Supply Chain Attacks: Lessons from SolarWinds
In December 2020, we learned that SolarWinds Orion—a widely used IT monitoring platform—had been compromised. Attackers inserted malicious code into software updates, affecting 18,000 organizations including US government agencies. The implications for software supply chains are profound.
What Happened
The attack timeline:
- Compromise: Attackers gained access to SolarWinds’ build system
- Injection: Malicious code added to Orion software updates
- Distribution: Trojanized updates pushed to customers
- Activation: Malware activated in target networks
- Discovery: FireEye detected the breach months later
The sophistication was remarkable—the malware waited two weeks before activating and mimicked legitimate Orion traffic.
Why Supply Chain Attacks Work
Trust Relationships
Software vendor → Signs update → Customer trusts signature → Installs update
↑
Attacker inserts code here
We trust our vendors. Attackers exploit that trust.
Attack Surface Multiplication
One compromised vendor = thousands of compromised customers.
| Traditional Attack | Supply Chain Attack |
|---|---|
| 1 target | 18,000 targets |
| Custom exploit | One exploit, many victims |
| Detection likely | Months undetected |
Build System Vulnerabilities
Build systems often have:
- Broad access to source code
- Limited monitoring
- Complex dependencies
- Infrequent security reviews
The Software Bill of Materials (SBOM)
Post-SolarWinds, SBOMs gained traction:
{
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "django",
      "version": "3.2.0",
      "purl": "pkg:pypi/django@3.2.0"
    },
    {
      "name": "requests",
      "version": "2.25.1",
      "purl": "pkg:pypi/requests@2.25.1"
    }
  ]
}
Know what’s in your software. Track dependencies.
Defensive Measures
Dependency Verification
# Python: Hash verification
pip install --require-hashes -r requirements.txt
# requirements.txt with hashes
django==3.2.0 --hash=sha256:abc123...
# npm: Lockfile integrity
npm ci # Uses package-lock.json with integrity hashes
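The SBOM and the hash-pinned requirements file describe the same dependency set, so drift between them is worth checking in CI. The following is an added example, not code from the original article, that cross-checks the two for PyPI components. The urllib3 and six entries and the all-zero digests are constructed sample data, and `audit`, `parse_requirements` and `normalize` are hypothetical helper names.

```python
import json
import re

# Constructed sample inputs (not from a real project); FAKE is a placeholder digest.
FAKE = "0" * 64
SBOM = json.loads("""{"bomFormat": "CycloneDX", "components": [
  {"name": "django",   "version": "3.2.0",  "purl": "pkg:pypi/django@3.2.0"},
  {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
  {"name": "urllib3",  "version": "1.26.4", "purl": "pkg:pypi/urllib3@1.26.4"}]}""")
REQUIREMENTS = f"""\
django==3.2.0 \\
    --hash=sha256:{FAKE}
requests==2.25.0 --hash=sha256:{FAKE}
urllib3==1.26.4
six==1.15.0 --hash=sha256:{FAKE}
"""

PIN = re.compile(r"^([A-Za-z0-9._-]+)==(\S+)")

def normalize(name):  # PEP 503 normalization: 'Django' and 'django' compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Return {name: (version, has_sha256)} for exactly pinned (==) lines."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():  # fold continuations
        m = PIN.match(line.split(" #")[0].strip())
        if m:
            pins[normalize(m.group(1))] = (m.group(2), "--hash=sha256:" in line)
    return pins

def audit(sbom, requirements_text):
    """Compare the SBOM's PyPI components with the hash-pinned requirements."""
    pins, findings = parse_requirements(requirements_text), []
    comps = {normalize(c["name"]): c["version"] for c in sbom.get("components", [])
             if c.get("purl", "").startswith("pkg:pypi/")}
    for name, sbom_version in comps.items():
        version, hashed = pins.get(name, (None, False))
        if version is None:
            findings.append((name, "in SBOM but not pinned"))
        elif version != sbom_version:
            findings.append((name, f"SBOM {sbom_version} != pinned {version}"))
        elif not hashed:
            findings.append((name, "pinned without sha256 hash"))
    findings += [(n, "pinned but missing from SBOM") for n in sorted(set(pins) - set(comps))]
    return findings

if __name__ == "__main__":
    print("\n".join(f"{n}: {p}" for n, p in audit(SBOM, REQUIREMENTS)))
```

An empty result means every SBOM component is pinned to the same version with a sha256 hash and nothing extra is installed; any finding should fail the build.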
Build Reproducibility
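# Pin EVERYTHING
FROM python:3.9.1-slim-buster@sha256:abc123...
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
# Verify installed packages
# (the diff passes only if requirements.txt is the complete `pip freeze` output:
# every package, transitive ones included, pinned with == and no --hash options)
RUN pip freeze > installed.txt && \
    diff requirements.txt installed.txt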
Minimal Dependencies
# Before: 50 dependencies
import mega_framework_that_does_everything
# After: 3 dependencies
import specific_tool_for_specific_job
Each dependency is attack surface.
Private Package Repositories
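# pip.conf
[global]
index-url = https://your-private-pypi.example.com/simple/
# No extra-index-url to pypi.org: pip gives configured indexes no priority and
# installs the highest version found on any of them, so a same-named public
# package could replace an internal one. Mirror the public packages you need
# through the private index instead.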
Mirror, verify, and control package sources.
Supply Chain Security Tools
| Tool | Purpose |
|---|---|
| Sigstore/Cosign | Sign containers and artifacts |
| in-toto | Verify supply chain integrity |
| SLSA | Supply chain security framework |
| Dependabot | Dependency vulnerability alerts |
| Snyk | Security scanning |
Signing and Verification
# Sign with cosign
cosign sign --key cosign.key myregistry/myimage:v1.0
# Verify before deployment
cosign verify --key cosign.pub myregistry/myimage:v1.0
Organizational Changes
Zero Trust for Build Systems
Build System Security
- [ ] Minimal access (least privilege)
- [ ] Multi-party approval for changes
- [ ] Comprehensive logging
- [ ] Regular audits
- [ ] Isolated build environments
- [ ] Separate prod/dev build systems
Vendor Assessment
Ask vendors:
- How do you secure your build pipeline?
- Do you sign releases?
- Can you provide an SBOM?
- What’s your incident response plan?
Incident Response
Supply Chain Incident Response
1. Identify affected systems
2. Isolate compromised software
3. Assess data exposure
4. Notify stakeholders
5. Update and patch
6. Review and improve
CI/CD Pipeline Security
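# GitHub Actions with pinned actions
# A version tag can be moved to a different commit by the action's maintainers
- uses: actions/checkout@v2.4.0
# Use commit SHA instead of tags
- uses: actions/setup-python@c4e89fac7e8767b327bbad6cb4d3a57930b59f0a
# Verify before deploy (cosign.pub is the public key for the signing key used above)
- name: Verify signatures
  run: cosign verify --key cosign.pub myimage:${{ github.sha }}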
The Long-Term View
Supply chain security is now a first-class concern:
- Executive Order 14028: US government mandates SBOM
- SLSA Framework: Industry standard emerging
- Sigstore adoption: Signing becoming default
Final Thoughts
SolarWinds was a wake-up call. Supply chain attacks will continue because they’re effective.
Defense requires:
- Know your dependencies (SBOM)
- Verify everything (signatures)
- Minimize attack surface
- Assume compromise (zero trust)
The trust we place in software must be earned and verified, not assumed.
Trust, but verify. Then verify again.