HPE: Protecting Supply Chain Software from Security Attacks
Research from Checkmarx has found that 63% of security professionals from the US, Europe and Asia-Pacific have been victims of supply chain software attacks over the last two years.
Meanwhile, HPE outlines its supply chain security innovation, aiming to enhance its customers’ “trust and resilience, from edge to cloud.”
Supply chain software attacks spark concern
Checkmarx’s research found 56% of respondents indicated their organisational applications include open source code packages, with 75% expressing significant concern about the security of their software supply chains.
Nearly 60% of respondents described supply chain software as a priority, whilst 54% are planning to use, or investigating the use of, a solution.
The report also reveals that although AppSec leaders are increasingly prioritising supply chain software security, their progress remains slow.
“We have seen more attacks on the open source ecosystem in the last two years than ever before with over 385,000 malicious packages detected to date by our own Checkmarx security research team,” says Amit Daniel, Chief Marketing Officer at Checkmarx.
HPE responds to evolving threats
In response to these rising security threats, HPE created a new set of practices to ensure its software is developed to withstand any threats.
- Architectural risk analysis and threat modelling to identify, quantify, and address the security risks associated with an application.
- Reducing attack surfaces and utilising secure development best practices during software design and development.
- Static code analysis to confirm the application is free of malicious code on an ongoing basis.
- Security testing from the inside-out, conducted on all HPE software and firmware, including unit testing, solution-level integration testing, penetration testing, and vulnerability scanning.
- The company’s employees and software vendors must complete regular training on secure software development policies and requirements.
“Providing more secure products and services to our customers and helping to enable their secure operations is our priority,” adds Niysaan Vlasak, VP of Engineering and Enablement Operations at HPE.
“We believe that constantly strengthening, improving, and maintaining a more cyber resilient and secure supply chain environment is of essential value to our customers, thereby strengthening their supply chains and daily business operations.
“We will continue to invest in mitigating cybersecurity threats that may impact our products and services throughout the value chain, and we are committed to creating innovative solutions to ensure that our supply chain is more secure, resilient, and transparent.”
In addition to these measures at a development level, HPE also protects its customers through its supply chain operations:
- It maintains stringent factory controls, including access controls and physical security procedures, to prevent unauthorised access to the supply chain.
- Secure factory transmissions are established for HPE-developed and third-party applications: they are transmitted through secure channels and hosted in a secure environment that continually runs virus scans, with automatic updates applied on regularly patched systems.
- The number of its software build environments has been reduced to help minimise the opportunity for infiltration.
- Quarterly assessments of the company’s software suppliers are conducted to ensure adherence to HPE security policies and requirements.
- Software bills of materials (SBOMs) are created and maintained with secure system tools throughout the product life cycle.
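To make the SBOM point concrete, here is an added example (not HPE's or Checkmarx's code) of the two sides of the practice: building a CycloneDX-shaped SBOM that records a SHA-256 for each shipped component, then verifying a deployed set of components against it. The artifact names, versions and bytes are constructed for the example, and the SBOM layout is a minimal subset of the CycloneDX JSON fields (bomFormat, specVersion, components with name, version and hashes) rather than a complete document.

```python
"""Build a minimal CycloneDX-shaped SBOM and verify artifacts against it.

Added example, not HPE tooling. Assumptions: each component is a named blob
of bytes with a version string; the SBOM is a plain dict in a subset of the
CycloneDX JSON layout. All sample data below is constructed.
"""
import hashlib
import json

# Constructed sample: component name -> (version, bytes as they left the build)
SHIPPED_ARTIFACTS = {
    "libexample": ("1.4.2", b"example library build 1.4.2\n"),
    "firmware-updater": ("3.0.0", b"updater image v3\n"),
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes, hex-encoded as CycloneDX expects."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts: dict) -> dict:
    """Record every component with its version and SHA-256 in CycloneDX-shaped JSON."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
            }
            for name, (version, data) in sorted(artifacts.items())
        ],
    }


def verify_against_sbom(sbom: dict, artifacts: dict) -> dict:
    """Compare deployed artifacts with the SBOM.

    Returns {component: status}, where status is one of
    'ok', 'hash-mismatch', 'version-mismatch', 'missing' (listed in the SBOM
    but not deployed) or 'not-in-sbom' (deployed but never recorded).
    """
    expected = {c["name"]: c for c in sbom.get("components", [])}
    result = {}
    for name, comp in expected.items():
        if name not in artifacts:
            result[name] = "missing"
            continue
        version, data = artifacts[name]
        if version != comp.get("version"):
            result[name] = "version-mismatch"
            continue
        recorded = {h["content"] for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"}
        result[name] = "ok" if sha256_hex(data) in recorded else "hash-mismatch"
    # Anything deployed that the SBOM never listed is a provenance gap.
    for name in artifacts:
        if name not in expected:
            result[name] = "not-in-sbom"
    return result


def sbom_roundtrip(artifacts: dict) -> dict:
    """Serialise the SBOM to JSON and back, as it would be stored and shared."""
    return json.loads(json.dumps(build_sbom(artifacts)))


def demo() -> tuple:
    """Clean deployment versus a drifted one (constructed tampering scenario)."""
    sbom = sbom_roundtrip(SHIPPED_ARTIFACTS)
    clean = verify_against_sbom(sbom, SHIPPED_ARTIFACTS)
    drifted = {
        "libexample": ("1.4.2", b"example library build 1.4.2 + unexpected change\n"),
        "unlisted-tool": ("0.1", b"never recorded in the SBOM\n"),
    }
    return clean, verify_against_sbom(sbom, drifted)


if __name__ == "__main__":
    for label, report in zip(("clean", "drifted"), demo()):
        print(label, report)
```

The verifier is deliberately strict in both directions: a component the SBOM lists but cannot be found is reported as missing, and a component found on the system that the SBOM never recorded is reported as not-in-sbom. That second case is what the lack-of-provenance problem looks like in practice, and it is the one a hash-only check would silently pass over.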
Why are these threats rising?
HPE also highlights Cybersecurity Ventures’ research in the report, which estimates that, by 2025, software supply chain attacks will cost the global economy US$60bn, rising to US$138bn by 2031.
HPE identifies that the rise in these supply chain security threats is due to the increasing, widespread availability of open-source software.
This, combined with a lack of software provenance, has made software supply chains vulnerable to these cyberattacks.
Common attack pathways include code signing, software updates and open-source code, all of which can lead to damaging consequences for supply chain software providers and their customers’ businesses.
“The complexity of supply chains, built on intricate digital connections, makes them an inherent security risk,” says Oseloka Obiora, CTO of RiverSafe.
Oseloka concludes: “A supply chain is only as strong as its weakest link and if all parties aren’t monitoring and managing their security risks then each connection becomes vulnerable.”
Supply Chain Digital is a BizClik brand.