OASIS launches initiative to standardize software supply chain information models
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.
This week: OASIS Open is launching an initiative to standardize software supply chain information models. Also: Concerns for Microsoft are rising due to a string of recent incidents and increasing scrutiny from the federal government.
This Week’s Top Story
OASIS launches initiative to standardize software supply chain information models
Members of OASIS Open, the global open source and standards organization, have formed the Open Supply Chain Information Modeling (OSIM) Technical Committee (TC) to standardize and promote information models that are crucial to software supply chain security. OSIM aims to build a framework that sits atop existing SBOM (Software Bill of Materials) formats such as CycloneDX and SPDX rather than replacing them, giving software supply chain security stakeholders a common way to describe the same information whichever format carries it. These information models are meant to aid the mitigation of vulnerabilities and disruptions, reduce security risk, and make it easier for companies to plan for needed upgrades and contingencies.
The initiative is supported by the U.S. Cybersecurity & Infrastructure Security Agency (CISA), which expects it to make automating the building blocks of software security (SBOM, Vulnerability Exploitability eXchange (VEX), and the Common Security Advisory Framework (CSAF)) easier and cheaper to implement. Across the board, implementing the information models is expected to enhance security in end-to-end operations and bring greater transparency and interoperability, resulting in better risk management and protection.
CISA’s Allan Friedman, PhD, a Senior Technical Advisor and SBOM evangelist, shared that “CISA is excited to be a part of this technical effort to bring greater visibility to the software supply chain.”
With a common framework for SBOM information models, an SBOM produced in one industry-approved format can be read and acted on by every party involved, regardless of which format each of them uses. The goal of the OSIM TC is for these information models to break down current silos in the cybersecurity world and drive software supply chain security forward.
There is no timeline yet for when the initiative will deliver its first specifications. In the meantime, the OSIM TC welcomes contributions from the broader community, and participation is open to all. (OASIS Open)
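To make the interoperability point concrete, here is an added example, not code from OASIS, the OSIM TC or ReversingLabs, that reads a CycloneDX 1.5 JSON SBOM and an SPDX 2.3 JSON SBOM, maps both onto one small format-neutral component model, and then compares the two inventories by package URL (purl). The `Component` model, the `load_sbom` and `compare` functions and both sample documents are constructed for this illustration; OSIM has not yet published a model, so nothing here should be read as its design. The JSON field names read from each document are the real CycloneDX and SPDX ones.

```python
"""Normalize CycloneDX and SPDX JSON SBOMs into one format-neutral component model.

Added illustration only: this is NOT the OSIM information model and NOT OASIS or
ReversingLabs code. The field names read from each document are the real
CycloneDX 1.x / SPDX 2.x JSON names; the Component model and the two sample
documents below are constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]
    purl: Optional[str]
    supplier: Optional[str]

    def key(self) -> str:
        # A purl is the natural cross-format join key; fall back to name@version.
        return self.purl or f"{self.name.lower()}@{self.version or ''}"


def detect_format(doc: dict) -> str:
    """Identify the SBOM format from the document's own top-level markers."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("unrecognised SBOM document")


def from_cyclonedx(doc: dict) -> list:
    out = []
    for c in doc.get("components", []):
        # CycloneDX: supplier is an object; version and purl are direct fields.
        supplier = (c.get("supplier") or {}).get("name")
        out.append(Component(c["name"], c.get("version"), c.get("purl"), supplier))
    return out


def from_spdx(doc: dict) -> list:
    out = []
    for p in doc.get("packages", []):
        # SPDX: purl lives in externalRefs; supplier is "Organization: X" or NOASSERTION.
        purl = None
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator")
                break
        supplier = p.get("supplier")
        if not supplier or supplier in ("NOASSERTION", "NONE"):
            supplier = None
        elif ":" in supplier:
            supplier = supplier.split(":", 1)[1].strip()
        out.append(Component(p["name"], p.get("versionInfo"), purl, supplier))
    return out


def load_sbom(text: str) -> list:
    """Parse an SBOM of either format into the common Component model."""
    doc = json.loads(text)
    fmt = detect_format(doc)
    return from_cyclonedx(doc) if fmt == "cyclonedx" else from_spdx(doc)


def compare(a: list, b: list) -> dict:
    """Set-compare two inventories by their format-neutral keys."""
    ka = {c.key() for c in a}
    kb = {c.key() for c in b}
    return {"only_in_a": ka - kb, "only_in_b": kb - ka, "common": ka & kb}


# Constructed sample documents (not from any real product).
SAMPLE_CYCLONEDX = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
     "supplier": {"name": "Apache Software Foundation"}},
    {"type": "library", "name": "jackson-databind", "version": "2.15.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}
  ]
}"""

SAMPLE_SPDX = """{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "constructed-example",
  "packages": [
    {"name": "log4j-core", "SPDXID": "SPDXRef-Package-log4j-core", "versionInfo": "2.17.1",
     "supplier": "Organization: Apache Software Foundation",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    {"name": "commons-text", "SPDXID": "SPDXRef-Package-commons-text", "versionInfo": "1.10.0",
     "supplier": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.apache.commons/commons-text@1.10.0"}]}
  ]
}"""


def demo() -> dict:
    """Load one SBOM of each format and diff them through the shared model."""
    return compare(load_sbom(SAMPLE_CYCLONEDX), load_sbom(SAMPLE_SPDX))


if __name__ == "__main__":
    for bucket, keys in demo().items():
        print(bucket, sorted(keys))
```

The point of the shared model is that everything after `load_sbom` (here only a set difference, in practice VEX or CSAF matching) never needs to know which format the SBOM arrived in; the purl is what lets the two inventories be joined at all, which is why missing purls are the first thing to check in a real SBOM.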
This Week’s Headlines
The software licensing disease infecting our nation's cybersecurity
The U.S. House Committee on Homeland Security, CISA, and the Cyber Safety Review Board (CSRB) have spent considerable time and resources trying to understand and address Microsoft’s numerous vulnerabilities and breaches. This article argues, however, that these bodies may have missed the fundamental cause: a lapse in market and competition policy that has allowed Microsoft to dominate the cybersecurity market. That dominance leaves companies and people stuck with insecure technology and makes Microsoft services a favored target for criminals. A software monoculture gives threat actors a single attack surface to concentrate on, raising the probability that they find and exploit a weakness. (Dark Reading)
G7 countries vow to establish collective cybersecurity framework for operational tech
U.S. National Security Advisor Jake Sullivan said in a statement last week that G7 leaders have “committed to taking critical action to strengthen the cybersecurity of the global supply chain of key technologies used to manage and operate electricity, oil, and natural gas systems across the world.” That action includes “a collective cybersecurity framework for operational technologies for both manufacturers and operators.” Attacks on energy companies, such as the ransomware attack on Colonial Pipeline in the U.S. and a variety of incidents involving energy companies in Europe, have continued to roil governments around the world and prompt regulation. (The Record)
CDK Global cyberattack impacts thousands of U.S. car dealerships
CDK Global, a leading SaaS provider for car dealerships in North America, experienced a significant cyberattack that shut down its systems. The incident, which occurred just a few days ago, left thousands of clients unable to conduct normal business operations. CDK's platform, which supports over 15,000 car dealerships, handles critical functions such as customer relationship management, financing, payroll, service, inventory, and back-office tasks. Because dealerships stay connected to CDK's platform through an always-on VPN, there are concerns that the attackers could use that link to move into the internal networks of the affected dealerships.
The company has not disclosed when its services will be restored, leaving dealerships in the dark until then. CDK has also provided limited information about the incident, confirming only that it was a "cyber incident.” The attack on CDK Global demonstrates how integral commercial software products are to a number of industries, and how damaging an attack on a SaaS product can be to every customer that depends on it. (Bleeping Computer)
Lack of visibility into APIs leaves blind spots, says new study
Salt Security’s 2024 State of API Security Report emphasizes the critical risks enterprises face due to inadequate visibility and management of APIs. Key findings reveal that 29% of respondents said their companies do not properly document API requirements, and 25% believe their APIs lack sufficient security documentation. This lack of comprehensive visibility into the API ecosystem creates significant security blind spots and hinders the identification and mitigation of vulnerabilities. Consequently, 23% of respondents reported a data breach caused by vulnerabilities in production APIs, while 38% noted some data exposure from API breaches. The study highlights how the rapid increase in API usage has expanded the attack surface available to malicious actors, and argues for an urgent strategic shift toward better developer and API security. (SC Media)
Rising exploitation in enterprise software: Key trends for CISOs
Researchers from Action1 found a notable increase in the total number of vulnerabilities across all kinds of enterprise software. macOS and iOS showed increased exploitation rates of 7% and 8%, respectively, and although macOS reduced its total vulnerability count by 29% from 2022 to 2023, its exploited vulnerabilities increased by over 30%. In 2023, Microsoft SQL Server (MSSQL) saw a 1600% surge in critical vulnerabilities, every one of them a remote code execution (RCE) flaw. The exploitation rate of Microsoft's vulnerabilities also more than tripled, climbing from 2% in 2022 to 7% in 2023, underscoring the growing threat landscape.
Additionally, there has been a concerning uptick in RCEs and in exploited vulnerabilities overall, emphasizing the need for robust edge security and prompt patching of both operating systems and third-party applications. Given delays in updates from the U.S. National Vulnerability Database (NVD), organizations are encouraged to adopt alternative sources of vulnerability intelligence to stay ahead of potential exploits. (Help Net Security)
Six ways software development platforms can reduce developer burnout
This article breaks down six key strategies that software development platforms can implement to mitigate developer burnout. Overall, the primary message is that selecting an appropriate software development platform can significantly reduce the barriers, delays, and complexities that contribute to developer burnout. The platform should inherently support high performance, security, advanced tooling, scalability, and future-proofing capabilities. By addressing these areas, a software development platform can help create a more efficient and less stressful environment for developers, ultimately reducing the risk of burnout. (DevOps)
Runtime enforcement: Software security after the supply chain ends
Though the industry is making large strides in securing the software supply chain (open source, commercial software, and so on), the defense does not end there. Software supply chain security is akin to perimeter security: it stops threat actors from getting in, but once they are in, it offers nothing further. Runtime security addresses this limitation, acting as a guard detail that protects software from interference in the cloud-native world, in production and during and beyond delivery. However, such guard details are expensive and clunky, leading many companies to forgo them. To keep making strides in cybersecurity, attention must be spent on revolutionizing these runtime guards. (Security Boulevard)
Resource Roundup
Webinar | Managing Your Commercial Software Risks
Discover the hidden dangers lurking in commercial software and learn how to effectively identify and mitigate them in this webinar, happening live on June 25th from 1pm to 2pm ET. It will delve into the shortcomings of current risk assessment methods and explore essential strategies for safeguarding your business against malware and other threats within your software supply chain. [Register Here]
White Paper | Assess & Manage Commercial Software Risk
In this white paper, learn how new regulations are targeting software supply chain security, why SBOMs and other solutions fall short of full coverage, how to identify risks before deployment, and how to ensure the ongoing tracking and monitoring of commercial software. Know when your software is malware. [Download Now]
Webinar | Assess Third-Party Software Without the Need for Source Code
In this episode of the Spectra Assure Product Spotlight Series, live on June 27th from 12pm to 1pm ET, we will go into detail on how RL Spectra Assure overcomes the limitations of traditional vendor risk assessments by deconstructing commercial applications at the binary level, exposing software supply chain threats such as malware, tampering, exposed secrets and more, all without requiring source code. [Register Here]
White Paper | Third-Party Software: Derisking Mergers & Acquisitions
In this white paper, you will learn how to comprehensively manage software supply chain risk in a step-by-step process during a merger or acquisition. This is a needed skill in today’s world, where software runs everything, including the company you want to buy. Any merger or acquisition means inheriting a new software stack, intended or not. Learn how to manage the potential risk. [Download Now]