CISA, NIST Provide New Resource on Software Supply Chain Attacks
2021-04-27 11:39

The software supply chain is part of the information and communications technology supply chain framework, which represents "The network of retailers, distributors, and suppliers that participate in the sale, delivery, and production of hardware, software, and managed services," CISA and NIST explain.

Aside from the SolarWinds incident, other notorious supply chain attacks over the past several years include the CCleaner malware campaign, the MeDoc compromise leading to NotPetya, Operation ShadowHammer, the infection of IoT devices running Windows 7, and the abuse of Kaspersky Lab software to steal NSA files.

A software supply chain attack occurs when threat actors manage to compromise a vendor's environment and poison their software before it reaches customers, with the purpose of infiltrating the customers' systems.

"These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers," CISA and NIST note in a document titled Defending Against Software Supply Chain Attacks.

"Software supply chain attacks typically require strong technical aptitude and long-term commitment, so they are often difficult to execute. [...] In general, advanced persistent threat actors are more likely to have both the intent and capability to conduct the types of highly technical and prolonged software supply chain attack campaigns that may harm national security," CISA and NIST say.

Defending Against Software Supply Chain Attacks also includes recommendations for software vendors, such as implementing and following a software development life cycle and integrating a secure software development framework, so that they do not ship malicious or vulnerable software to their customers.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/tYREsdveCJM/cisa-nist-provide-new-resource-software-supply-chain-attacks