The Global Software Supply Chain: Why it Matters
You’ve read the news. You’ve heard the stories surrounding networks that have been compromised through targeted hacks, back doors, and embedded malware.
It is no secret that data breaches and malicious network attacks are on the rise, and so is concern among network administrators.
Networks are a mission-critical part of daily and long-term operations, and any type of outage can bring these enterprises to a grinding halt—and in some cases even cause life-threatening situations. Protection of end-user devices and enterprise computers and databases has received a great deal of attention for some time now. This is an essential component of overall security and must be continually improved upon, but we also need to look at what is being done to ensure the equipment within the network is free from back doors, malware, and other vulnerabilities that provide unintended or unauthorized access.
A malicious attacker can exploit a vulnerability in the equipment's source code just as a vulnerability can be exploited in an end-user device—and once in the system can steal, change, and/or destroy information or the network itself.
Take for example recent news reports about unauthorized code found in a vendor’s firewall operating system used by the U.S. government. This unauthorized code could allow a knowledgeable attacker to gain administrative access to the firewall and decrypt VPN connections (i.e. decrypt the communications passing through the firewalls). There is the potential for a significant security risk when equipment with unverified source code is placed into an enterprise’s network infrastructure.
Supply chain and custody of code often raise concerns when suppliers, distributors, and business partners can be located anywhere around the world. When a back door or malicious code can be installed without the knowledge of the equipment vendor, how can code be protected and assured before entering the enterprise network?
There is a real and current need for independent source code and binary code analysis, coupled with proactive methods such as software diversification, which reworks the entire binary composition of an application without affecting its underlying functionality.
Many organizations do their own internal code analysis, but there could be a perceived conflict of interest in doing so. Dedicated independent verification and validation (IV&V), however, can provide software-level assurance that the network equipment being used is secure at every layer.
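The question raised above, how code can be assured before it enters the network, starts with a custody check: confirm that the firmware image you are about to deploy is byte-for-byte what the vendor published. The following is an added example, not code from the article or from any vendor, of a minimal staging gate that verifies images against a known-good manifest of SHA-256 digests. The manifest layout (`sha256sum` style), the file names, and the sample images are constructed assumptions. Note what this does and does not cover: it catches tampering or substitution in transit and unlisted files in the staging area, but it cannot detect unauthorized code that the vendor shipped unknowingly; that is the job of the independent source and binary analysis the text calls for.

```python
"""
Added example: a firmware staging gate that checks delivered images
against a known-good SHA-256 manifest. Manifest format, file names and
sample image contents are constructed for illustration.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<hex digest>  <filename>' lines (sha256sum layout); '#' lines are comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def verify_images(image_dir: str, expected: dict) -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(image_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"        # listed by the vendor, never delivered
        elif sha256_of(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"       # delivered bytes differ from the manifest
    # Anything in the staging area that the manifest does not list is also suspect.
    for name in os.listdir(image_dir):
        if name not in results:
            results[name] = "unlisted"
    return results


def build_demo() -> dict:
    """Constructed scenario: one intact image, one altered image, one missing, one unlisted."""
    good = b"FIRMWARE-IMAGE-A:" + bytes(range(256))
    altered = b"FIRMWARE-IMAGE-B:" + bytes(range(256))
    manifest = "\n".join([
        "# constructed manifest in sha256sum layout",
        f"{hashlib.sha256(good).hexdigest()}  fw-a.bin",
        f"{hashlib.sha256(altered).hexdigest()}  fw-b.bin",
        f"{'0' * 64}  fw-c.bin",  # listed but never delivered
    ])
    staging = tempfile.mkdtemp()
    with open(os.path.join(staging, "fw-a.bin"), "wb") as f:
        f.write(good)
    with open(os.path.join(staging, "fw-b.bin"), "wb") as f:
        f.write(altered + b"\x00")  # a single appended byte changes the digest
    with open(os.path.join(staging, "extra.bin"), "wb") as f:
        f.write(b"not in manifest")
    return verify_images(staging, parse_manifest(manifest))


if __name__ == "__main__":
    for name, status in sorted(build_demo().items()):
        print(f"{name:12s} {status}")
```

In practice the manifest itself must arrive over a channel independent of the images (a signed release note, the vendor's authenticated portal), otherwise an attacker who can replace the image can replace the digest with it; anything other than `ok` should block the image from leaving staging.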
By giving the same attention to the software on a network that we give to endpoint devices, we have the opportunity to significantly cut down on attacks, data loss, and downtime, saving critical information and ensuring continuity of operations.
Syed M. Hussaini is a Senior Sales & Solutions Engineer with LGS Innovations in the Products, Solutions and Applications (PSA) Group. Mr. Hussaini has over 25 years of experience in the field of Data Networking and Wireless Communications that includes software and hardware development, systems engineering, applications engineering and technical sales.