Cyberattacks in the software supply chain
In September 2022, Philippine Airlines lost the personal data of frequent flyers when its IT provider was hacked, adding another example of the supply chain attacks that have plagued businesses around the world over the past year.
The cyberattack on a third-party IT provider to the airline resulted in the theft of names, dates of birth, nationality, gender and points balance, among other details.
Although it is unclear how the malicious actors managed to penetrate the victim’s systems, the incident once again reinforces the need to tighten security against supply chain attacks.
For many computer systems today, the use of third-party software in one form or another is unavoidable, such is the interdependence of the Internet and the complexity of the digital infrastructure.
It is estimated that 40-80% of the lines of software code come from third parties such as libraries, components and software development kits. Unfortunately, this is also one of the reasons production code built on third-party components is increasingly exposed to vulnerabilities that then enter digital services.
By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase from 2021, according to research firm Gartner.
Lack of visibility
This is a problem facing any digital economy and the Philippines is no different as it will provide more services over digital channels in the years to come. The way forward must involve better detection of these vulnerabilities without impacting performance.
For starters, you can only defend yourself against something if you know what you’re up against. Since many organizations don’t look in great detail at the many third-party programs they use, they often work with the expectation that the code is free of vulnerabilities.
Even with a vulnerability detection tool in place, many organizations fail to act on a threat because alerts are often too general or unable to tell the difference between production and non-production code. This means that the work required to clean up an infected or vulnerable system is too vast to be undertaken by already beleaguered security and enforcement teams.
Today, organizations continue to struggle with Log4Shell, a critical vulnerability found in a widely used Java-based logging component (Log4j). This flaw allows hackers to execute code on a victim’s system and gain control over it. It has impacted countless servers and applications built on Java, because Java is so widely used in modern IT infrastructure.
Yet when the threat first emerged last year, few organizations had the ability to quickly find the exact location of the vulnerability in their IT systems because Java was so widely used. The challenge was knowing where to look even when the dashboard lit up with a warning.
What is needed is greater accuracy, which is only possible with better visibility into existing solutions. Application scans in CI/CD, application agents and application inventories (software bills of materials, or SBOMs) are valuable approaches as part of a comprehensive security strategy.
However, these approaches also have drawbacks, including false positives that waste time through alert fatigue as well as a performance impact that puts a heavy burden on Java teams and their applications.
Take Azul Vulnerability Detection, a new software-as-a-service (SaaS) product that continuously detects known security vulnerabilities that exist in Java applications. With zero false positives and zero performance impact, it’s ideal for production use and addresses the growing risk to the business from software supply chain attacks.
Azul Vulnerability Detection uniquely identifies the code that is actually executed, using sophisticated and highly granular techniques inside Azul JVMs (Java Virtual Machines), and maps it against a Java-specific database of common vulnerabilities and exposures (CVEs). This produces more accurate results, even for custom code and shaded components, so IT teams can assess a vulnerability and resolve the issue quickly and efficiently.
Gain in agility
Admittedly, vulnerability detection tools are not new. Unfortunately, some end up providing additional security at the expense of performance. This means business agility suffers as the security tool slows down transactions and requires more IT resources and costs to operate.
Organizations need to find a way to overcome the software supply chain problem. They need smarter tools that can boost security without adding overhead or reducing performance.
When it comes to Java application security, the difference with Azul Vulnerability Detection is its use of Azul Java Virtual Machines (JVMs), which provide highly granular, run-time visibility into the code that is running and whether it is vulnerable. This enables faster remediation of vulnerabilities with significantly less operational overhead.
Additionally, because the tool is agentless, it avoids the performance hit typically associated with other security tools that require teams to install and maintain separate software. Taken together, Azul Vulnerability Detection makes security a byproduct of simply running Java software.
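To make the contrast drawn above between inventory-based scanning and matching on code the JVM actually executes concrete, here is an added Python sketch; it is not Azul's code and does not describe how their product is implemented. Every advisory id, version number, class name and fingerprint in it is constructed, and it assumes that a hash of each loaded class's bytes (a "fingerprint") is available as the matching key, which is what lets a shaded copy under a renamed package still be recognised.

```python
"""Constructed demo: SBOM (inventory) matching versus matching on the classes a
JVM actually loaded. Every id, version, class name and fingerprint is invented."""

# Constructed advisory: placeholder id, invented fixed version. 'fingerprints'
# stand in for hashes of the vulnerable class files, so a copy relocated into
# another package (a shaded jar) still matches although its name changed.
VULN_DB = [
    {"id": "VULN-PLACEHOLDER-1", "artifact": "log4j-core",
     "fixed_in": (2, 99, 0), "fingerprints": {"fp-lookup-v2"}},
]

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def scan_sbom(components):
    """Static view: flag every inventoried copy below the fixed version,
    whether or not it ships to production or is ever loaded."""
    out = []
    for c in components:
        for v in VULN_DB:
            if c["name"] == v["artifact"] and parse_version(c["version"]) < v["fixed_in"]:
                out.append((v["id"], f"{c['name']}@{c['version']}", f"scope={c['scope']}"))
    return out

def scan_runtime(events):
    """Runtime view: flag an advisory only when a class carrying one of its
    fingerprints was actually loaded; one finding per (advisory, jar)."""
    out, seen = [], set()
    for e in events:
        for v in VULN_DB:
            key = (v["id"], e["jar"])
            if e["fingerprint"] in v["fingerprints"] and key not in seen:
                seen.add(key)
                out.append((v["id"], e["jar"], f"loaded {e['class']}"))
    return out

# Constructed SBOM: a production copy, a test-only copy, and an app jar whose
# bundled (shaded) log4j copy does not appear in the inventory at all.
SBOM = [
    {"name": "log4j-core", "version": "2.5.0", "scope": "required"},
    {"name": "log4j-core", "version": "2.5.0", "scope": "test"},
    {"name": "reporting-app", "version": "1.0.0", "scope": "required"},
]
# Constructed class-load events from the production JVM; the test copy never loads.
LOADED = [
    {"class": "org.apache.logging.log4j.core.lookup.Lookup",
     "jar": "log4j-core-2.5.0.jar", "fingerprint": "fp-lookup-v2"},
    {"class": "com.example.shaded.log4j.core.lookup.Lookup",
     "jar": "reporting-app-1.0.0.jar", "fingerprint": "fp-lookup-v2"},
]

if __name__ == "__main__":
    print("SBOM findings:   ", scan_sbom(SBOM))      # flags the test copy, misses the shaded one
    print("Runtime findings:", scan_runtime(LOADED))  # only code that actually ran
```

The SBOM pass reports the never-loaded test copy (an alert that wastes time) and cannot see the shaded copy at all, while the runtime pass reports exactly the two copies whose vulnerable class executed.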
A winnable battle
Security should be built in from the start instead of being an add-on feature in a connected world. In other words, it needs to be embedded in software or part of a technology stack that is then used to build other digital services. Unfortunately, supply chain attacks against trusted vendors and third-party code pose substantial risk to the business.
The key to winning battles against increasingly sophisticated threats is being armed with the right tools that provide a solid defense while maintaining the agility that organizations need today. Even as cyber threats evolve, they must believe that they can ward off the bad guys over time and continue to deliver trusted digital services and experiences to their users.
Dean Vaughan is Azul’s Vice President, Asia-Pacific. Azul is the only company in the world that focuses solely on Java; its Azul Vulnerability Detection continuously detects known vulnerabilities in production applications.