Tech supply chain: Hackers targeting tech supply chains are driving the rise of security startups

Cyberattacks on the digital supply chain have become increasingly common as hackers seek out weak links among manufacturers of computer code and equipment to breach tech-dependent organizations.

In 2020, for example, hackers suspected of working for Russian intelligence used fake updates from software maker SolarWinds Corp. to infiltrate nine US government agencies. Last year, hundreds of businesses were compromised by ransomware after another software vendor, Kaseya Ltd, was breached. And several months later, the discovery of a flaw in open-source software called Log4j was followed by attacks by hackers in China, Iran and North Korea.

Now, in response, a growing number of startups are emerging to tackle one of the industry’s toughest problems.

Global sales of technologies to secure the software development lifecycle totaled $3.7 billion last year and are expected to more than double to $9.2 billion in 2026, said Katie Norton, senior research analyst at IDC Corp. Palo Alto Networks Inc. and Tenable Holdings Inc. are among cybersecurity companies that made acquisitions in the space last year, and Microsoft Corp. and Alphabet Inc.’s Google have released tools to help prevent attacks on software development pipelines, she said.

“There are a lot of solutions and tools emerging,” Norton said. “The combination of birth and urgency is truly overwhelming.”

Feross Aboukhadijeh, a prolific open source developer, said he realized early in his career how shaky the foundations of modern software were. “It was mind-boggling to me that all these organizations were using my code – the code of a random twenties,” he said.

These concerns were heightened in 2018 after open-source code maintained by a friend was hacked. Later, Aboukhadijeh created an encrypted file-sharing program that was over 90% open-source code, and he realized he had no reliable way to scan for vulnerabilities.

“How could we know for sure that our application is secure if we didn’t even read the code?” he said. “No one had a scalable solution to the problem.”

In 2020, he launched San Francisco-based Socket Inc., which reviews open-source software packages and flags potential dangers.

Another company trying to bring more accountability to open source software is Chainguard Inc., based in Kirkland, Washington, whose founders come from VMware Inc. and Google. Its technology creates a chain of custody, assessing the origin and reliability of the code.

“People don’t even know what they use and what they depend on in their systems,” said Kim Lewandowski, one of the founders.

An executive order on cybersecurity that US President Joe Biden issued last year has been a major catalyst for the industry, computer security experts said. It includes a mandate requiring companies selling to federal agencies to provide a “software bill of materials” – the ingredients of their code.

Supply chain attacks are on the rise in part because operating systems and web browsers — common targets for hackers — are now harder to hack, said Window Snyder, who has held executive positions at Microsoft, Apple Inc. and Intel Corp. A range of connected devices, including baby monitors and smart doorbells, are proliferating with code that often suffers from basic vulnerabilities, creating openings in personal and corporate networks, she said.

“We’re seeing a real shortage of security protections,” said Snyder, who in 2020 founded San Francisco-based Thistle Technologies Ltd., whose tools help device makers write and update their code safely.

Technology has become so complex that many organizations don’t know all the software they use, let alone whether it’s secure, said Renaud Feil, founder of Paris-based Synacktiv, which was hired to hack products to help fix vulnerabilities.

“In some code we looked at, the company only writes 1% of the code base,” he said. “The rest is third-party software, framework, libraries.”

Firmware – code that controls a computer’s hardware – is another area where more attacks are being detected. Earlier this year, an Iranian company called Amnpardaz Soft Corp. and Moscow-based Kaspersky separately released details of new firmware implants they had discovered.

Two companies developing tools to detect firmware vulnerabilities are Portland-based Eclypsium Inc. and Pasadena, Calif.-based Binarly Inc. Cycuity, in San Jose, Calif., has created methods to inspect chip designs for security issues.

But technology alone can only go so far in preventing attacks, said Justin Cappos, an associate professor of computer science and engineering at New York University. Organizations need to “holistically look” at how their technologies are built, starting with the software, he said.

“If you can make sure the right processes are followed,” he said, “you can nip a lot of these issues in the bud.”

