Shift Left in SDLC: Mitigating Software Supply Chain Attacks for Insurance Carriers
The spate of attacks carried out by exploiting a vulnerability in the MOVEit Transfer platform is a stark reminder of the risks that the software supply chain (SSC) poses in an interconnected and evolving digital landscape. According to the Kon Briefing, 2611 organizations, including insurance companies, and 85 million individuals had been affected by MOVEit attacks as of December 20, 2023. Software vendors play a crucial role in mitigating the risks associated with the software supply chain. In this blog post, we explore the importance of SSC security, the impact of SSC attacks on the insurance industry, and the necessity of secure software development to mitigate SSC risks.
The Need for Software Supply Chain Security
As insurers have stepped up their security measures to protect clients’ data, cyber-criminals have turned their focus toward software vendors and various service providers. They exploit vulnerabilities in the software vendor’s network and systems and compromise the software before it is shipped to customers. Once the tampered software reaches customers, attackers gain access to the victims’ networks and perform malicious activities such as data and financial theft, network monitoring, ransom demands, and disabling systems.
Today, software supply chains are particularly vulnerable because of the heavy reliance on off-the-shelf components in application development. Intrusion through any one of these components may have severe ramifications not only for the directly affected customers but also for the stakeholders and businesses with which those customers are interconnected. In response to the growing threat landscape, regulations are evolving to include more stringent requirements for software supply chain security. For example, US President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity in 2021, and the EU has proposed similar measures. Growing public awareness of the threat and tighter regulatory oversight, however, also motivate attackers to invest more resources in developing ever more damaging techniques.
Attacks Targeting Software Supply Chain
To fully comprehend the nature of supply chain attacks, it is essential to understand the landscape of modern application development and the associated vulnerabilities. Today’s software development involves multiple processes, tools, libraries, and people for designing, developing, deploying, and maintaining software. By compromising any one of these components or individuals, attackers may achieve their goals.
Attackers use diverse techniques and tactics to infiltrate software supply chains such as:
- Stealing credentials: Cybercriminals can access the DevOps pipeline or resources and perform nefarious activities such as stealing data, manipulating code, or deploying malicious updates using stolen account credentials.
- Hijacking updates: Threat actors can infiltrate a vendor’s network or cloud server to insert malware into an outgoing update or change it to give themselves control over the software.
- Undermining code signing: Attackers can undermine code signing by using self-signed certificates, breaking signing systems, or exploiting misconfigured account access controls. By subverting the code signing process, threat actors can hijack software updates, impersonating a trusted vendor and inserting malicious code into the updates.
- Targeting open-source components and dependencies: Cybercriminals can tamper with open-source repositories, resulting in the upload of malicious updates or packages. A single vulnerable package uploaded to a popular open-source repository can cascade into widespread vulnerabilities, affecting countless applications and systems.
- Compromising CI/CD pipelines: Attackers can infiltrate CI/CD pipelines and introduce malware into the development automation infrastructure, for example by cloning legitimate GitHub repositories.
- Typosquatting: Threat actors can upload malicious packages with small spelling mistakes to open-source code repositories to impersonate popular packages. In this way, malicious packages could be downloaded by deceived developers.
- Insider threats: Attackers can utilize employees or developers of the software vendor to achieve their goals. Developers or employees convinced by a phishing email can share their login credentials, allowing attackers to impersonate them and access the DevOps pipeline.
Impact of Supply Chain Attacks on Insurance Companies
The consequences of compromised software supply chains can be far-reaching and severe for the insurance industry. A successful supply chain attack on a carrier can result in a severe data breach that exposes policyholder information, leading to serious financial ramifications for the carrier. This may include revenue losses, lawsuits, and regulatory fines as well as damage to their reputation. Additionally, there is an increased likelihood of widespread disruptions due to the industry’s deep connection to other financial institutions and health networks. The exploitation of the MOVEit file transfer platform by the CL0p Ransomware Gang is a prime example of the damaging consequences of supply chain attacks.
MOVEit is a popular file transfer platform developed by Progress Software and used by Pension Benefit Information, LLC (PBI), a dominant player in the death audit services market. PBI assists companies in determining whether insurance policyholders, annuity contract owners, investors, and retirement plan participants are still alive. Several major life insurance companies, including Sun Life Financial Inc., Prudential Financial, New York Life Insurance Company, Genworth Financial, and Delta Dental of California, were affected by the MOVEit file transfer cyberattacks even though they were not direct customers of Progress Software. These insurance companies had only shared their clients’ data with PBI for business purposes, yet a substantial amount of their clients’ personally identifiable information (PII) was compromised. Later, in a press release, CL0p stated that it had posted all the records stolen by exploiting MOVEit on the web, which means anyone with the right skills can access that PII and use it for malicious purposes.
Challenges to Mitigate Software Supply Chain Risks
Like any other organization, insurers struggle to mitigate supply chain attacks because they lack control over suppliers, lack visibility, and have a poor understanding of what to ask their suppliers to do. Nevertheless, they need to understand the risks associated with the supply chain to maintain security and resilience. In many cases, insurers trust their software vendors and third-party service providers and may not consider checking for vulnerabilities in the software or services they purchase. Moreover, their lack of control over the vendors’ DevOps pipelines leaves them unable to take protective measures. For example, if the supplier does not follow secure software development practices, malicious code can be injected into the software during development.
In addition, identifying software vulnerabilities requires the right tools, time, and expertise, which the insurer may not have. Moreover, once the software is in production, cybercriminals can exploit a zero-day vulnerability in the interim between the time the issue is discovered and the time the vendor releases a patch.
Importance of Shifting Left in the Software Development Lifecycle
It is impossible to secure the software supply chain from outside the DevOps pipeline. Therefore, to reduce the chances of a successful software supply chain attack, software vendors must maintain a robust security posture across their infrastructure and implement adequate security measures to prevent cybercriminals from accessing the DevOps pipeline. In addition, they need to incorporate security best practices throughout the software development life cycle so that cybercriminals cannot use the software as a tool to launch downstream attacks.
Here are some measures that software vendors must take to prevent attacks on the software supply chain:
- Adhering to secure coding practices. Developers play a pivotal role in securing the software supply chain. They must adhere to secure design and coding practices such as input validation, output encoding, and parameterized queries. Additionally, they should use version control features and commit signing to track all changes made to the code with accountability to the individual developer.
- Analyzing open-source components. Software developers should scan open-source components for vulnerabilities and verify their names and sources before using them in application development, which also guards against typosquatting attacks.
- Performing security testing. Software vendors need to conduct security testing such as penetration testing in-house and by third parties following the development process.
- Implementing least privilege access. Software vendors must implement least privilege access to the DevOps pipeline to protect the code repository from unauthorized access and tampering.
- Conducting security assessments. Software vendors should perform regular security scanning throughout the entire CI/CD pipeline, from build to test to deployment.
- Securing the build environment. Software vendors must implement robust security measures for build environments, including secure access controls, continuous monitoring, and vulnerability assessments.
- Securing the code-signing process. Software vendors must adopt strong certificate management practices to ensure the security of code-signing certificates, including secure storage, two-factor authentication, and regular certificate audits.
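As an added illustration of the second measure (analyzing open-source components before use, including guarding against typosquatting), the following script is an example written for this post, not code from the original page or from any vendor mentioned in it. It checks a constructed requirements.txt against a hypothetical allowlist of vetted packages and flags names that sit within a small edit distance of an approved name as possible typosquats.

```python
import re

# Constructed allowlist of packages the vendor has vetted (hypothetical names).
APPROVED = {"requests", "urllib3", "cryptography", "pyyaml", "sqlalchemy", "colorama"}

# Constructed requirements.txt sample; the misspelled names are deliberate.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
reqeusts==2.31.0
PyYAML==6.0.1
colourama==0.4.6
evilpkg==1.0
"""

def normalize(name: str) -> str:
    """Normalize a package name the way PyPI does (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str):
    """Yield normalized names, skipping comments, blank lines and version specifiers."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            yield normalize(m.group(0))

def check_requirements(text: str, approved=APPROVED, max_distance: int = 2) -> dict:
    """Map each name to 'approved', 'typosquat?:<lookalike>' or 'unapproved'."""
    allow = {normalize(p) for p in approved}
    verdicts = {}
    for name in parse_requirements(text):
        if name in allow:
            verdicts[name] = "approved"
            continue
        closest = min(allow, key=lambda p: edit_distance(name, p))
        near = edit_distance(name, closest) <= max_distance
        verdicts[name] = f"typosquat?:{closest}" if near else "unapproved"
    return verdicts
```

Running `check_requirements(SAMPLE_REQUIREMENTS)` flags `reqeusts` and `colourama` as lookalikes of approved names and `evilpkg` as simply unapproved; in a CI gate, anything other than "approved" would fail the build pending review.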
Final Thoughts
Software supply chain attacks can rip through organizations of all sizes and industries with devastating consequences. The life insurance industry is particularly vulnerable to cyberattacks through its supply chain because of its size, its scope, and the significant amount of sensitive data it collects, manages, and stores in order to operate effectively. All parties in the value chain need to acknowledge their responsibility for ensuring the integrity of the interconnected digital ecosystem.
As a member of the value chain, Emtech Group Inc. recognizes the importance of software supply chain security and is committed to ensuring the security of its products and applications. Emtech offers customers peace of mind by implementing secure software development practices recommended by NIST and organizations such as BSA, OWASP, and SAFECode. Emtech QMT is built with secure software development practices and integrated with adequate security measures that support SOC 2 attestation and HIPAA compliance.
To book a demo, visit our site here. To read more about Quality Assurance, QMT, QMT TrueXML, and technology topics, visit our blog or our resource center.
About the Author
Ahasanun Nessa, Ph.D., specializes in cybersecurity regulation and compliance, threat detection and risk assessment, and enterprise security. Ahasanun led the analysis and integration of cybersecurity solutions into the Automotive Parts Manufacturers’ Association (APMA) Project Arrow vehicle. She is the first author of more than 20 peer-reviewed journal articles and conference papers.
