Dr Marc Manzano, general manager, cybersecurity at SandboxAQ and Ryan Hurst, SandboxAQ advisor, explore the role of cryptography in the software supply chain.

Securing the software supply chain has become a critical priority due to high-profile breaches and increasing regulatory oversight. International organisations like CISA and NIST stress the urgent need to improve how we inventory and manage the software and services we depend on. 

The growing complexity of modern software systems, coupled with the potential for widespread disruption from a single compromised component, underscores this heightened focus. Recent events, such as the SolarWinds breach, have demonstrated how interconnected systems can be exploited. Similarly, the recent outage related to CrowdStrike’s software update highlights how a single error can rapidly cascade throughout the global economy. 

Regulatory bodies worldwide, including the European Union with its EU Cybersecurity Act, are actively working to address the supply chain vulnerabilities that contribute to these incidents.

As security leaders, we must not overlook a crucial aspect of the software supply chain: cryptography. By establishing comprehensive standards for cryptographic usage, key management, and continuous monitoring, we can more effectively address these challenges.

The Problem: Inadequate Cryptographic Management

Modern software relies on multiple third-party libraries, open-source components, and numerous dependencies. 

This interconnectedness can hide vulnerabilities and create security blind spots, which is also true for these components’ cryptography. According to the Verizon Data Breach Investigations Report (DBIR), leaked credentials—often synonymous with leaked cryptographic keys—are among the most common attack vectors. These machine and workload keys can become compromised due to inadequate key management practices. This then grants attackers unauthorised access to sensitive systems and data.

The lack of automated tooling to efficiently manage the myriad of software components often leaves organisations unaware of the deep security risks associated with their software dependencies. Outdated or insecure libraries, such as those using broken cryptographic algorithms or outdated protocol versions, may be integrated into critical systems. This makes it difficult to fully understand and address the risks posed by poor cryptographic practices in your software supply chains and deployments.

Ensuring that third-party vendors adhere to modern cryptography management practices is essential for mitigating these risks. Widespread use of weak cryptography can expose the entire supply chain to catastrophic vulnerabilities. 

The Heartbleed bug in OpenSSL, used by many third-party providers, exposed millions of systems to data breaches, underscoring the need for cryptographic standards and monitoring for them in your supply chain. The Debian OpenSSL bug, where a change in the code led to predictable keys, affecting millions of SSL/TLS keys, highlighted how critical it is to ensure robust and secure implementations. Additionally, regulatory requirements such as HIPAA mandate the encryption of ePHI, with non-compliance leading to significant fines, as seen in the $16 million Anthem Inc. settlement. This highlights the critical need for robust cryptographic management to avoid legal repercussions and ensure compliance.

Mitigating Hidden Threats

There are many vulnerabilities that affect cryptography specifically, from insecure cryptographic libraries and implementations to inadequate monitoring and outdated cryptographic protocol versions. 

Ensuring compliance with good cryptographic management practices, robust key management, and comprehensive reporting are the first line of defence. Regular audits, integrated into procurement processes, help maintain up-to-date and effective cryptographic practices. Continuous scanning and threat intelligence feeds keep organisations ahead of emerging threats. 

Organisations must also stay informed about changes in industry standards and update their practices accordingly to ensure ongoing compliance. Recognising the importance of these practices, the White House’s Executive Order on Improving the Nation’s Cybersecurity has mandated the discovery and inventory of cryptographic keys to bolster software supply chain security.

Operational Continuity is another critical aspect of securing the software supply chain. Disruptions caused by outdated certificates, cryptographic migration issues, or attacks significantly impact business operations. For example, the Microsoft Teams outage in 2020, caused by an expired certificate, demonstrated how failures in certificate management could take down business-critical services. This incident highlighted the importance of maintaining robust cryptographic management practices to ensure operational resilience and reduce the risk of business disruptions.

Supply chains often involve the exchange of sensitive data and proprietary information between partners. 

Without modern cryptography management measures in place, it is challenging to reduce exposure to cryptographic vulnerabilities or to provide evidence for compliance with cryptography-related guidelines. The Codecov attack in 2021, where attackers manipulated scripts to exfiltrate sensitive data, highlights the necessity of secure cryptographic practices to protect intellectual property and maintain data integrity. 

This breach demonstrated how vulnerabilities in the supply chain could be exploited to access and steal valuable information, emphasising the criticality of having robust cryptographic measures in place.

Robust Key Management

Implementing automated key rotation and revocation processes is essential to reduce the risk of key compromise. However, focusing on last-mile key management is equally important. 

This means ensuring secure key distribution and usage at the endpoint, where credentials and keys are often most vulnerable. Many organisations fall short by focusing solely on “secret sprawl”. They focus too much on centralising keys and credentials but then distribute them across deployments without proper controls. This narrow focus leads to “secret spray,” increasing the risk of key leakage and unauthorised access. A stark example of the consequences of inadequate last-mile key management is the Storm-0558 incident. Chinese hackers were able to forge authentication tokens by exploiting poorly managed cryptographic keys. This breach highlighted how failures in endpoint key management can lead to significant security incidents. It also emphasised the need for robust last-mile key management to close the loop on end-to-end security.

Additionally, employing tools that provide real-time monitoring and alerting for cryptographic missteps and policy violations is crucial. Similarly, requiring vendors to maintain and regularly update Software Bills of Materials (SBOMs) helps ensure transparency of all components. SBOMs provide a detailed inventory of all software components. However, they do not capture the cryptography they use. This makes it hard to identify and address cryptographic vulnerabilities when they become known. 

This is where discovery tools come into play. They help you hold vendors accountable for their security promises by discovering how they use cryptography, and how you use the cryptographic capabilities of their products.

The Approach: Centralised Cryptography Management

Incorporating strong cryptographic management into the heart of software development and operations is essential for overcoming these challenges. 

A centralised cryptography management system ensures that all software components comply with rigorous cryptographic standards. This system should automate key management, continuously monitor cryptographic activities, and ensure adherence to industry regulations and standards.

Final Thoughts

Protecting the software supply chain requires a proactive strategy in cryptographic management. 

Organisations must adopt comprehensive standards, implement effective key management practices, and maintain detailed inventories of cryptographic usage. Continuous monitoring and thorough reporting are equally crucial to ensure ongoing security and compliance.

  • Digital Supply Chain
  • Risk & Resilience

Related Stories

We believe in a personal approach

By working closely with our customers at every step of the way we ensure that we capture the dedication, enthusiasm and passion which has driven change within their organisations and inspire others with motivational real-life stories.