A Month of Reckoning for SaaS software creators and consumers – Security Boulevard

[Figure: An illustration of transitive and deeply connected software supply chains]

The U.S. was caught off guard by foreign interference in the 2016 election. Given the powerful role of social media in political contests, understanding the Russian efforts was crucial in preventing or blunting similar, or more sophisticated, attacks in the 2020 congressional races. Looking back to 2016, it was far more difficult to trace Russia's experimentation on the Facebook and Twitter social networks, which essentially weaponized those platforms into engines of deception and propaganda.

Fast forward to the end of 2020 and switch context to the software supply chain domain: this `new` meltdown began on Dec. 13, when Reuters reported that nation-state hackers potentially linked to Russia had gained access to email systems at the U.S. Commerce and Treasury departments, and that the attackers infiltrated by way of SolarWinds Orion software updates.

This is not in any way similar to recalls affecting products such as automobiles, food and toys, which tend to affect a narrower supply chain.

The outcome is evidenced by shares of SolarWinds falling ~23%. By contrast, a BlackRock iShares fund of cybersecurity stocks surged nearly 10% last week and rose another 3.5% this week entering Thursday. FireEye rose this week to a 5-year high, Microsoft topped a 90-day peak and Palo Alto Networks jumped to an all-time record.

"What's the alternative?" said Venkatesh Shankar, marketing professor at Texas A&M University. "But the magnitude of this breach is not just within the software industry," he said, noting SolarWinds customers span countless industries.

Kartik Kalaignanam, a University of South Carolina marketing professor, said traders are expecting organizations will bolster their defenses even if it means purchasing services from companies that were hacked.

"Although one could argue each one of them has some sort of flaw in their system, there's a feeling there's going to be more spending happening, and the market will be pushed up overall," Kalaignanam said.

~ SOURCE: Paresh Dave, Reuters

As a vendor, this is clearly not the time to exploit the misfortune of SolarWinds, as sooner or later it could be you dealing with these circumstances. Try not to ambulance-chase or victim-shame by portraying your solution as a miracle cure for all such problems.

This can happen to any one of the software services we've authored or supply chains we've subscribed to. Besides combing through our logs and incident response data, we need to elevate this discussion and understand how software services are assessed for security during the procurement phase. Unfortunately, CIOs still rely on security questionnaires (little more than Excel spreadsheets) to assess the security posture of their vendors prior to signing MSAs. The consumer of a SaaS solution, or of services provided by an on-premise agent, has little or no understanding of the transitive supply chain of the services they procure.

In this retrospective exercise, let's attempt to understand the following:

Every executive (VPs, Directors, CxOs) of a SaaS-based company (on both the producing and the consuming side) is introspecting their own security posture in light of the SolarWinds incident. The impact is far reaching, as

"When you buy software, you're buying a matryoshka doll of various vendors' products nested inside and connected to the product [that] you think you're buying," says Joel Fulton, the former CISO of Splunk. "Your relationship is between you and your supplier's unseen tertiary pyramid. Combing through all of those pyramids is practically impossible, so CIOs will likely have to rely on random checks."

This unseen tertiary pyramid (as Joel puts it) is continuously evolving on a daily basis. Engineering teams procure new services, install new software agents and add new open source libraries/frameworks to their software stacks. Merely exporting and assessing an asset inventory at a single point in time cannot effectively quantify exposure and risk.

Today's software stack is a web of overlapping dependencies (relying on the OSS supply chain and consuming SaaS/API services). Why? Because incentives are aligned with speed and release velocity over everything else.
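To make the "unseen tertiary pyramid" and the limits of a point-in-time inventory concrete, here is an added example (not code from the original post or from ShiftLeft). It walks a constructed, lockfile-style dependency manifest to compute the full transitive closure with the depth at which each package enters, then diffs two snapshots taken a day apart. All package names are made up; the point is that a single agent update at depth 1 silently introduced two packages at depths 2 and 3 that never appear in the direct-dependency list.

```python
from collections import deque

# Constructed sample manifests (package names are hypothetical): for each
# package, the dependencies its lockfile entry declares. Day 2 differs from
# day 1 only because the vendor of "metrics-agent" shipped an update that
# pulls in a new transitive dependency.
SNAPSHOT_DAY1 = {
    "our-service": ["payments-sdk", "metrics-agent"],
    "payments-sdk": ["http-client", "json-codec"],
    "metrics-agent": ["http-client"],
    "http-client": ["tls-lib"],
    "json-codec": [],
    "tls-lib": [],
}

SNAPSHOT_DAY2 = {
    "our-service": ["payments-sdk", "metrics-agent"],
    "payments-sdk": ["http-client", "json-codec"],
    "metrics-agent": ["http-client", "remote-config"],  # new in the agent update
    "http-client": ["tls-lib"],
    "json-codec": [],
    "tls-lib": [],
    "remote-config": ["script-runner"],                 # depth 2, never listed directly
    "script-runner": [],                                # depth 3
}


def transitive_closure(graph, root):
    """Return {package: depth} for every package reachable from root.

    Depth 1 is a direct dependency; anything deeper is the part of the
    supply chain the consumer never sees in its own manifest. A visited set
    keeps the BFS terminating even if the manifest contains cycles.
    """
    depth = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    del depth[root]  # the root is our own service, not a supplier
    return depth


def diff_closures(old, new):
    """Packages that entered or left the reachable set between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


def hidden_share(depth):
    """Fraction of reachable packages that are NOT direct dependencies."""
    if not depth:
        return 0.0
    return sum(1 for d in depth.values() if d > 1) / len(depth)


if __name__ == "__main__":
    day1 = transitive_closure(SNAPSHOT_DAY1, "our-service")
    day2 = transitive_closure(SNAPSHOT_DAY2, "our-service")
    print("day 1 closure:", day1)
    print("day 2 closure:", day2)
    print("hidden share day 1: %.2f, day 2: %.2f" % (hidden_share(day1), hidden_share(day2)))
    print("changed between snapshots:", diff_closures(day1, day2))
```

Run against real lockfiles, the same two functions answer the two questions a questionnaire cannot: how much of what you actually execute is invisible in your direct-dependency list, and what changed since the last time anyone looked. The diff is only as good as the cadence at which snapshots are taken, which is the argument for running it on every build rather than once per procurement cycle.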

Borrowing from Steve Yegge's excellent post, where he drew a clear distinction between products and platforms on the basis of the Matryoshka principle:

At its simplest, a product is an application that is as good as it will ever be. A platform is an application that allows other things to be built with it, such that even its creators may be surprised by what users do with it. The easy way is to design a system using the Matryoshka (or Russian Doll) principle so that each layer is complete and perfectly suited to what the layer does, so that other layers may be built on top of or around it.

The Matryoshka principle led to the creation of many successful platform plays like Stripe, Segment, PayPal, AppDynamics, DataDog, NewRelic, SalesForce, Facebook, Google, Slack, etc. that benefited the greater good of our software ecosystem.

In an attempt to abuse this principle, Russian and other nation-state actors have now shifted their attention from social-media deception to supply-chain infiltration.

While analyzing the recent SolarWinds supply-chain attack, security researchers found a second backdoor, suggesting the involvement of another hacker group, unrelated to the suspected government-backed threat actor that compromised SolarWinds.

Tracked as Supernova, the backdoor is a memory-resident web shell injected into SolarWinds Orion code that would allow threat actors to execute arbitrary code on systems running the compromised version of Orion. The Supernova web shell was used to download, compile and execute a malicious PowerShell script (dubbed CosmicGale by some researchers).

How can we keep up with this mutation?

We at ShiftLeft have been studying and provisioning backdoor/insider detection policies using the code property graph since mid-2019. Speak to us and we can help assess and recommend more efficient processes and procedures.

A Month of Reckoning for SaaS software creators and consumers was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.


*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog on Medium, authored by Chetan Conikee. Read the original post at: https://blog.shiftleft.io/a-month-of-reckoning-for-saas-software-creators-and-consumers-da791a4189e9?source=rss----86a4f941c7da---4
