CISA issues guidance on defending against software supply chain attacks


The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week following the SolarWinds compromise, which affected thousands of entities across the United States and beyond. The guidance is a primer for companies: it explains what the software supply chain is and the points at which supply chain vulnerabilities are introduced, and it concludes with concrete recommendations for both vendors and their customers, including discussion of the Secure Software Development Framework (SSDF) and Cyber Supply Chain Risk Management (C-SCRM).

What is a software supply chain compromise?

The adversary's intent is to compromise third-party software installed on a target's systems in order to gain access to the target entity's information or capabilities. When this avenue of attack succeeds, it can compromise many or all of the organizations that use the affected vendor's software package. This was the case with the recent SolarWinds compromise, when the Russian SVR targeted one company's software update and patch infrastructure and thereby opened the door to a wide swath of that company's customers, to include those…

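The compromise pattern described above, in which the vendor's own update and patch infrastructure is subverted, has a consequence that customers often overlook: a trojanized build produced inside the vendor's pipeline is signed with the vendor's legitimate key, so the usual signature check on the downloaded update passes. The following Go program is an added illustration, not code from CISA or from the page, and uses a hypothetical vendor and constructed package bytes. It contrasts tampering in transit (caught by the signature) with a build-pipeline compromise (not caught by the signature, but caught by a hash pinned through an independent channel such as a reproducible build or an out-of-band vendor attestation, the kind of customer-side control C-SCRM guidance points toward).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Update is a constructed stand-in for a vendor's signed software update:
// the package bytes plus the vendor's detached signature over them.
type Update struct {
	Payload   []byte
	Signature []byte
}

// Vendor holds the signing key of a hypothetical vendor. In practice this key
// lives in the vendor's build and release pipeline, which is exactly the
// infrastructure a supply chain attacker targets.
type Vendor struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewVendor generates a fresh Ed25519 key pair for the hypothetical vendor.
func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{pub: pub, priv: priv}, nil
}

// PublicKey is what the vendor distributes to customers for verification.
func (v *Vendor) PublicKey() ed25519.PublicKey { return v.pub }

// Release signs whatever the build pipeline produced. A compromised pipeline
// signs a trojanized build just as readily as a clean one.
func (v *Vendor) Release(payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(v.priv, payload)}
}

// VerifySignature is the check most customers perform: does the vendor's
// public key validate the signature over the package bytes?
func VerifySignature(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}

// VerifyPinnedHash compares the package against a SHA-256 digest obtained
// through a channel independent of the vendor's release pipeline, so that a
// valid signature alone cannot vouch for a poisoned build.
func VerifyPinnedHash(u Update, expectedHex string) bool {
	sum := sha256.Sum256(u.Payload)
	return hex.EncodeToString(sum[:]) == expectedHex
}

// Verify requires both checks to pass before an update is installed.
func Verify(pub ed25519.PublicKey, u Update, expectedHex string) bool {
	return VerifySignature(pub, u) && VerifyPinnedHash(u, expectedHex)
}

func main() {
	vendor, err := NewVendor()
	if err != nil {
		panic(err)
	}

	// Constructed package contents for the hypothetical "acme-monitor" product.
	clean := []byte("acme-monitor v2.1.0: legitimate build output")
	cleanSum := sha256.Sum256(clean)
	pinned := hex.EncodeToString(cleanSum[:])

	// 1. Normal release: signature and pinned hash both pass.
	good := vendor.Release(clean)
	fmt.Println("clean release installs:", Verify(vendor.PublicKey(), good, pinned))

	// 2. Tampering after signing (e.g. on the download path): signature fails.
	tampered := Update{Payload: append(append([]byte{}, clean...), []byte(" + mitm payload")...), Signature: good.Signature}
	fmt.Println("tampered-in-transit passes signature:", VerifySignature(vendor.PublicKey(), tampered))

	// 3. Build pipeline compromise: the backdoor is inserted before signing, so
	//    the vendor's own key signs it and the signature check passes.
	trojan := vendor.Release(append(append([]byte{}, clean...), []byte(" + backdoor")...))
	fmt.Println("trojanized build passes signature:", VerifySignature(vendor.PublicKey(), trojan))
	fmt.Println("trojanized build passes pinned hash:", VerifyPinnedHash(trojan, pinned))
	fmt.Println("trojanized build installs:", Verify(vendor.PublicKey(), trojan, pinned))
}
```

The point of the third case is the one the SolarWinds compromise made concrete: code signing authenticates the publisher, not the integrity of the publisher's build process. A customer-side control that does not depend solely on the vendor's pipeline (a pinned digest from a reproducible build, a second attestation source, or at minimum monitoring of what a freshly updated component does on the network) is what closes the gap.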