A recent study revealed that more than half (56%) of organisations in Hong Kong admitted being unable to detect or stop supply chain attacks. Disruption to critical infrastructure carries serious consequences, including threats to security and greater exposure to cyber threats.
With supply chain attacks growing in number and sophistication, cybersecurity professionals need to focus on strengthening the security of their supply chains.
Supply chain cybersecurity ecosystem in APAC
Bisham Kishnani, head of Security Engineering, APAC & Japan, Check Point Software Technologies says that in APAC, challenges riddle the supply chain cybersecurity ecosystem, especially with integrating Zero Trust principles into the DevOps supply chain.
He says one of the major challenges of supply chain cybersecurity is the skills gap, particularly “a lack of expertise within teams to effectively implement Zero Trust methodologies, especially around infusing into DevSecOps.”
For the Check Point Software Technologies executive, fragmented ownership and the absence of DevSecOps roles remain challenges to supply chain security.
Different teams, such as network security, DevOps, and CISO, often possess distinct responsibilities within the supply chain, leading to disjointed approaches.
Moreover, he observes that a lot of organisations still lack DevSecOps roles, missing an opportunity to have an intermediary between various stakeholders.
Kishnani also notices the challenge of having siloed tool usage with “organisations relying on isolated tools to address supply chain vulnerabilities, addressing issues in a piecemeal fashion rather than considering the entire application lifecycle.”
Emerging challenges and threats
He mentions three highly sophisticated threats in the Asia Pacific (APAC) region: Application Programming Interface (API) based attacks, supply chain-based attacks, and repo jacking.
“This complexity arises due to the prevalent adoption of modern application frameworks, such as DevOps and microservices, in the development of new applications.
Microservices, which constitute the backbone of these frameworks, heavily rely on intercommunication through APIs, establishing new data pathways. Traditional security measures like firewalls are ill-equipped to discern and mitigate API-based attacks while conventional Web Application Firewalls (WAFs) struggle to comprehend the intricate east-west communication inherent in API interactions,” he adds.
He posits that next-generation application and API security solutions should “integrate with the ingress controller in Kubernetes environments or operate through lightweight nano agents, meticulously segregating control, data, and management planes.”
Moreover, he says that one significant risk factor lies in the reliance on public repositories for approximately 60% of code components in applications and infrastructures.
“Organisations inherently place trust in these repositories, assuming the integrity of the code retrieved. However, if a public repository succumbs to a breach and malicious code infiltrates, the entire foundation of trust is compromised. Disturbingly, widely-used public repositories frequently fall victim to compromise, with instances of key and frequently utilised codes being clandestinely cloned,” Kishnani explains.
AI and ML, double-edged swords
For Kishnani, artificial intelligence and machine learning present a double-edged sword. Despite immense benefits in automation and analysis of various processes, he believes emerging technologies are equally advantageous to cyber attackers.
Mark Ostrowski, head of Engineering U.S., East for Check Point, agrees, “My prediction for 2024 is that high impact, sophisticated attacks will hide behind the themes of AI/ML and create larger data breaches much like MOVEit and other supply chain attacks.”
Strengthening supply chain security
“As I frequently emphasise, merely adopting a ‘Shift Left’ approach is not sufficient,” Kishnani posits.
“The concept of shifting left can vary in its application, spanning from the runtime, repository, to the CI/CD pipeline levels. Instead, organisations should adopt a comprehensive platform approach, delving into what I call a ‘Deep Shift Left’,” he explains.
Kishnani says a “Deep Shift Left” means scrutinising every aspect of the code from the inception of code development. He adds that code scrutiny is not only the role of developers but also extends throughout an organisation’s pipeline to address potential vulnerabilities at any stage.
“Every line of code, irrespective of its nature, should undergo a thorough examination to ensure its integrity…Ultimately, security measures should be ingrained from the inception of both application and infrastructure development, persisting throughout the entirety of their lifecycle,” he explains.
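The two risks raised above, trust placed in artifacts pulled from public repositories and the need to check third-party code at every pipeline stage, come together in a dependency integrity gate. The following is an added example, not code from Check Point or from the article: it pins the digest of each reviewed artifact at inception and then verifies every later fetch against those pins, flagging tampered, unpinned and missing components. Package names and artifact bytes are constructed sample data.

```python
import hashlib
from typing import Dict, List

def sha256_hex(data: bytes) -> str:
    """Digest used to fingerprint a third-party artifact."""
    return hashlib.sha256(data).hexdigest()

def pin_dependencies(trusted: Dict[str, bytes]) -> Dict[str, str]:
    """Build the lockfile: record the digest of each artifact reviewed at inception."""
    return {name: sha256_hex(blob) for name, blob in trusted.items()}

def verify_fetched(lockfile: Dict[str, str], fetched: Dict[str, bytes]) -> List[str]:
    """Compare what the pipeline actually fetched against the pins.

    Returns a sorted list of findings; an empty list means the fetched set
    matches the reviewed set exactly.
    """
    findings = []
    for name, blob in fetched.items():
        expected = lockfile.get(name)
        if expected is None:
            findings.append(f"unpinned: {name}")          # never reviewed
        elif sha256_hex(blob) != expected:
            findings.append(f"digest mismatch: {name}")   # upstream changed or tampered
    for name in lockfile:
        if name not in fetched:
            findings.append(f"missing: {name}")           # pinned component dropped
    return sorted(findings)

def gate_passes(lockfile: Dict[str, str], fetched: Dict[str, bytes]) -> bool:
    """Pipeline gate: fail the build on any finding."""
    return not verify_fetched(lockfile, fetched)

# Constructed sample artifacts (hypothetical package names, not real releases).
TRUSTED = {
    "libfoo-1.2.0.tar.gz": b"reviewed foo source",
    "libbar-0.9.1.whl": b"reviewed bar wheel",
}
LOCKFILE = pin_dependencies(TRUSTED)

# Later fetch: libfoo was altered upstream, and an unreviewed package appeared.
FETCHED_TAMPERED = {
    "libfoo-1.2.0.tar.gz": b"reviewed foo source\n# injected",
    "libbar-0.9.1.whl": TRUSTED["libbar-0.9.1.whl"],
    "libbaz-3.0.0.tar.gz": b"unreviewed baz source",
}

if __name__ == "__main__":
    print("clean fetch passes:", gate_passes(LOCKFILE, dict(TRUSTED)))
    for finding in verify_fetched(LOCKFILE, FETCHED_TAMPERED):
        print("finding:", finding)
```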
Recommendations
To ensure stronger security protocols within the supply chain, Check Point recommends leveraging vendor-risk assessments to ensure the security of third-party ecosystems.
It is also vital to encourage third-party partners to adopt threat intelligence systems, or to segment the network so that third parties cannot access every network element.
In the workplace, Check Point suggests granting employees permissions only for the software required to perform their job functions, and automating threat prevention to identify threats coming from ecosystem partners.