Software Supply Chain Security Services

Leverage unique DevSecOps, offensive security and incident response expertise to evaluate and harden your software supply chain security risks. Merging software development and advanced security testing techniques, our assessment identifies malicious code and vulnerabilities that may lead to a cyber incident.

Over the past 20 years, there has been one consistent security threat that keeps CISOs up at night: supply chain risk. With limited control or governance over their vendors’ ecosystems, managing the potential exposure and risk they present is a difficult task with significant consequences, if ignored.

Increasingly, supply chains are reported as a target for threat actors and a source of system compromise. A secure software supply chain requires meeting the following two objectives:

  • The software is free from vulnerabilities
  • The software is free from malicious code (malware)

The State of Software Supply Chain Security

Software supply chain attacks are hitting the bottom line

62% of CFOs cited attacks arising from vendors as the top cause of significant cyber incidents.

Approximately 70% of Applications Contain Flaws in Third-Party Code

In addition to containing malicious code, software supply chains also face a growing number of software vulnerabilities.

SBOMs Are Soon to Become More Commonplace

1300% Increase in Threats via Open Source Software (OSS) Package Repositories

Over 11,000 malicious packages have been discovered on popular repositories such as npm, PyPI and RubyGems.

Notable Software Supply Chain Incidents

MOVEit

Kroll received multiple reports that a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer was being actively exploited to gain access to MOVEit servers. Kroll observed threat actors using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion lifecycles. This vulnerability would also enable a threat actor to move laterally to other areas of the network.

The file transfer app is used by thousands of organizations around the world, making this a significant software supply chain cyber incident. A number of those organizations have suffered a data breach as a result of the vulnerability, with customer and/or employee data being stolen.

Log4j

Kroll alerted clients to the Log4j vulnerability and proceeded to work with several impacted customers. Our Kroll Responder team also refined telemetry searches to identify potentially impacted instances of Log4j in association with external connections to identify applications and hosts that need the most urgent attention.

Log4Shell was a vulnerability in the logging library Log4j, which was used by millions of computers running online services globally. The software supply chain attack impacted governments, organizations and individuals.

Software Supply Chain Security is Becoming a Black Hole of Risk

Seventy-two percent of organizations consider software supply chain security to be their biggest blind spot. This is no surprise given the number of vulnerabilities being discovered daily and the sheer amount of code embedded throughout the software supply chain that could be compromised.

As supply chains grow in complexity, the risk that different code sources present increases. In general, there are three types of code sources where vulnerabilities could lie, or malicious code could be introduced:

Third-Party Code – Code That You License or Acquire

  • Software dependencies (libraries, frameworks, and packages)
  • Operating systems and installed software
  • Container images
  • Runtime and orchestration environments
  • Cloud services

First-Party Code – Code That You Own And Write

  • Proprietary software
  • Infrastructure-as-code

Development Platform Tools – Managing and Delivering Code

  • Source code management
  • Dependency management
  • CI/CD

How do Software Supply Chains Become a Risk?

  • Developer produces vulnerable code
  • Malicious actor backdoors software
  • Upstream supplier outage or system failure causes downstream disruptions
  • Unauthorized, unreviewed and untested changes, resulting in new vulnerabilities and unstable systems
  • Service provider system compromise resulting in a data breach

Our Approach to Securing the Software Supply Chain

Kroll can help your business identify potential gaps, weaknesses and vulnerabilities in the software supply chain, give visibility into your third-party dependencies and identify misconfigurations that can lead to supply chain compromise. For clients, we undertake two clear processes in our approach to securing the software supply chain.

  • Operational Review and Report

The operational review maps the technology stack used to support applications adopted across the organization against the adopted capabilities (i.e., processes, practices and technologies) that support the organization's ability to obtain and maintain visibility of threats and vulnerabilities. The accompanying report will contain a matrix depicting the current state of, and gaps in, the controls and capabilities that prevent, identify and detect software supply chain security issues. This report will also contain recommendations for improvements and for filling the gaps identified.

  • Technical Review and Report

The technical review encompasses a configuration review of the platforms used to support development (e.g., source code management, CI/CD) and a point-in-time software review to identify known vulnerable or malicious packages. The accompanying report will contain the detailed findings from the configuration review(s) and dependency scans.
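To make the dependency-scan step concrete, here is an added illustration of a point-in-time review: a pinned dependency manifest is matched against an advisory feed of known vulnerable packages (with affected version ranges) and known malicious packages (flagged at any version). This is example code written for this page, not Kroll's tooling; every package name, version and advisory identifier below is a constructed placeholder.

```python
"""Point-in-time dependency scan against an advisory list.

Added illustration, not Kroll's tooling. The lockfile, package names,
versions and advisory identifiers are all constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lockfile in requirements.txt style (package==version).
# All package names are fictional.
SAMPLE_LOCKFILE = """\
examplehttp==2.25.1
widgetlib==1.4.0
fastcolour==0.3.2
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    kind: str                   # "vulnerable" or "malicious"
    introduced: Optional[str]   # first affected version (None = every version)
    fixed: Optional[str]        # first fixed version (None = no fix yet)
    reference: str              # placeholder identifier, not a real CVE


# Constructed advisory feed with placeholder identifiers.
ADVISORIES = [
    Advisory("widgetlib", "vulnerable", "1.0.0", "1.4.2", "ADV-PLACEHOLDER-1"),
    Advisory("fastcolour", "malicious", None, None, "ADV-PLACEHOLDER-2"),
    Advisory("examplehttp", "vulnerable", "2.0.0", "2.3.0", "ADV-PLACEHOLDER-3"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text: str) -> dict:
    """Return {package: version}. Unpinned lines are rejected, because a
    point-in-time review needs the exact version that is deployed."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """Malicious packages are flagged at any version; vulnerable ones only
    inside [introduced, fixed)."""
    if adv.kind == "malicious":
        return True
    v = parse_version(version)
    if adv.introduced and v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def scan(lock_text: str, advisories: List[Advisory] = ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (package, version, kind, reference) for every affected dependency."""
    deps = parse_lockfile(lock_text)
    findings = []
    for adv in advisories:
        ver = deps.get(adv.package.lower())
        if ver is not None and is_affected(ver, adv):
            findings.append((adv.package, ver, adv.kind, adv.reference))
    return findings


if __name__ == "__main__":
    for pkg, ver, kind, ref in scan(SAMPLE_LOCKFILE):
        print(f"{kind.upper():10} {pkg}=={ver}  ({ref})")
```

Running it on the constructed lockfile reports widgetlib 1.4.0 (inside the affected range, fix available at 1.4.2) and fastcolour (malicious at any version), while examplehttp 2.25.1 is past the fixed version and is not reported. Rejecting unpinned requirements is deliberate: a review that cannot tell which version is actually deployed cannot say whether an advisory applies.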

Include Software Supply Chain Security Assessments in Your Cyber Risk Retainer

Our software supply chain security assessments can be delivered as part of Kroll’s ultra-flexible cyber risk retainer, along with a variety of security advisory services such as Virtual CISO (vCISO) Advisory Services, Cybersecurity Due Diligence for M&A and Application Security Services. In addition to bringing solutions together in one flexible package, the retainer allows clients to gain prioritized access to Kroll’s elite digital forensics and incident response team in the event of an incident.

Why Kroll?

100,000+

Hours Of Offensive Security Work Per Year

3,000+

Incident Response Cases Per Year

100+

Cybersecurity Certifications

Talk to a Kroll Expert

Kroll is ready to help, 24x7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber hotlines or our contact page. 

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.

Application Security Services

Kroll’s product security experts upscale your AppSec program with strategic application security services catered to your team’s culture and needs, merging engineering and security into a nimble unit.

Cybersecurity Due Diligence for M&A

Pre- and post-transaction assessment can uncover costly risks.


AI Security Testing Services

AI is a rapidly evolving field and Kroll is focused on advancing the AI security testing approach for large language models (LLM) and, more broadly, AI and ML.

Cloud Security Services

Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.

Cloud Penetration Testing Services

Kroll’s team of certified cloud pen testers uncover vulnerabilities in your cloud environment and apps before they can be compromised by threat actors.


Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Microsoft 365 Security Assessment

Fortify your defenses and maximize your technology investment with a Microsoft 365 security assessment from Kroll.