How to Protect Against Software Supply Chain Attacks

What protections do you have in place to ensure that your software builds are virus-free before releasing to the public? With software supply chain attacks on the rise, it is more important than ever to ensure that your software build is not being used as an attack vector to infect your customers’ systems. If your company becomes the victim of such an attack, will your customers ever trust your software again? 

What are Software Supply Chain Attacks?

As an engineer, using middleware libraries and third-party open source components has been part of my daily job. If code is already readily available, why reinvent the wheel? There is a downside to using third-party code, however: in a software supply chain attack, attackers exploit the trust placed in a vendor to deliver malware to unsuspecting customers by inserting malicious code into third-party components or build systems.

In 2017, Cisco detected a malicious backdoor in the widely used security tool CCleaner, which infected 2.2 million customers worldwide. The attackers specifically targeted 18 companies, infecting computers in order to conduct espionage on large enterprises including Samsung, Sony, Asus, Intel, VMware and others.

The National Institute of Standards and Technology (NIST) states on its Software Supply Chain Attack information sheet that “Software supply chain attacks are particularly bothersome and insidious because they violate the basic and assumed trust between software provider and consumer.” NIST also predicts that these attacks are only likely to grow due to insufficient protection of software development and distribution channels, combined with the fact that other cyberattack paths are becoming more difficult. According to NIST, seven of these attacks were reported in 2017, as opposed to four in the period from 2014 to 2016, indicating that this type of attack is on the rise. While seven attacks in 2017 does not sound like much, keep in mind that millions of customers can be infected by a single attack.

Multi-scanning as Part of Continuous Integration (CI)

Given the danger and rise in software supply chain attacks, it is more important than ever to implement security measures that prevent releasing software with a malware payload. If software vendors are not explicitly checking for malware in each build, they could unwittingly be infecting their customers and in the process cause irretrievable harm to the company’s reputation.

MetaDefender TeamCity Plugin

To help software publishers add multi-scanning to their continuous integration (CI) pipeline, we are offering a free MetaDefender TeamCity plugin, which allows you to scan all of the binaries produced during the build step using multiple anti-malware engines. If you are not using TeamCity, you can use the MetaDefender API to integrate with your software release management system.

Here’s how it works:

Protect your reputation by checking your TeamCity builds for malware and false positive anti-virus alerts before releasing to the public using this plugin tool. You can scan your build with more than 30 anti-malware engines, not only to detect possible malware, but also to alert you if any anti-virus engines are incorrectly flagging your software or application as malicious, potentially causing harm to your reputation. 
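As an added illustration (not the plugin's own code and not the MetaDefender report format), the Python CI gate below applies the two outcomes described above to a multi-engine scan report: the build fails when several engines agree that an artifact is malicious, while a lone detection is surfaced as a probable false positive to follow up with that engine's vendor before release. The report layout, engine names and the threshold are assumptions.

```python
"""CI gate over a multi-engine scan report for each build artifact.

The report layout is constructed for this example; a real MetaDefender
report would need its own field mapping. Exit status is 0 only when
no artifact is classified as infected.
"""
import json

# Assumed policy: an artifact flagged by at least FAIL_MIN engines fails the
# build; fewer detections are reported as probable false positives to verify.
FAIL_MIN = 3


def classify(scan: dict) -> tuple[str, list[str]]:
    """Return ('clean' | 'suspect' | 'infected', sorted flagging engines)."""
    flagged = sorted(name for name, r in scan["engines"].items() if r["detected"])
    if not flagged:
        return "clean", []
    if len(flagged) >= FAIL_MIN:
        return "infected", flagged
    return "suspect", flagged  # few engines agree: likely a false positive


def gate_build(reports: dict) -> dict:
    """Aggregate per-artifact verdicts; 'release' is False if any is infected."""
    verdicts = {name: classify(scan) for name, scan in reports.items()}
    release = all(status != "infected" for status, _ in verdicts.values())
    return {"release": release, "verdicts": verdicts}


# Constructed sample report: two artifacts scanned by five hypothetical engines.
SAMPLE_REPORTS = json.loads("""{
  "installer.exe": {"engines": {
    "EngineA": {"detected": false}, "EngineB": {"detected": true, "name": "Heur.Generic"},
    "EngineC": {"detected": false}, "EngineD": {"detected": false}, "EngineE": {"detected": false}}},
  "updater.dll": {"engines": {
    "EngineA": {"detected": true, "name": "Backdoor.Sample"}, "EngineB": {"detected": true, "name": "Backdoor.Sample"},
    "EngineC": {"detected": true, "name": "Trojan.Sample"}, "EngineD": {"detected": false}, "EngineE": {"detected": false}}}
}""")

if __name__ == "__main__":
    result = gate_build(SAMPLE_REPORTS)
    for artifact, (status, engines) in result["verdicts"].items():
        print(f"{artifact}: {status} {engines}")
    raise SystemExit(0 if result["release"] else 1)
```

With the sample data, installer.exe is reported as a suspected false positive from EngineB and updater.dll fails the build on three agreeing detections.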

Instructions for installing and using the MetaDefender TeamCity Plugin can be found here.
