A software supply chain attack is a cyber-attack that seeks to penetrate and/or damage an organization and its customers by targeting less-secure elements in its software supply chain, usually through a vulnerability, misconfiguration, or targeted attack against one of the suppliers’ products or services. The risks associated with a supply chain attack have never been higher, due to growing use and reliance on software, cloud services and applications.
The new wave of software supply chain attacks, such as the attacks on SolarWinds, Codecov and Kaseya, is taking the world by storm, costing companies tens of millions of dollars in damages. The attackers are taking advantage of the high complexity and low security within the modern software development process to cause massive damage, not only to the attacked company but also to its thousands of customers.
We talked with Eran Orzel, Argon Security Chief Revenue and Customer Officer, about this new attack vector and what enterprises need to do to defend against such supply chain attacks.
What Is The Next Big Challenge In Information Security According To Argon?
“We need to make sure software supply chain security is top of mind for the CISOs and their security leaders,” said Eran Orzel. “Attackers have found a weak link in the enterprises’ defense which provides them a way to distribute their attacks to thousands of unsuspecting customers through software updates, as happened in the SolarWinds attack. We need to prevent such supply chain attacks before the malicious code is distributed.”
According to him, Argon’s solution provides companies with holistic software supply chain security that enables them to reduce the risk and damage from such attacks.
What Problem Is Argon Trying To Solve?
Over the past few years, companies have adopted continuous integration and delivery (CI/CD) processes to automate their software supply chain process. “In a survey done by Argon of over 200 global security leaders we saw that 90% of the organizations surveyed are relying on automated processes using CI/CD tools. Based on these statistics, most organizations that develop software are a potential target for supply chain attacks. Without proper security over the software supply chain it is nearly impossible to identify and prevent such attacks before the damage is done,” said Orzel.
How Is Argon Solving That Problem?
Argon provides holistic multi-layer security for the software supply chain, preventing supply chain attacks such as the attacks on SolarWinds and Codecov, and eliminating supply chain risks from misconfigurations, vulnerabilities, and dependencies.
Helping Customers Mitigate Supply Chain Risks
Using Argon’s solution proved to be very important to one of our customers during the Codecov attack. Argon’s solution monitors and analyzes your pipeline tools and enforces security policies on the pipeline dependencies. In this case the Argon system notified the customer that the Codecov service connected to their CI pipeline was compromised and was sending out system variables and passwords on every run to the attacker’s server. Thanks to Argon the customer was able to eliminate this active risk immediately.
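The Codecov case above turns on one control: a third-party script that a CI job fetches and executes on every run was modified upstream, and a policy over pipeline dependencies caught it. The following is an added example (not Argon’s code and not the Codecov uploader) of the simplest form that policy can take: an allowlist of pipeline dependencies, each pinned to a known-good SHA-256, checked before anything fetched is executed. The script bodies, dependency names and the `coverage.example` URL are all constructed for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Return the hex SHA-256 digest of a dependency body."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the body of a third-party upload script a CI job would fetch
# and execute on every run. A real pipeline would download it; it is embedded here
# so the example runs offline.
KNOWN_GOOD_UPLOADER = (
    b"#!/bin/sh\n"
    b"# constructed sample: upload a coverage report to the vendor service\n"
    b"curl -sS -X POST https://coverage.example/upload -F report=@coverage.xml\n"
)

# Constructed tampered variant: the same script with one extra line. The check
# below does not inspect what the extra line does; any byte-level change to a
# pinned dependency fails the policy, which is the point of pinning.
TAMPERED_UPLOADER = KNOWN_GOOD_UPLOADER + b"echo tampered\n"

# Policy: allowlisted pipeline dependencies and the hash each one is pinned to.
# The pin would normally be recorded when the dependency is reviewed (or taken
# from the vendor's published checksum); here it is computed from the sample.
POLICY = {
    "coverage-uploader": sha256_hex(KNOWN_GOOD_UPLOADER),
}


def check_dependency(name: str, body: bytes, policy: dict) -> tuple:
    """Evaluate one fetched dependency against the policy.

    Returns (allowed, reason). A dependency outside the allowlist is rejected,
    and an allowlisted one is rejected when its body no longer matches the pin.
    """
    if name not in policy:
        return False, f"{name}: not in the pipeline dependency allowlist"
    actual = sha256_hex(body)
    if actual != policy[name]:
        return False, (f"{name}: integrity mismatch "
                       f"(expected {policy[name][:12]}..., got {actual[:12]}...)")
    return True, f"{name}: integrity verified"


def gate_pipeline_run(fetched: dict, policy: dict) -> list:
    """Check every dependency fetched for a job and return the violations.

    An empty list means the job may proceed; a non-empty list is the set of
    reasons the run should be blocked before any fetched dependency executes.
    """
    violations = []
    for name, body in fetched.items():
        allowed, reason = check_dependency(name, body, policy)
        if not allowed:
            violations.append(reason)
    return violations


if __name__ == "__main__":
    # Healthy run: the fetched uploader matches its pin -> no violations.
    print(gate_pipeline_run({"coverage-uploader": KNOWN_GOOD_UPLOADER}, POLICY))
    # Compromised run: the uploader was modified upstream -> the job is blocked.
    print(gate_pipeline_run({"coverage-uploader": TAMPERED_UPLOADER}, POLICY))
    # An unreviewed tool appearing in the job is blocked as well.
    print(gate_pipeline_run({"unknown-tool": b"#!/bin/sh\nexit 0\n"}, POLICY))
```

The gate runs before execution, so a modified dependency is blocked on the run where it first changes rather than noticed after it has already read the job’s environment. The cost is that every legitimate upstream update requires re-reviewing and re-pinning, which is exactly the review step a pipeline that fetches and runs unpinned scripts skips.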
“Argon covers all stages of the software supply chain process from the minute the code is committed to the source code management system until it is deployed in production. The solution protects the software supply chain infrastructure, process, users, and code from supply chain attacks, including a patent-pending Integrity module that prevents source-code tampering or manipulation during the software development and release process. Such consolidated multi-layer coverage is not available in the market today under one solution.”
Where Do You See Your Company Going In 5 Years?
“As we see companies move to the cloud and rely more on DevOps processes to automate their software delivery, their risk from the software supply chain is increasing. Argon’s mission is to continue to support our customers’ cloud journey and the DevOps revolution.
“We believe that the fast release of code should not come at the expense of security. Argon will continue to work with its customers to secure the new world of agile software development, enabling our customers to build, test and deploy software securely, ensuring trust in their software releases.”
What Is The Next Step?
Applying strong security measures over companies’ development pipelines has become a must to stop these sophisticated software supply chain attacks. This is not possible using existing point solutions with manual human intervention, as some companies operate today. It takes a purpose-built security solution that is integrated as part of the software supply chain CI/CD process to achieve real protection against this new attack vector. We invite information security officers and AppSec teams to start discussing with us how to prevent supply chain risks.