What are Supply Chain Attacks?
Falling victim to a supply chain attack exposes user data, damages brand reputation and leads to lawsuits due to noncompliance with privacy regulations. And without the right security protocols, supply chain attacks can go undetected for long periods of time. Recent research found that 93% of companies suffered a cybersecurity breach through weaknesses in their supply chain in 2021.
Types of Supply Chain Attacks
Web applications have two main components: the server and the client. The server holds the application code, stores data and processes operations. The client is the user’s browser where the web application is delivered.
To carry out supply chain attacks, cybercriminals can target the server or the client.
- In server-side supply chain attacks, cybercriminals compromise the code that runs on the server side. This allows attackers to steal stored customer or employee data, access and modify internal configurations, hijack bandwidth or intercept money transfers.
How do Supply Chain Attacks Work?
More than 99% of websites use code from third-party vendors to build their sites. Examples of this are social sharing buttons, advertising iframes, payment iframes, chatbots, analytics and metrics scripts, A/B testing scripts for experiments and helper libraries such as jQuery.
Why Are Supply Chain Attacks Difficult to Detect?
Client-side supply chain attacks can easily go undetected for several reasons.
- Frequent code changes: Third-party libraries are continually being changed and updated. Even if a script is reviewed when it is first added to a site, it does mean that subsequent modifications are secure. Over 50% of website owners state that the third-party scripts running on their web properties change four or more times every year, often without their immediate knowledge.
- Nth-party vendors: Third-party vendors may themselves obtain code from external libraries. Partners’ dependence on other partners for code may be undisclosed, lengthening the software supply chain and increasing business risk. It may be the nth-party script down the line that is vulnerable, and this can affect the entire supply chain.
- Insufficient security reviews: Developers rely on third-party code to quickly bring capabilities to market. They don’t want to be slowed down by internal processes and thus may introduce code to an application without going through the appropriate security reviews. Even if an initial review is conducted, it does not account for future code changes.
Impact of Supply Chain Attacks
Supply chain attacks negatively impact businesses in several ways.
- Damage to brand reputation and consumer trust: If your brand suffers a supply chain attack, consumers whose data was compromised will lose trust in your brand and go elsewhere. Furthermore, press coverage of the attack may dissuade new customers from choosing to engage with your company.
- Lawsuits: Consumers may file lawsuits against businesses who expose their personal data to cybercriminals in a supply chain attack. Brands are liable for any data breach on their site, including one that arises from third-party components and services that are introduced to users from a software supply chain.
- Regulatory fines: Many countries and states have enacted data privacy legislation, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Payment Card Industry Data Security Standard (PCI DSS). Businesses are liable for hefty fines if they do not comply with these regulations — even if it’s due to an attack on a third-party vendor.
- Impaired functionality: Supply chain attacks can affect a company’s ability to deliver products and services. This affects business continuity and creates data inaccuracies, making it hard for applications that use a compromised vendor to function. This results in revenue loss and a competitive disadvantage.
- Lower stock value: Your stock price may plummet following a supply chain attack, and investors may sell your stock to circumvent losses.
All in all, supply chain attacks lead to severe financial losses and consequences.
How to Prevent Supply Chain Attacks
The first step in preventing supply chain attacks is vetting your third-party code vendors. Before onboarding a new vendor, ask them detailed questions about their data security protocols and compliance with privacy regulations. Include specific security requirements and penalties for non-compliance in vendor contracts to mitigate the possibility of supply chain attacks.
Limitations of Traditional Security Solutions
Traditional cybersecurity solutions like web application firewalls (WAFs) are insufficient in protecting the client-side against client-side supply chain attacks. Some companies are placing their bets on static scanning of their site, not realizing the dynamic nature of malicious code. Solutions like sandboxing create significant hurdles in the website development process and break continuous integration and deployment cycles.
Content security policies (CSP) are often the first step for many web application security professionals. Because CSPs were originally used for protection against cross-site scripting, they need a lot of tuning. CSPs alone don’t provide any protection against a compromise of a trusted domain that can be used to inject a skimmer on the website. And with CSP, a script is either on or off. More granular control is needed to prevent data exposure with disrupting script functionality.
How Does HUMAN Prevent Supply Chain Attacks?