Do you really know what’s in your software?
Nowadays, open-source is everywhere—in almost all proprietary codebases and community projects. For companies, the question isn’t if you are or aren’t using open-source code. It’s what open-source code you’re using and how much. If you aren’t aware of what’s in your software supply network, an upstream vulnerability in one of your dependencies can affect your software, making you susceptible to potential cyberattacks.
What is a Cyberattack in the Software Development Lifecycle?
Cyberattacks in the software development lifecycle are an emerging kind of threat that targets software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
Attackers hunt for unsecured network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.
Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software development lifecycle attacks, vendors are likely unaware that their apps or updates are infected with malicious code when released to the public. The malicious code then runs with the same trust and permissions as the app. The number of potential victims is significant, given the popularity of some apps.
Types of Cyberattacks in Software Development Lifecycle
- Compromised software building tools or updated infrastructure
- Stolen code-sign certificates or signed malicious apps using the identity of the development company
- Compromised specialized code shipped into hardware or firmware components
- Pre-installed malware on devices (cameras, USB, phones, etc.)
How Does a Cyberattack in Software Development Lifecycle Work?
Cyberattacks in the software development lifecycles piggyback legitimate processes to gain uninhibited access into a business’s ecosystem. This attack begins with infiltrating a vendor’s security defenses. This process is usually much simpler than attacking a victim directly due to many vendors’ unfortunate myopic cybersecurity practices.
Penetration could occur via multiple attack vectors. Once injected into a vendor’s ecosystem, the malicious code needs to embed itself into a digitally signed process of its host. This is the key to gaining access to a vendor’s client network. A digital signature verifies that a piece of software is authentic to the manufacturer, which permits the transmission of the software to all networked parties.
By hiding behind this digital signature, malicious code is free to ride the steady stream of software update traffic between a compromised vendor and its client network.
Compromised vendors unknowingly distribute malware to their entire client network. The software patches that facilitate the malicious payload contain a backdoor that communicates with all third-party servers; this is the distribution point for the malware.
When a victim installs a compromised software update from a service provider, the malicious code is also installed with the same permissions as the digitally signed software, and the cyberattack is initiated.
Once installed, a remote access trojan (RAT) is usually activated to give cybercriminals access to each infected host for sensitive data exfiltration. A cyberattack in the software development lifecycle could be used as a prelude to a mass ransomware attack.
Recent Instances of Cyberattacks In Software Development Lifecycles
Cyberattacks in the software development lifecycles allow cybercriminals to infect many victims without having to deploy phishing attacks on each target. This increased efficiency has boosted the prevalence of this attack method late.
- Dependency confusion, 2021 – In early 2021, security researcher Alex Birsan (@alxbrsn) unveiled a software development lifecycle cyber-attack vector named “Dependency Confusion.” He breached the systems belonging to the likes of Microsoft, Apple, Uber, and Tesla. The goal of these cyberattacks is to implement unauthorized code within the target’s internal software build system. The technique functions by uploading malicious packages to public code repositories and giving them a name that’s the same as the package stored in the target developer’s internal repository. Developer’s software management apps often favor external code libraries over internal ones, so they end up downloading and using malicious packages than trusted ones.
- Mimecast, 2021 – Cloud security firm Mimecast reported that hackers had compromised an authentication certificate used by the vendor to validate its services on Microsoft 365 Exchange Web Services. Roughly 10% of Mimecast customers use applications that rely on the compromised certificate, but Mimecast said that only a handful was affected.
- SolarWinds, 2020 – This event will likely be the ubiquitous example of a cyber attack in the software development lifecycle deep into the future. In March 2020, nation-state hackers penetrated internal U.S government communications through a compromised update from its third-party vendor, Solarwinds. The attack infected up to 18.000 customers globally, including six U.S government departments:
- The Department of Energy
- The National Nuclear Security Administration
- The U.S Department of State
- The U.S Department of Commerce
- The U.S Department of the Treasury
- The Department of Homeland Security
Investigations are still ongoing. It may take months, or even years, to discover the final impact of a cyberattack dubbed by experts as one of the most sophisticated cyberattacks in the software lifecycles ever deployed.
The Financial Impact of Cyberattacks on the Software Development Lifecycle
The financial impact of a cyber attack in the software development lifecycle could be massive, irrespective of the size of a business. Several factors add to the resulting cost: breach investigation efforts, loss of business due to reputation damage, and regulatory fines.
In addition to regulatory burdens, the high price of data breaches results from the prolonged remediation time of each incident. 280 days is about 75% of the year, which is a significant amount of time to pay for additional corrective action while profit margins dwindle or even plummet.
The key to driving down costs in a cyberattack in the software development lifecycle is to have a finely tuned remediation process at hand that can be activated at speed.
Speedy detection and remediation could also minimize the time cyber attackers spend in your ecosystem, which will, in turn, reduce the amount of compromised sensitive data.
Way Forward: How to Guard Against Cyberattacks in the Software Development Lifecycle?
The key to defending your software development lifecycle is to ensure each of your third-party vendors is compliant with the strictest of cybersecurity standards, whether or not regulatory requirements are enforced.
Complacency is the primary impetus to software development lifecycle cyber-attack vulnerability. This is partly because businesses are unaware of how susceptible even the most trusted vendors are to data breaches. To keep your third-party vendors compliant, security questionnaires should be sent to each of them regularly to scrutinize their security posture continuously.
Two-factor authentication could also prevent cyber attacks in software development lifecycles. If Vendors activate this security protocol, threat actors will be presented with an additional chasm to cross between themselves and a vendor’s internal systems.
About the Author
Dan Levin – President
Dan is a founding member of Liventus and currently serves as the President. He oversees business operations, growth and manages software development.