Can a website be vulnerable to a supply chain attack?
Over the last few years, as supply chain attacks have become the main type of attack used by hackers to penetrate systems, I've got a lot of questions about it ...
One of the most critical and dangerous cyberattacks that any website could be vulnerable to is the supply chain attack. These attacks are very difficult to detect and stop because they exploit the trust relationship between a supplier and its clients. So how do you prevent a supply chain attack against a website?
Here is a list of the five steps that you should follow to prevent any supply chain attack in the future:
Supply chain attacks are a trending risk for the whole world, even for big companies with advanced, mature security programs. Black hat hackers have discovered that suppliers are the weakest node in the security chain of big companies, and that's why they have started to target them. In this blog post, I will walk you through the different steps and actions you should perform to prevent a supply chain attack against your website.
A website is not always a simple application. Most modern web applications are a combination of multiple plugins, developed for many customers, that work together with your website. Those plugins may have been developed by one supplier or by several, depending on the nature of your website.
Moreover, many other services may also be used by your website. The most common ones are a writing or supervision service, or even an SEO service.
Therefore, the first step is to identify and document all the types of suppliers and the services they provide. You cannot secure what you do not even know exists. This documentation will give you a clear view of what was introduced into your website's source code.
Once you know exactly who your suppliers are, you should start studying your risk. To do that, you first need to define the risk criteria for each type of supplier: for example, which suppliers are the most important, which dependencies of your website are critical, which plugins are the most important, etc. This task will then help you define the measures for risk treatment based on good practices.
Once you finish your risk analysis you will need to monitor your supply chain risk and threats.
Unfortunately, supply chain attacks exploit the strong trust relationship that exists between a supplier and its clients. Therefore, managing this relationship is required to avoid any future supply chain attack.
To do that, here are some control points that you should put in place to
All those elements should be included in the first contract you sign with your service provider, to avoid any misunderstanding in the future. Moreover, you can also monitor the security performance of the service you get by performing regular security audits to verify adherence to the defined requirements.
You should also get a written assurance from your service providers that no hidden features or backdoors are implemented in the website, not even ones added to accelerate the development process.
In some cases, you may need to make changes to this contract (changes in technology, security requirements, etc.). To handle that, you should define the processes for managing such changes in the first contract you sign with your supplier.
Secure development is the main problem when talking about websites. Most companies still do not care, or do not have the right competencies in their development teams to deal with this aspect, especially for website development.
Therefore, first ensure that the service provider you are choosing has security experts to deal with your security requirements. Then ensure that the infrastructure used to develop and deliver your website is also secured against possible attacks.
In some cases, you can even create your own development environment and give your supplier controlled and monitored access to it to perform its development. This gives you better control over the security of the development process, but it requires a higher level of security maturity on your side. You can even create a DevSecOps environment for them; I have written a blog post about how to start one step by step.
Once the product is deployed in the test environment, you should perform a penetration test and a code review on it. Let me explain why.
First of all, a penetration test lets you check whether your service provider has respected the security requirements you defined in the contract. Moreover, an effective penetration test will help you enhance the security of your website by identifying vulnerabilities that were not specified in the contract, whether for lack of knowledge or by oversight.
A code review helps you check for possible backdoors or secret features that may give attackers access to the system. Developers often implement security bypasses to help them during debugging. Unfortunately, those bypasses are forgotten when switching to a test or production environment, which creates a sort of backdoor in your website.
Moreover, if your supplier was compromised and you were targeted by a supply chain attack, performing a code review will help you identify the malicious code before it reaches your customers' data.
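To make the "forgotten debug bypass" concrete, here is an added example (not code from the post or from any real supplier) of an authentication check with such a bypass next to the hardened version, plus a crude helper a reviewer can run over source text to find where to look. The header names, token table and sample handler source are all constructed.

```python
import hmac
import re

# Constructed example: a debug authentication bypass that a developer added for
# testing and forgot, shown beside the hardened check, plus a crude reviewer aid
# that flags such short-circuits in source text.

VALID_TOKENS = {"user-42": "constructed-token-for-user-42"}  # made-up sample data


def is_authorized_vulnerable(headers: dict) -> bool:
    """'Before' version: a leftover debug header skips authentication entirely."""
    if headers.get("X-Debug-Bypass") == "1":  # the forgotten backdoor
        return True
    expected = VALID_TOKENS.get(headers.get("X-User", ""), "")
    return hmac.compare_digest(expected.encode(), headers.get("X-Token", "").encode())


def is_authorized_hardened(headers: dict) -> bool:
    """'After' version: no bypass path at all; tests use fixture credentials instead."""
    expected = VALID_TOKENS.get(headers.get("X-User", ""))
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), headers.get("X-Token", "").encode())


# Reviewer aid: flag lines where a debug/bypass keyword sits right before an
# unconditional success return. Crude by design: it narrows where to read,
# it does not prove that no backdoor exists.
SUSPICIOUS = re.compile(r"(?i)(debug|bypass|backdoor|skip[_-]?auth|magic)")


def flag_review_lines(source: str) -> list:
    lines = source.splitlines()
    hits = []
    for i, line in enumerate(lines, start=1):
        window = " ".join(lines[i - 1:i + 1])  # this line and the next one
        if SUSPICIOUS.search(line) and re.search(r"return\s+True", window):
            hits.append((i, line.strip()))
    return hits


SAMPLE_HANDLER_SOURCE = """\
def is_authorized(headers):
    if headers.get("X-Debug-Bypass") == "1":
        return True
    return check_token(headers)
"""
```

The keyword scan is only a starting point for the manual review the post recommends; a bypass keyed on an innocuous name will not be caught by it.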
Having a good vulnerability management system is the basis of any cybersecurity program. Therefore, if your supplier takes security seriously, they will have vulnerability management based on best practices.
A vulnerability management system includes:
Vulnerability management here should cover both the supplier's network and the libraries or frameworks it works with. Vulnerabilities are discovered every day in those libraries; keeping track of them lets the supplier quickly fix a vulnerability in its clients' apps before it gets exploited.
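The library side of this can be checked mechanically. The following is an added example, not the post's code: it parses a pinned dependency manifest and reports every package still below the first fixed version of a known advisory. The package names, versions and advisory table are constructed; in practice the table would be fed from the supplier's advisories or a public vulnerability database.

```python
import re

# Constructed example: a minimal audit of a pinned dependency manifest against
# a list of advisories. The advisory table is made up for illustration.

# package -> (first fixed version, constructed summary)
ADVISORIES = {
    "examplelib": ("2.4.1", "constructed advisory: auth bypass, fixed in 2.4.1"),
    "demoparser": ("1.0.7", "constructed advisory: template RCE, fixed in 1.0.7"),
}


def parse_version(version: str) -> tuple:
    """'2.3.0' -> (2, 3, 0); numeric parts only, good enough for pinned releases."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines (comments and blanks ignored). Unpinned
    entries are rejected: you cannot audit a version you do not know."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$", line)
        if not match:
            raise ValueError(f"unpinned or malformed dependency: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def audit(manifest_text: str) -> list:
    """Return (name, pinned, fixed_in, summary) for every dependency still
    below the first fixed version of a known advisory."""
    findings = []
    for name, pinned in parse_manifest(manifest_text).items():
        if name not in ADVISORIES:
            continue
        fixed_in, summary = ADVISORIES[name]
        if parse_version(pinned) < parse_version(fixed_in):
            findings.append((name, pinned, fixed_in, summary))
    return findings


SAMPLE_MANIFEST = """\
# constructed sample manifest for a website build
examplelib==2.3.0
demoparser==1.0.7
otherpkg==0.9.2
"""
```

Running such a check on every build, and again whenever the advisory feed changes, is what turns "vulnerabilities get discovered every day" into a fix before exploitation rather than after.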
I think this is the most critical part of the supply chain, and unfortunately the most underestimated one. When the website is done and working correctly on your production server, this does not mean that you are done with it.
Most of the time, after the website goes online, many bugs are discovered as many people start to use the app. Therefore, you will need continuous support from your supplier. This means continuous patch deployment during the whole website lifecycle.
This process should be well documented and framed by a well-defined procedure. Patches should come only from the official supplier, after a series of tests in the test environment.
In some cases, when your supplier deploys a patch to the production environment, unexpected problems may happen. Therefore, having an effective rollback procedure and a well-made backup plan is necessary to keep your website live no matter what happens.
Written by: Z. Oualid
I am a Cyber Security Expert. I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).
Copyright © 2020 Getsecureworld.