network architecture, compromising its security. Ensure that your SD-WAN provider has a rigorous vulnerability scanning mechanism and quality assurance (QA) process before releasing their code to the production environment. You should also inquire about their approach to security regarding industry and regional compliance considerations or whether they have conducted any vulnerability scanning and obtained the results.

Lastly, ensure that your SD-WAN provides regular updates to fill security patches.

Top Criteria for Selecting an SD-WAN Vendor

Corporate decision-makers and network planners intending to install an SD-WAN should consider a set of criteria that helps identify a solution’s capabilities and whether they align with the company’s goals. Here are some factors you should look for while picking an SD-WAN vendor.

1. Strong Network Security

When selecting an SD-WAN vendor, it’s good to consider security concerns. Businesses should partner with an SD-WAN provider that places a high priority on security when offering the service. Secure tunnels and encrypted traffic are standard features in SD-WAN, which provides a significant layer of security.

An IT provider, on the other hand, should provide additional layers of security such as:

• Round-the-clock monitoring. This should be managed and provided by a managed service provider (MSP) that can monitor and report on its ongoing security status.
• Automated threat detection. This can be managed via real-time threat detection software.
• Managed firewalls. Make sure the service covers the administration, maintenance, and monitoring of your firewalls
• Alerts and notifications. You should be notified instantly regarding potential security breaches
• Security incident remediation. What steps are in place to ensure that the breach will be addressed if/when it occurs? Plan ahead of time.

This is all part of laying the groundwork for the overall design you’ve chosen.

2. Control and Visibility

To effectively manage a network, optimize application performance, and keep the entire environment safe, it’s essential to have comprehensive visibility in every aspect of it. As SD-WAN evolves, it can resolve issues more quickly and gain more insight into future expansion.

3. Features and Customization Capabilities

The extensibility of SD-WAN providers should be considered when evaluating the qualities of their products and services. Also, make it a priority to simplify the process of adding further capabilities that promote scalability when needed, such as:

• Cloud connectivity
• Encryption key rotation
• Data Analytics
• Programmable APIs (so you can customize and scale SD-WAN gear’s configurations)

4. WAN Bandwidth Requirements

Think about what your WAN bandwidth needs are now and how they might grow in the future (three-five years). Ensure you’re getting the bandwidth you need to get the most out of your system.

As a general rule, the average small business with 10 or fewer employees shouldn’t need more than 10-15 Mbps. But a business that involves downloading large files of content on a regular basis, backup services, and cloud-based file-sharing services will likely need at least 50 Mbps.

5. Costs

Due to the SD WAN’s lack of hardware controls, it’s often regarded as being less expensive than traditional hardware-based networks. But there’s no doubt that the cost of an SD-WAN solution differs from one provider to another. Monitor your consumption expenditures to ensure they’re decreasing as anticipated.

If you’re content with the performance, make sure you only pay for what you’re getting. Don’t settle for shoddy work at a premium price.

6. Deployment Capabilities

It is now possible for your company to centrally manage the deployment of services across a distributed network using SD-WAN and network function virtualization (NFV), or utilizing virtual machines in place of physical appliance hardware.

Final Thoughts on Transforming Your Digital Networks With SD-WAN

SD-WAN provides an effective way for businesses to manage their remote network connectivity means via virtual services. Businesses globally are already benefiting from SD-WAN, and further technological advancements can inevitably increase the amount of business support they provide.

Cloud and SaaS services like Workday, Salesforce, Microsoft 365, and Dropbox can benefit from SD-WAN technology optimized for excellent application performance in on-premises data centers and public or private clouds. This way, cloud-first companies can deliver higher application quality of experience (QoEx) to their customers.

 

Whether you’re a software creator or software buyer, you’re vulnerable to software supply chain attacks. Here’s how you can protect your company and customers…

What would happen if a popular software (one that’s widely used across your organization and is sourced from a reputable vendor) turned out to have malicious code in it that allowed hackers to remotely access and control your employees’ machines? Unfortunately, that’s not just a hypothetical — that’s how many real-world (and costly) cyber attacks have actually happened.

Software supply chain attacks are one of the scariest types of cyber attacks because they’re carefully planned to cascade “downstream” to achieve the biggest impact possible. The idea here is that the attacker tries to compromise every person and organization using the affected software product or component.

A good example of a supply chain attack is the SolarWinds hack in 2020: hackers gained access to the SolarWinds build servers and inserted malicious code into the codebase for their Orion software. This allowed the attackers to gain access into any organization that installed the Orion software. This means that organizations using the well-known, reputable software product (Orion) were unknowingly giving a sophisticated hacker group access to their systems. Thousands of organizations were compromised this way, including major U.S. federal government and NATO agencies.

As such, software supply chain attacks are a growing concern for both software makers and software buyers:

• NCC Group reports that supply chain attacks globally increased 51% between July and December 2021.
• Anchore’s 2022 research shows that 62% of respondents indicate that software supply chain attacks have impacted their enterprises in the last year.
• It only takes one line of compromised code in one piece of software you use to impact all of your customers (and more).

Knowing this, how can you protect your organization against supply chain attacks? Let’s take a look at the basics of supply chain security, then explore practical advice from eight IT and cybersecurity experts on how you can protect your organization and customers. We’ll cover important tips for both software creators and software buyers — we’ve got a little something for everybody.

Let’s hash it out.

Software Supply Chain Security 101

What Is the Software Supply Chain?

Generally speaking, the software supply chain includes everything involved in the software development lifecycle. Practically, that means anyone and anything that could contribute or modify code that’s used in a software product, including:

• The software vendor who makes a software product, including their developers and systems.
• Creators of any third-party components or libraries included in the software (this could include individuals, organizations, and open-source communities)
• Distributors and other vendors who may be able to modify software before it’s delivered to customers
• Systems or parties involved in updating software once it’s been installed on the customers’ devices.

In many cases, the supply chain for a given software product can be very extensive, because most software is built using a mixture of code developed in-house and (many different) third-party components. Some of these third-party software components are so ubiquitous that we hardly even think about them — for example, it’s estimated that there are over one trillion SQLite databases in the world because SQLite is used as a component by so many popular software products.

What Is Software Supply Chain Security? It’s How You Prevent Software Supply Chain Attacks

Software supply chain security is about preventing bad guys from using your software supply chain as an attack vector to carry out attacks on your customers. The true targets in software supply chain attacks are your customers; you and your software products are just pawns they can use to achieve their goals.

Software supply chain security is about doing everything possible to prevent bad guys from infiltrating your network and deploying harmful code within your products that will be sent to customers. It encompasses all the policies, tools, and actions you (as a software vendor, for example) use to prevent these attacks.

When there are one or more vulnerable elements in your software supply chain, then your software product and overall organization are at risk. In a broad sense, supply chain cyber security is about securing everything relating to the process of how your software is created, distributed, and supported.

In particular, software supply chain security focuses on ensuring that malicious code or known security vulnerabilities cannot be added to a software product at any point. This includes ensuring that:

• Software developers are writing code that follows security best practices
• Third-party components (e.g., open-source libraries) are free of malicious code or vulnerabilities
• Your codebase is protected against unauthorized code insertions or modifications and you’re tracking all changes that are made (and who made them)
• Systems used to build/deploy software is protected against unauthorized access or injections
• Software is protected against modification and unauthorized additions during distribution/delivery process to customers
• Update processes to protect customers from receiving fake updates or legitimate updates that have malicious code injected

Why Software Supply Chain Security Matters

The truth of the matter is that software supply chain security issues affect everyone. Regardless of whether you’re creating software, supplying it, or buying it from others, no one likes unpleasant surprises. And that’s precisely what you get when you create or operate software with unknown vulnerabilities. But why is implementing strong software supply chain security so important? Let’s quickly go over a few key reasons:

• You have a professional responsibility to yourself and/or your customers. As a software creator, you have a duty to adhere to software security standards. You’re responsible for safeguarding the software products, data, and supply chain that connects you with customers.
• You’re regulatorily required to secure your data and systems. Building on the responsibility point — you’re also typically required to do so due to industry and regional regulations (depending on where you’re geographically based or countries you do business in globally). A couple of recent related examples can be seen in the National Institute of Standards and Technology (NIST) Special Publication 218 (SP-218), NIST Secure Software Development Framework, and U.S. Executive Order (EO) 14028. This executive order aims to enhance software supply chain security regarding the use of third-party software that federal agencies purchase and use. The NIST guidelines provide information relevant for software producers as well as the software purchasers (i.e., federal agencies).
• Your reputation and customers’ trust are on the line. Trust matters, and once it’s broken, you may not get it back. In fact, nearly a quarter (24%) of surveyed consumers told Privitar that they’d either terminate business with companies after they’ve been breached, or they’d do less business with them in the future. As you can imagine, a data breach can have a devastating toll on your customers’ bottom lines, customer relationships, and future business opportunities. Now, imagine if they’re breached because of an issue with your software (due to its vulnerable software supply chain). As the software creator or its supplier, that would have a devasting effect on your reputation as well.
• There’s no “re-do” button in software supply chain security. When it comes to securing your software logistics network, either you do it right or you don’t. Closing the stable door won’t do you any good if the horses already ran out. Dedicate the time and resources to secure your software supply chain from the get-go to prevent attacks from occurring.

How to Secure Your Organization’s Software Supply Chain

Most articles that talk about software supply chain security cover the topic from the perspective of software developers. And this is important, as this guide applies largely to that audience. But there are other considerations as well from the perspective of software procurers who buy the software that’s created.

Simply put:

• If you’re a software developer: You should be implementing the following list of 10 best practices and tips.
• If you’re a software buyer: Your goal should be to choose vendors who follow best practices like these.

1. Devote the Appropriate Resources to Securing Your Organization

Don’t be stingy when it comes to people, time, and money. Keeping your software supply chain secure should be among the highest priorities, and the reality is that accomplishing this requires a lot of resources.

Now, we’re not saying that throwing money at the problem will magically make all your security woes go away. But having a dedicated budget that’s set aside strictly for security purposes is a smart move and provides the necessary resources your organization needs to harden your defenses. This is money that can be spent in various ways, including:

• Upgrading your firewalls and other cyber security systems (such as intrusion detection and response tools)
• Adding skilled and knowledgeable workers to your in-house IT team
• Investing in third-party service providers to carry out assessments and penetration testing
• Incentivizing security-related innovations and initiatives
• Increasing cyber awareness and best practices usage among your employees through various trainings

2. Make Security an Organization-Wide Priority for Everyone

A good application security strategy is one that encompasses all elements of your software supply chain. Jeff Williams, co-founder and chief technology officer at Contrast Security, says that achieving a secure supply chain (i.e., as secure as you can make it) boils down to knowing:

• What code you write
• What tools you use to develop and create software
• How you secure your code and systems
• Which third-party applications you buy and use

While some leaders may argue otherwise, security isn’t a siloed initiative. It’s a group effort — one that all employees (and other network users) participate in that should be led from the top of your organization. Bradley Jackson, the Director of Software Engineering here at The SSL Store, underscores this idea:

“It’s not the job of one person or a QA team to find vulnerabilities or point out flaws. It’s a team effort — from the developers, to DevOps, DBAs, marketing & bizdev, to ensure they’re not asking for functionality that can’t be done securely — all the way to the CEO to not rush a product to market at the sake of security.”

3. Understand Your Dependencies (Know What’s Going Into Your Software)

Asaf Ashkenazi, CEO of Verimatrix, points out an uncomfortable truth: you often don’t know what code is used in your software and where it was sourced from.

“Whether an organization is CREATING and distributing software products, or they are just USING [third] party software, the libraries used are likely to come from different sources. Whether it is an open source library or a licensed software solution, it’s vital their organization track where these components are used to allow for fast patching in case of a discovered vulnerability or routine security updates.”

Open source repositories are great because they save time and money by not having to create code from scratch. But open source resources can also introduce vulnerabilities that, otherwise, wouldn’t exist in your software or systems. This is why Steve Judd, senior solutions architect at JetStack, by Venafi, cautions using open source repositories without first auditing and evaluating the risks associated with them:

“If a threat actor does compromise a repository, they have the potential to launch a one-to-many attack, which has become the standard in supply chain attacks. Because open source repositories are used so widely by developers looking to save time and resources, popular [artifacts] could be used by thousands of companies. So injecting code into one repository could send shockwaves across multiple organizations, and potentially millions of end users. Ultimately, once the malware makes its way into an application or website, hackers can create disruption, steal data and IP, spy on users and create backdoors.”

Dan Chernov, chief technology officer at DerSecur, describes software-based businesses using the analogy of traditional brick building. In this case, he says that removing one brick from a key location can leave the integrity of a structure at risk of collapse. (Think of a brick that’s located at the top of an arch; if a key brick is missing, it can lead to failure in the overall design.) This is why it’s important to know what you’re putting into your software and to keep tabs on what you’re using and whether those elements have any known vulnerabilities:

“Software vulnerabilities are the open door for hackers into the organization, inside the IT systems which process valuable data. That’s why its vitally important to check all company’s software, developed either in house or via outsourcing as well as open source components, for vulnerabilities and backdoors.

To support this, your organization needs to commit management and resources to tracking the sources of your components and implementing application security practices. It’s an initiative that Chernov says should be performed and managed by your chief information security officer (CISO).

Put a Software Bill of Materials (SBOM) to Use

Another way to help secure your supply chain is to create a software bill of materials (SBOM) for your products. If you’re a company using third-party software applications, ensure they offer SBOMs. In a nutshell, an SBOM is a list of all the various components contained within your software, web app, or device (such as libraries, tools, and plugins). This way, you know exactly what tools, code, and resources have been used to create your software artifact.

Think of an SBOM like a recipe card or ingredient list on a packaged food product. If you have a food allergy, you can look at a food product’s list of ingredients to know whether it is something safe for you to eat. If it contains something you’re allergic to, you know that eating it would be risky and could make you sick (or worse).

Likewise, knowing what elements (proprietary and outsourced) are contained within your software helps you and your customers achieve greater supply chain visibility and security. Something else that’s vital to visibility and security is knowing whose hands are in which pies.

Brian Fox, CTO of Sonatype and a member of the Open Source Security Foundation (OpenSSF), calls out the importance of SBOMs for all organizations:

“SBOMs are especially important when identifying cybersecurity risks in critical application infrastructure across industries. It’s also worth noting that the U.S. government is constantly releasing new directives and best practices to secure the software supply chain to ensure the private vendors they work with provide the most secure products.

While agencies both in the U.S. and internationally may soon be required to create SBOMs to retain those government contracts, I believe organizations will quickly recognize their importance in not only cybersecurity but general software hygiene – and it will become a standard practice in any organization creating software.”

4. Practice Secure DevOps (SecDevOps or DevSecOps)

Implementing a secure development and operations life cycle should be a no-brainer. But for some reason, some companies either haven’t received the memo or they choose to put their fingers in their ears and start humming. So, since we have your attention, let’s be clear: if you develop or publish software, then it’s imperative that you follow a secure software development life cycle.

Bad guys are always looking for ways to compromise systems and gain access to valuable information. By not securing your devops life cycle, you’re not only leaving your own systems at risk but also jeopardizing your customers’ systems and data.

Williams emphasizes this point, showing that it’s the sum of all parts, and not just one-off independent elements, that makes for greater software supply chain security. He describes SolarWinds as being a wake-up call that highlights the importance of securing supply chains that extends beyond traditional cyber security methods.

“We cannot fix this with an occasional vulnerability scan or penetration test. We must prevent adversaries from getting into the software factory via code, libraries, tools, and platforms.”

Prioritize Security Over Speed or Other Interests

This next truth is a bitter pill your company’s sales and finances execs may not want to swallow: the security of your software should take priority over the speed of its release and distribution. According to Williams:

“Collaboration between developer teams and security teams is key here. But there has been friction in the past as developers are under pressure to work at speed, and security teams are under pressure to work securely. Unfortunately, these concepts don’t always align, and one is prioritized over the other – usually speed over security, hence why we see so many attacks targeting software supply chains.”

Digitally Sign Your Software Using a Code Signing Certificate

Code signing is a technique that enables you to attach a special signature of sorts to your code, containers, software and other executables. This cryptographically based method ensures the integrity of your software (i.e., so your customers know it hasn’t been tampered with since you signed it) and that helps customers know your software is authentic (i.e., that it was published by you and not an imposter).

Now, it’s no secret that we love code signing here at Hashed Out. After all, it’s a public key infrastructure (PKI) security technique that enables you to protect your software and assert your digital identity. (And, as you know if you’ve read our previous articles, we love digital identity!) Unfortunately, not all companies or developers opt to use them. This results in unsightly “unknown publisher” or “software not trusted” warning messages displaying to their users:

5. Manage Access to Your Systems and Servers

Ah, yes, people. Human beings are, simultaneously, the greatest contributors and risks to the security of your supply chain and organization overall. All it takes is one moment of inattentiveness for an employee to fall for a phishing email that could compromise their credentials. (Yup, it happens to the best of us.)

Of course, securing access is a general cyber security best practice for all organizations. But when it comes to software supply chain security, it’s crucial to ensure that no one tampers with your software during the development process in particular.

Limit Who Has Access to What

Limiting how many people have access to privileged systems also limits the exposure risk of those systems when things go wrong. An attacker can only access the limited systems and data associated with that individual user’s profile. This is why access to your systems, data, and servers (especially your development and production servers) should be managed carefully and privileged access given sparingly.

Here’s a good rule of thumb to abide by: everyone doesn’t need access to everything. Only assign permissions and privileges to users whose roles and responsibilities require them.

Use Secure Authentication Methods

It’s no secret that cybercriminals love passwords. Compromising passwords is a very lucrative practice for bad guys. People tend to use really crappy passwords that are easy to guess via brute force attacks, or they give them to attackers who trick them using phishing tactics. A good way to avoid password-related security issues (i.e., have strong password security) is to avoid using them altogether.

One of the things we love to highlight here at Hashed Out is the use of public key infrastructure. (PKI is the foundation of internet security as we know it.) When it comes to secure authentication, something that PKI offers is the ability to use cryptographically secure mechanisms (i.e., a client authentication certificate) to:

• Log in to systems without having to use usernames and passwords that can become compromised (and leave your systems at risk), and
• Verify it’s really your employee who’s trying to access a protected resource (i.e., not an unauthorized user or cybercriminal).

Another option is to use multi factor authentication (MFA) apps that allow you to authenticate without having to type in any passwords. For example, you might receive an app-based push message on your mobile device that prompts you to authenticate whenever you try to access a protected resource.

6. Scan and Monitor Your Digital Assets

Even if you’re doing everything right to keep your network, website, IT systems and other digital assets as secure as possible, attackers can exploit vulnerabilities to upload malware. The same can be said about your website. When customers then visit your website, instead of downloading your legitimate software or patches, they may find themselves installing malware instead that’s been uploaded to your site.

Part of this entails keeping your website’s plugins, themes, and codebases secure. Jeremy Clifford, CEO of RouterCtrl, has worked as a network specialist and engineer for more than 20 years. He says that GitHub is not just a way to maintain a code history, but it’s also a repository that can help you secure and protect your supply chain.

Clifford shares his insights regarding the importance of maintaining a secure codebase:

“Keeping the codebase secure should be the number one priority of […] any tech company. Not only could nefarious code bring your site down, for example, but they could also insert code into your site that would collect and send personal data, turning your innocent site into an unwilling accomplice to a crime.

[…] require that all code merges require multiple peer reviews and that merges into the master or production branches can only be done by certain approved parties. This way you’ll get multiple sets of eyes on each code change to ensure that only the intended changes make it in.”

Know What Software and Devices You Have on Your Network

Having visibility is critical to network security. If you don’t know what connects to it (devices, applications, etc.), how can you keep it secure? This is the underlying concern of shadow IT for many organizations.

Having unknown and untracked assets on your network like jumping into a lake filled with alligators while wearing a blindfold: you’ll never know what direction an attack is going to come from, and there’s no way to defend yourself.

7. Patch and Update Your Systems Regularly

If your systems aren’t patched and secure, then it means there are vulnerabilities that bad guys can exploit to use as an access point to your network (and, ultimately, your development and production servers) Patches are kind of like life vests: getting one won’t do you any good if you don’t bother wearing it when you go boating.

Let’s take Microsoft’s Patch Tuesday updates as an example. Almost every Tuesday, Microsoft rolls out updates for different products to help organizations and users mitigate the latest vulnerabilities. Back in 2017, Microsoft rolled out an update of their legacy Windows operating systems to mitigate security issues relating to vulnerability within their systems that resulted in an exploit known as Eternal Blue. However, many companies globally failed to apply the update within a reasonable amount of time.

The result? A global ransomware attack that resulted in catastrophic damages for governments and private sector entities in more than 150 countries. For example, the United Kingdom’s National Health Service (NHS) found its operations screeching to a halt. Thousands of surgeries and appointments were canceled and, in some cases, institutions had to divert emergency responders to other facilities. There’s also the issue of ransomware attacks causing fatalities by targeting critical infrastructure…

Eliminate Outdated Components and Software

Time isn’t kind in many aspects. As humans, we grow older and we start to feel like we’re falling apart.  The same happens with software and other technologies over time — they become less secure, particularly when their manufacturers stop maintaining them with new patches and updates.

Ashkenazi, who has a background in systems design engineering and architecture, says that a critical step that often gets overlooked is managing and rotating out old technologies. “Continually ask yourself if you’re using a timely cycle to age out some of the stuff that is old and probably (or definitely) less secure.” He points out that some suppliers stop supporting their software with updates and security patches. So, it’s important to examine your software supplier’s track record to see if they’re one of the ones that continue support or drop off after a few years.

8. Set Security Requirements With Third-Party Vendors

Do you know what your software vendors are doing to keep their software — and, by proxy, your organization — secure? If the answer is no, we’re not surprised.

The NCC Group’s research we mentioned at the beginning of the article shows that almost half of surveyed organizations (49%) neglect to set security standards with their service providers ahead of time. But what makes matters worse is that 34% also indicate that they don’t “regularly monitor and risk assess their suppliers’ cyber security arrangements,” either.

This is particularly concerning considering that third-party risks are frequently the result of contractors or service providers having access to sensitive systems and data. Think of the 2013 Target data breach when the network credentials of one of their third-party HVAC vendors were hacked, giving attackers access to Target’s systems.

Ilam Padmanabhan, solution delivery manager at Nets Group, has two decades of experience in the tech and financial services industries. Padmanabhan says it’s important to both stay abreast of what vendors are doing to keep their software secure and to keep them informed about any vulnerabilities they discover on their systems:

“To ensure the security of their suppliers, [companies] should conduct regular security audits and require their suppliers to meet certain security standards. They should also establish communication protocols so that they can quickly notify their suppliers of any vulnerabilities that are discovered.”

Conduct Risk Assessments of Your IT Systems

Keeping an eye on your IT ecosystem entails more than just monitoring your network. It’s also about keeping tabs on everything that touches your network — applications, personal and company devices, IoT devices, etc. You need to know who has access to everything, including third party vendors and contractors. Part of this entails performing cyber security risk assessments that help you identify vulnerabilities and prioritize mitigation efforts.

If you’re not sure how to perform a cyber risk assessment, no worries. We’ve already got a resource ready to go for you. Of course, simply figuring out what risks there are and how to prioritize them isn’t enough. You also need to have plans in place for how to respond to them and for how to keep your business going…

9. Create Business Continuity, Incident Response and Disaster Recovery Plans

We get it — accidents happen and, sometimes, things go wrong. These types of scenarios span the gamut from natural disasters to man-made issues like cyber attacks. But if you’re smart, you’ll plan ahead for when things go wrong (because, inevitably, they will) so you’ll have plans in place for how to respond to bad situations.

A few examples of some of the plans you can create and implement include:

• Business continuity (BC) plan — A BC plan provides guidance on keeping your business up and running while crap is hitting the fan. It’s easier said than done, but with the right plan and people in place, it can be enough to keep your business from failing in the interim.
• Incident response (IR) plan — This document serves as your guide for what to do when you’re in the thick of things and feel like you’re facing down a dragon. The goal is to stop whatever’s happening from happening and to prevent further damage from occurring.
• Disaster recovery (DR) plan — A DR is all about helping your business in the aftermath of whatever ungodly scenario your organization has just endured. This typically involves implementing data backups and trying to get your organization back to being fully functional.

10. Train Your Employees on General Cyber Security and More Specialized Practices

A key part of any cyber security strategy is providing educational training and resources to your staff and other network users. In general, everyone who touches any company device or has access to your network should be trained to increase their cyber awareness and to recognize threats. But the training doesn’t have to stop there; you also should provide more specialized, in-depth or technical training to increase the security of your privileged users. This is something that you can offer in house or consider hiring a third party to handle for you.

Regardless of which approach you take, the important takeaway is to educate your employees. They’re your first line of defense in all aspects of cyber security, including the protection of your supply chain.

Train Your Organization’s Software and Technology Buyers

The same training concept applies to technology buyers, too. If you want to ensure that your company is using only the most secure software, educate your employees who are responsible for making those purchases. Provide them with guidelines and standards they can refer to when vetting prospective software creators and their products.

Meet the Experts

We offer a special thanks to all of the experts who shared their insights with me to write this article. They’re listed in alphabetical order by last name:

• Asaf Ashkenazi, CEO at Verimatrix
• Dan Chernov, chief technology officer at DerSecur.
• Jeremy Clifford, CEO of RouterCtrl.
• Brian Fox, CTO of Sonatype and an OpenSSF member.
• Bradley Jackson, Director of Software Engineering at The SSL Store.
• Steve Judd, senior solutions architect at JetStack, by Venafi.
• Ilam Padmanabhan, solution delivery manager at Nets Group.
• Jeff Williams, co-founder and chief technology officer at Contrast Security.

TL;DR: A Quick Overview of Supply Chain Security

Still reading? Awesome. We hope you’ve found these experts’ insights informative and useful. If you jumped to this section to save time, we’ve got a quick summary for you of why software supply chain security matters to software creators and buyers alike:

• Strong and effective supply chain security comes from the top-down. Security isn’t a one-man-band kind of thing. It’s an initiative that should be led by your organization’s board and other leaders and should be owned by everyone.
• Know what’s in your products (or the third-party products you use). As a provider, you need to review and approve every component that is included in your software. This helps you (and your products’ users) achieve greater IT environment visibility and security.
• Carefully manage access and implement secure access methods. Only assign access to those who need it to do their jobs. Use authentication methods that offer the highest levels of security (like MFA and PKI-based authentication).
• Keep your systems patched and free of vulnerabilities. This should be a no-brainer but it’s worth reminding everyone anyhow. Unpatched systems are vulnerable, and vulnerabilities are big, flashing neon signs that tell cybercriminals “I’m open to attack!”
• Digitally sign your software to inform users your software is legit and unaltered. If you want your customers to know that your software is authentic and hasn’t been modified since you made it, a good way to ensure this is to digitally sign it. Attaching a digital signature uses cryptographic functions to assert your digital identity and offer assurance about the integrity of your software.

Alright, that’s it. We’ve kept you long enough and are sure you’ve got work to get back to now. Remember: your software is only as secure as you make it. Invest the time, resources, and efforts now to save yourself a lot of headaches — and money — in the future. Don’t allow yourself to sacrifice security for the sake of getting your products out faster.