Software supply chain hacks escalated from mere rumours to making big headlines in the last couple of years. Recent incidents involving prominent organisations like Singapore Airlines, Singtel, Singapore’s National Trade Union Congress (NTUC), Microsoft, SolarWinds and Asus have highlighted the severity of the issue.
In Asia Pacific, more than 50% of companies have been negatively impacted by two to five cybersecurity breaches in their supply chain. Despite the large number of attacks, only 38% of firms consider software supply chain risk a key priority.
By 2025, an alarming 45% of companies worldwide will experience attacks on their software supply chains, according to a recent Gartner report. In fact, another industry report has revealed a huge 742% increase in software supply chain attacks over the past three years. No one is immune.
An evolving epidemic
Software supply chain attacks come in multiple flavours, which poses a significant challenge. Malicious actors continuously adapt, and the attacks manifest in different forms, such as code signing key theft, malware insertion into software products, and the incorporation of infected third-party software.
Even though attack techniques vary, their impact on the business does not. This impact can include loss of customer trust, reputation, revenue and/or leakage of confidential customer or corporate data. For example, the Singapore Airlines hack exposed 580,000 frequent flyer members, while SolarWinds’s malicious software infected tens of thousands of unsuspecting businesses and government agencies, including 425 of the US Fortune 500 companies, each of the top ten US telecommunication companies, and Microsoft itself.
Doctor’s prescriptions for protection
Similar to the approach taken during the COVID-19 pandemic, where multiple tools, treatments, and preventative measures were employed, organisations need to take a proactive and multi-layered approach to safeguard against software supply chain attacks and maintain customer trust.
Key prescriptions for protection include implementing robust security practices, conducting thorough risk assessments, establishing partnerships with trusted vendors, monitoring the supply chain for vulnerabilities, and ensuring regular software updates and patching.
A recommended solution involves adopting centralised and secure code signing management across the entire enterprise, regardless of where the software team is located, what programming language or platform the team uses or the type of software that the team develops (cloud-native, embedded device, mobile apps, etc.).
When one signs a piece of software, an assumption is made that the software being signed is free from bugs, malware and other vulnerabilities. But that hasn’t always been the case – SolarWinds’ software was signed with hidden malware and sold as legitimate software to more than 33,000 customers. It later became the largest software supply chain attack in history.
To avoid signing blind, software threat detection must be integrated into an organisation’s security workflows. It needs to be easily accessible to a variety of software teams developing a wide range of application types, and it should not impact software team productivity (for example, by slowing down CI/CD pipelines).
Additionally, security teams should have a single environment in which to prescribe enterprise-wide security policies, such as the code signing process policy, a policy requiring deep binary scans for threats and vulnerabilities before signing, and the creation of comprehensive Software Bills of Materials (SBOMs) to satisfy emerging regulatory requirements.
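As an added example (not DigiCert’s, ReversingLabs’ or any vendor’s code), a minimal scan-before-sign gate in Go: the signing key is used only when a scan verdict bound to the artifact’s own SHA-256 reports it clean and an SBOM accompanies the build, so a stale verdict for an earlier build or a missing scan refuses the signature instead of signing blind. The ScanVerdict and SignRequest shapes are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ScanVerdict is what a binary-analysis step reports for one artifact
// (an assumed shape for this example, not any vendor's format).
type ScanVerdict struct {
	ArtifactSHA256 string // hex digest of the bytes the scanner actually analysed
	Clean          bool   // false if malware or critical findings were reported
}

// SignRequest is what the gate must see before a signing key is touched.
type SignRequest struct {
	Artifact []byte
	Verdict  *ScanVerdict
	SBOM     []byte // e.g. a CycloneDX or SPDX document; only presence is checked
}

// ArtifactHash is the identity a verdict is bound to; signing this digest
// rather than the raw bytes lets verifiers recompute it over the shipped file.
func ArtifactHash(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// GatedSign enforces scan-before-sign: the key is used only when the verdict
// is for exactly these bytes, is clean, and an SBOM accompanies the build.
func GatedSign(priv ed25519.PrivateKey, req SignRequest) ([]byte, error) {
	switch {
	case req.Verdict == nil:
		return nil, errors.New("refusing to sign: no scan verdict attached")
	case req.Verdict.ArtifactSHA256 != ArtifactHash(req.Artifact):
		return nil, errors.New("refusing to sign: verdict covers a different artifact")
	case !req.Verdict.Clean:
		return nil, errors.New("refusing to sign: scanner reported findings")
	case len(req.SBOM) == 0:
		return nil, errors.New("refusing to sign: no SBOM attached")
	}
	return ed25519.Sign(priv, []byte(ArtifactHash(req.Artifact))), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	artifact := []byte("constructed build output") // stands in for a real binary
	fresh := &ScanVerdict{ArtifactSHA256: ArtifactHash(artifact), Clean: true}
	sig, err := GatedSign(priv, SignRequest{Artifact: artifact, Verdict: fresh, SBOM: []byte("{}")})
	fmt.Println("signed:", err == nil, "verifies:", ed25519.Verify(pub, []byte(ArtifactHash(artifact)), sig))
}
```

In a real pipeline the verdict would come from the binary-analysis step and the private key from an HSM or signing service, with the gate sitting in front of that service so no build can reach the key without passing it.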
Finally, working with a single vendor that provides both networking and security capabilities offers advantages like reduced security gaps, improved network performance, ease of deployment, and effective integration and scalability.
In addition to organisations taking a proactive approach to protecting the software supply chain, the role of industry players and regulatory bodies is crucial.
One of the latest industry developments to prevent such attacks is DigiCert’s partnership with ReversingLabs, a leader in software supply chain security. This partnership enhances software security by combining advanced binary analysis and threat detection from ReversingLabs with DigiCert’s enterprise-grade secure code signing solution.
Such industry advancements, together with government initiatives like Cyber Security Agency Singapore’s supply chain guidelines, are key to combating this looming epidemic.
The article titled “Software supply chain attacks on the rise in APAC: Unmasking the looming epidemic and prescriptions for protection” was authored by Armando Dacal, Group Vice President, APJ for DigiCert
About the author
Armando Dacal is Group Vice President, APJ for DigiCert. In this role, Armando is responsible for driving DigiCert’s profile across APJ and contributing his insights to the cybersecurity industry throughout the region. Prior to joining DigiCert, Armando held several Asia Pacific leadership roles at Tanium and Palo Alto Networks.
Armando brings more than 22 years of experience in the cyber security space, leading high-performing customer- and partner-facing organisations for successful technology vendors. He has a strong track record of leading successful commercial and operational teams around the globe.
Prior to this, Armando held a number of senior leadership roles across cybersecurity vendors including Symantec, VeriSign, and Melbourne IT.
Armando holds a BA degree in International Economics from San Diego State University. He also serves to promote and foster American and Australian business relationships in his role as Governor for the American Chamber of Commerce in Australia.