By Dr. Marc Manzano and Ryan Hurst
Securing the software supply chain has become a top priority due to high-profile breaches and increasing regulatory scrutiny. Agencies like CISA, NIST, and guidance from the White House emphasize the urgent need to address how we inventory and manage the software and services we rely on. The complexity of modern software systems and the potential for widespread impact from a single compromised component drive this growing focus. Recent incidents, such as the SolarWinds breach, the Microsoft Exchange breach, and the Log4j vulnerability, have shown how interconnected systems can be exploited. The global outage related to CrowdStrike's software update shows how a single mistake can quickly cascade across the entire global economy. Regulatory bodies globally, including the European Union through the EU Cybersecurity Act, are actively working to mitigate the supply chain issues that enable these incidents.
"The only real mistake is the one from which we learn nothing." - John Powell
As security leaders, we can’t forget a critical part of the software supply chain: the cryptography these products use and how we manage these capabilities. Implementing comprehensive standards for cryptography usage, key management, and continuous monitoring can help effectively tackle these challenges.
Modern software relies on numerous third-party libraries, open-source components, and numerous dependencies. This interconnectedness can hide vulnerabilities and create security blind spots, which is also true for the cryptography these components use. According to the Verizon Data Breach Investigations Report (DBIR), leaked credentials—often synonymous with leaked cryptographic keys—are among the most common attack vectors. These machine and workload keys, if compromised due to inadequate key management practices, can grant attackers unauthorized access to sensitive systems and data.
The lack of automated tooling to efficiently manage the myriad of software components often leaves organizations unaware of the deep security risks associated with their software dependencies. Outdated or insecure libraries, such as those using broken cryptographic algorithms or outdated protocol versions, may be integrated into critical systems. This makes it difficult to fully understand and address the risks posed by poor cryptographic practices in your software supply chains and deployments.
"Plans are nothing; planning is everything." - Dwight D. Eisenhower
Ensuring that third-party vendors adhere to modern cryptography management practices is essential for mitigating these risks. Widespread usage of weak cryptography can potentially expose the entire supply chain to catastrophic vulnerabilities. The Heartbleed bug in OpenSSL, used by many third-party providers, exposed millions of systems to data breaches, underscoring the need for cryptographic standards and monitoring for them in your supply chain. The Debian OpenSSL bug, where a change in the code led to predictable keys, affecting millions of SSL/TLS keys, highlighted how It is critical to ensure robust and secure implementations. Additionally, regulatory requirements such as HIPAA mandate the encryption of ePHI, with non-compliance leading to significant fines, as seen in the $16 million Anthem Inc. settlement. This highlights the critical need for robust cryptographic management to avoid legal repercussions and ensure compliance.
Ensuring compliance with good cryptographic management practices, robust key management, and comprehensive reporting are the first line of defense. Regular audits, integrated into procurement processes, help maintain up-to-date and effective cryptographic practices. Continuous scanning and threat intelligence feeds keep organizations ahead of emerging threats. Organizations must also stay informed about changes in industry standards and update their practices accordingly to ensure ongoing compliance. Recognizing the importance of these practices, the White House’s Executive Order on Improving the Nation’s Cybersecurity has mandated the discovery and inventory of cryptographic keys to bolster software supply chain security.
Operational Continuity is another critical aspect of securing the software supply chain. Disruptions caused by outdated certificates, cryptographic migration issues, or attacks significantly impact business operations. For example, the Microsoft Teams outage in 2020, caused by an expired certificate, demonstrated how failures in certificate management can take down business critical services. This incident highlighted the importance of maintaining robust cryptographic management practices to ensure operational resilience and reduce the risk of business disruptions.
Additionally, regulatory requirements such as the EU Cybersecurity Act and the US SEC’s 72-hour breach notice mandate organizations to promptly report and address security incidents, highlighting the need for robust cryptographic management to avoid legal repercussions and ensure compliance.
"By failing to prepare, you are preparing to fail." - Benjamin Franklin
Supply chains often involve the exchange of sensitive data and proprietary information between partners. Without modern cryptography management measures in place, it is challenging to reduce exposure to cryptographic vulnerabilities or to provide evidence for compliance within cryptography-related guidelines. The Codecov attack in 2021, where attackers manipulated scripts to exfiltrate sensitive data, highlights the necessity of secure cryptographic practices to protect intellectual property and maintain data integrity. This breach demonstrated how vulnerabilities in the supply chain could be exploited to access and steal valuable information, emphasizing the criticality of having robust cryptographic measures in place.
Implementing automated key rotation and revocation processes is essential to reduce the risk of key compromise. However, focusing on last-mile key management is equally important. This means ensuring secure key distribution and usage at the endpoint, where credentials and keys are often most vulnerable. Many organizations fall short by focusing solely on "secret sprawl"—centralizing keys and credentials but then distributing them across deployments without proper controls. This narrow focus leads to "secret spray," increasing the risk of key leakage and unauthorized access. A stark example of the consequences of inadequate last-mile key management is the Storm-0558 incident, where Chinese hackers were able to forge authentication tokens by exploiting poorly managed cryptographic keys. This breach highlighted how failures in endpoint key management can lead to significant security incidents, emphasizing the need for robust last-mile key management to close the loop on end-to-end security.
Employing tools that provide real-time monitoring and alerting for cryptographic missteps and policy violations is crucial. Advanced monitoring solutions can detect anomalies and potential breaches in real-time, allowing for swift and effective responses. Integrating cryptographic management with deployment pipelines helps ensure that any issues are identified and addressed promptly.
Requiring vendors to maintain and regularly update Software Bills of Materials (SBOMs) helps ensure transparency of all components. SBOMs provide a detailed inventory of all software components. However, they do not capture the cryptography they use, making it hard to identify and address cryptographic vulnerabilities when they become known. This is where discovery tools come into play. They help you hold vendors accountable for their security promises, discover how they use cryptography, and how you use the cryptographic capabilities of their products.
Integrating robust cryptographic management into the core processes of software development and operations is crucial for addressing these challenges. A unified cryptography management platform ensures all software components adhere to stringent cryptographic standards. This platform should automate key management, monitor cryptographic activities, and ensure compliance with industry standards and regulatory bodies.
AQtive Guard, our unified cryptography management platform, simplifies the management of cryptographic operations, reducing the burden on security teams and ensuring consistent application of security practices. By centralizing cryptographic management, organizations can gain full visibility, control, and monitoring of cryptographic assets, improving overall security posture, minimizing the risk of hidden vulnerabilities. Moreover, deploying modern cryptographic management tooling frees up security teams to focus on more strategic initiatives, improving efficiency and resource allocation. This approach allows security teams to focus on proactive measures, continuous improvement, and addressing new threats rather than full time reactive firefighting. Finally, ensuring that all cryptographic operations meet or exceed industry standards simplifies compliance. Adhering to these standards and best practices reduces the risk of regulatory fines and enhances customer trust by demonstrating a commitment to security.
Securing the software supply chain demands a proactive approach to cryptographic management. Organizations should adhere to comprehensive standards and implement robust key management practices. Maintaining detailed usage inventories, continuous monitoring, and thorough reporting are also essential.
Integrating a unified cryptography management platform like AQtive Guard further enhances security and operational efficiency, providing a strong defense against evolving threats. AQtive Guard not only automates and centralizes cryptographic practices but also simplifies security audits, turning security from a reactive process into proactive risk management activity.
To safeguard your organization and maintain stakeholder trust, start by conducting a comprehensive audit of your current cryptographic practices. Implement automated key rotation, and integrate real-time monitoring tools. Investing in robust cryptographic management is not just about compliance; it’s about building a resilient security posture that can withstand the complexities of modern software development and supply chain interactions.
