November 22, 2024 at 12:39PM
In June 2017, A.P. Møller – Maersk was crippled by NotPetya, destructive malware that emerged from the Russia-Ukraine conflict, was delivered through a trojanized update to a Ukrainian accounting software package, and caused an estimated $10 billion in damages worldwide. CISA's recent Secure by Demand guidance urges buyers to verify the security of the software they procure through independent validation and comprehensive analysis, rather than relying on questionnaires and SBOMs alone.
### Meeting Takeaways
1. **NotPetya Cyberattack Overview**:
– A.P. Møller – Maersk, which carried nearly 20% of the world's container shipping capacity, had its operations crippled by a software-borne infection in June 2017.
– NotPetya was delivered through a trojanized update of the Ukrainian accounting package M.E.Doc, so Ukraine was its initial target; it nonetheless spread worldwide and caused an estimated $10 billion in economic damage, making it the costliest cyber event to date.
2. **Shift Towards Software Supply Chain Security**:
– Since NotPetya, software supply chain attacks have become more frequent and more visible, with SolarWinds (2020) and 3CX (2023) among the most notable incidents.
– Verizon's 2024 Data Breach Investigations Report found that breaches involving a third party, including software supply chain compromises, rose 68% compared with the previous year's report.
3. **CISA’s Secure by Design and Secure by Demand Initiatives**:
– In 2023, CISA released its Secure by Design guidance, urging software producers to take ownership of their customers' security outcomes and to ship products that are secure by default.
– The 2024 Secure by Demand guidance turns to enterprise buyers, giving them the questions to ask so they can require safer commercial software products from their suppliers.
4. **Focus Areas for Software Assurance**:
– Secure by Demand highlights the assurance areas a buyer should probe: secure development practices, vulnerability tracking and disclosure, authentication (such as MFA and single sign-on), logging that provides evidence of intrusion, and software transparency (SBOMs).
– Enterprise buyers are encouraged to raise these areas directly with vendors during procurement.
5. **Limitations of Questionnaires and SBOMs**:
– Vendor questionnaires and SBOMs (Software Bills of Materials) record what a vendor says about its software; on their own they are insufficient for real software assurance, because they do not show whether the delivered software actually behaves as claimed.
– Major risks therefore remain unaddressed. NotPetya arrived as a routine vendor update from a compromised update infrastructure, so neither a questionnaire nor an SBOM for that product would have flagged it.
6. **Extended View of Supply Chain Risks**:
– Attackers increasingly target commercial software through sophisticated means, including compromising build pipelines and inserting malicious or vulnerable code into the application itself.
– The major software supply chain attacks of recent years have hit commercial software, not only open-source components.
7. **Recommendations for Enterprise Buyers**:
– Buyers should independently validate the security of the software they receive rather than relying solely on vendor assertions.
– Robust software supply chain security tooling can support this with comprehensive analysis of the delivered software and a risk assessment based on what is found.
– Proactive measures, including testing the software itself for malicious components and vulnerabilities before deployment, are essential for protecting the organization.
8. **Conclusion**:
– To manage software supply chain risk effectively, enterprise consumers must adopt a culture of verification: trust vendor claims only after checking them, and maintain robust controls over the software they bring in as these threats continue to grow.
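The verification that items 5 and 7 above call for, checking what was actually delivered instead of trusting the SBOM and questionnaire, can be partly automated. The following is an added example, not code from the original page or from CISA. It uses a constructed CycloneDX-style SBOM, constructed artifact bytes and a constructed known-bad digest list (a stand-in for a real vulnerability or malware feed), and shows that an SBOM only gives assurance when every component carries a hash that is actually checked against the delivered bytes, and that even a matching hash says nothing about whether the component is known-bad.

```python
import hashlib

# Constructed sample: the files actually delivered to the buyer.
# reporting.dll has been altered relative to the build the vendor described,
# and loader.exe was never declared in the SBOM at all.
ARTIFACTS = {
    "updater.dll":   b"legit updater build 4.2.1",
    "crypto.dll":    b"legit crypto build 1.0.0",
    "reporting.dll": b"TROJANIZED reporting build 2.3.0",
    "telemetry.dll": b"legit telemetry build 0.9.0",
    "loader.exe":    b"undeclared helper binary",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed CycloneDX-style SBOM shipped by a hypothetical vendor.
# Only the component names and SHA-256 hashes are used here.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "updater.dll", "version": "4.2.1",
         "hashes": [{"alg": "SHA-256", "content": sha256(b"legit updater build 4.2.1")}]},
        {"name": "crypto.dll", "version": "1.0.0",
         "hashes": [{"alg": "SHA-256", "content": sha256(b"legit crypto build 1.0.0")}]},
        {"name": "reporting.dll", "version": "2.3.0",
         "hashes": [{"alg": "SHA-256", "content": sha256(b"legit reporting build 2.3.0")}]},
        {"name": "telemetry.dll", "version": "0.9.0"},  # no hash declared: unverifiable
        {"name": "docs.pdf", "version": "2.3.0",        # declared but never delivered
         "hashes": [{"alg": "SHA-256", "content": sha256(b"release notes")}]},
    ],
}

# Constructed stand-in for a threat-intel / vulnerability feed keyed by digest.
KNOWN_BAD = {
    sha256(b"legit crypto build 1.0.0"): "build with a known critical vulnerability (constructed)",
}

def declared_sha256(component: dict):
    """Return the SHA-256 the SBOM declares for a component, or None."""
    for h in component.get("hashes", []):
        if h.get("alg", "").upper() == "SHA-256":
            return h["content"].lower()
    return None

def verify_sbom(sbom: dict, artifacts: dict, known_bad: dict) -> dict:
    """Map each component/artifact name to a verdict string.

    'ok' means: declared with a SHA-256, delivered, bytes match, not known-bad.
    Every other verdict is a reason the SBOM alone did not give assurance.
    """
    verdicts = {}
    declared = set()
    for comp in sbom.get("components", []):
        name = comp["name"]
        declared.add(name)
        expected = declared_sha256(comp)
        if expected is None:
            verdicts[name] = "no-hash"          # nothing to check the bytes against
            continue
        data = artifacts.get(name)
        if data is None:
            verdicts[name] = "missing-artifact"  # SBOM claims it, vendor did not ship it
            continue
        actual = sha256(data)
        if actual != expected:
            verdicts[name] = "hash-mismatch"     # delivered bytes differ from the claim
        elif actual in known_bad:
            verdicts[name] = "known-bad: " + known_bad[actual]
        else:
            verdicts[name] = "ok"
    for name in artifacts:
        if name not in declared:
            verdicts[name] = "undeclared"        # shipped but absent from the SBOM
    return verdicts

def accept(verdicts: dict) -> bool:
    """Accept the delivery only if every component and artifact is 'ok'."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())

if __name__ == "__main__":
    results = verify_sbom(SBOM, ARTIFACTS, KNOWN_BAD)
    for name, verdict in sorted(results.items()):
        print(f"{name:14s} {verdict}")
    print("ACCEPT" if accept(results) else "REJECT")
```

In the constructed sample only updater.dll passes; the other four verdicts are each a gap that the SBOM by itself would have hidden. In a real pipeline the digest feed would be a vulnerability or malware database, the SBOM's own signature would be checked before its contents are trusted, and a hash match would be the entry ticket to further analysis of the binary, not the end of it.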