Supply chain is a term you hear bantered about in the cyber security realm. Long before it became the talk of the town in cyber, it was front page news with the advent of just in time shipping. While that revolutionized manufacturing, we quickly found out that it came with some drawbacks. While it reduced the amount of inventory you had to carry both in the warehouse and on books, you also had to hope that what you got was just what you ordered. As soon as those parts were delivered, they were put into the assembly line process and product went out the door to be quickly delivered to expectant customers. This forces an implied trust in your suppliers that what they deliver is exactly what you ordered and has been thoroughly tested to ensure quality.

Often, when people think of supply chain as it relates to cyber, they think of services that integrate into your business processes, things like inventory control, order processing, travel, HR, etc. Just like in physical goods manufacturing, these services come with great benefit, often reducing cost and improving efficiency. However, just like their physical counterparts, these also come with risk. Many of the largest cyber breaches publicly reported have originated through supply chain compromise. While your company may have tightened security as much as possible, the same cannot always be said for all vendors and subcontractors. Let us not forget that one of the biggest cyber security weaknesses is the human in the loop. It often takes just a single person to miss a key indicator and next thing you know, if you’re lucky and detect it quickly, you are now in the middle of a remediation effort and if not, a PR, legal, and financial nightmare. Advanced cyber actors not only pivot throughout the victim’s infrastructure, they also pivot into any other places that connectivity takes them, such as a key customer’s network. When you are a large company with many vendors connecting into your infrastructure, the human in the loop attack surface grows exponentially.

The early days of software were just like those of manufacturing. Although applications might have included compiler libraries, most of the codebase was home grown and locally tested. Over time, the use of third-party libraries and APIs became more common. This enabled companies to focus on their core business models and not have to worry about all the underlying code and infrastructure necessary to support it. This, too, provided a great cost saving but was not without risk. Again, you are forced to trust the underlying functionality to do what it said it does and for updates to not introduce regressions. In this case, the source code was typically contained within the vendor’s infrastructure so unless they were compromised or had a malicious insider, short of a coding error things were generally safe.

We are now in the age of open-source software projects. Outside of core business logic, and even that in some cases, almost all functionality you need is available for download. A quick read through the readme.md or an internet search for a quick tutorial and you’re on your way to using someone else’s code. While it would be best to fully understand the full capabilities and implications of the complete package you downloaded, tight schedules and understaffed development teams often do not allow for that. The use of AI and coding agents makes this even easier, no research required, just a well formatted prompt will generate the code you need. (This in and of itself is the subject for another day.)

From a security perspective, there was a good probability that EDR/XDR solutions could catch malicious software supply chain code attacks. Over the past several years, we have seen a shift from applications running locally to running in the cloud. This movement to the cloud has forced a shift to applications running in the browser. As we have discussed in prior blogs, the browser is a blind spot in many security stacks. To make things worse, even if you happen to be running a MiTM decryption solution, most of the obfuscated JavaScript code will remain undetected.

“That’s OK”, you say, “we trust our online vendors to do their due diligence and ensure their applications are secure”. This is true, they will do their best but sometimes things happen. Let’s assume for a minute that’s 100% true and all your online vendors have secured their apps. Do your users ever use their corporate laptop to browse the web? Odds are that many of those site owners are not nearly as diligent or contain the technological savvy to detect malicious code. Some try their best by ensuring that their code is always up to date — well, that’s what threat actors rely on, users pulling the latest code from places like GitHub and npm repositories. Just to make matters worse, threat actors will also use typosquatting for new repository creation. Just like in spoofing a well-known domain in hopes that an unsuspecting user doesn’t catch it, they will do the same with repository library names and these repositories will support all the functionality that the legitimate repo does with the added hidden surprise of the malicious code. This means that the website developer will not realize they have the wrong repo, the code works just as it should.

Do you have software developers in your network? Or employees who like to dabble in code creation on their corporate laptops in their free time? If so, odds are they’re pulling code from somewhere. The list goes on and on — browsers and browser-based attacks are the new cyber minefield. You know the threats are out there somewhere, but you can’t see them and by the time you do, it’s often too late. It gets worse, it’s not a static minefield, the mines move dynamically so what you knew yesterday no longer applies today.

You need a security solution that is going to safely get you through this minefield unscathed. That protects you at every step, no matter the direction you take. A solution that looks at the complete picture of content in context, not just relying on code analysis or and IOCs but one that is continuously monitoring and evolving to stay a step ahead.

Conceal sees what other solutions cannot. Our zero-trust browser native SSE will help your users safely avoid the dark alleys of internet. Regardless of the starting point or where the trip ends, be it a remote destination on the internet, a trusted cloud provider, or somewhere within your corporate infrastructure, we will be with you every step of the way without the need for a VPN, proxy, or MiTM solution.