Supply Chain Security in the Financial Sector
At CLOUDYRION, we have been selected by a leading FinTech company as a partner for IT security to adopt a security by design approach for the development of fintech services. In close collaboration with internal resources, external suppliers, and project teams, we ensured that new solutions meet the highest security standards before going live.

Initial Situation
For many years, supply chain attacks have been a major concern for cybersecurity experts, because an attack on a single supplier can trigger a chain reaction that puts an entire network of providers at risk. Malware is the predominant attack method, used in 62% of incidents. According to the ENISA report "Threat Landscape for Supply Chain Attacks," which analyzed 24 recent attacks, robust IT security of one's own is no longer enough for companies, as attackers shift their focus to suppliers. The growing impact of these attacks is evident in system downtimes, financial losses, and reputational damage. Current forecasts predict that supply chain attacks will quadruple in 2021 compared to the previous year. This emerging trend underscores the need for companies and their decision-makers to take action: new protective measures must be introduced urgently to prevent future supply chain attacks and to respond appropriately when they occur.
Development
The rising threat of malicious code injection makes it essential to secure internal code and structural dependencies, both in open-source and commercial tools. Leaks of trade secrets or other sensitive data, and code manipulation before release, are common consequences of a compromised software build and delivery pipeline. Therefore, software development leaders should collaborate with their security and risk officers to ensure the integrity of both internal and external code by enforcing strict version control. Common security recommendations include the use of artifact repositories for trusted content, managing vendor risks throughout the deployment lifecycle, and securing secrets and signing code and container images.
Application
In large development projects for software applications and services aimed at end-users, it proved to be a major challenge to coordinate the various delivery pipelines of different teams involved. Specifically, the automated detection of vulnerabilities and malicious code posed a significant challenge due to the varying levels of awareness among the different entities involved.
Supply Chain Security
The objective was to establish comprehensive supply chain security, leaving no security gaps from development to end-user that could compromise systems and processes. The intended risk management had to cover pipeline security, including all tests and tools used, as well as the security of the application at runtime. On the strength of recommendations from earlier successful engagements, the company reached out to CLOUDYRION, specialists in IT security based in Düsseldorf. The security service provider convinced with an approach that combined comprehensive consulting, technological expertise, and pragmatic, solution-oriented support for users.
Challenge
A systematic security-by-design approach was needed to ensure that software produced by numerous internal developers and suppliers was free of vulnerabilities and malware and ready for deployment to end customers. CLOUDYRION was tasked with optimizing the process from development to practical use with a focus on security, reinforcing governance to make the products safer for both end-users and enterprise customers. One key requirement was to achieve the state of Minimum Valuable Security within three months.
Challenges included:
- Technological diversity, ensuring full functionality in a hybrid cloud environment
- Rapid software release cycles and insufficient pipeline guardrails for application code and Infrastructure-as-Code
- Geographical distance between teams
- Compliance requirements (GDPR and PCI-DSS)
- Insecure and highly segmented Continuous Integration/Continuous Delivery (CI/CD) tools
Solution
The process began with a detailed threat assessment. Together with the teams involved, CLOUDYRION identified potential attack vectors, attackers, and risk scenarios. Critical interfaces between the client and suppliers were thoroughly examined, including:
- Single Sign-On integration
- Intrusion prevention systems (IPS)
- Web application firewalls
- Identity & user access management: Assigning access rights and maintaining consistent role distribution for users
- Certifications such as ISO, PCI-DSS, etc.
Based on these findings, the security infrastructure design was adjusted, and appropriate measures were implemented to effectively eliminate the identified threats. Early on, the tight project timeline proved to be particularly challenging. With the start of the security-by-design process, the iterative implementation of key project steps accelerated, ensuring that a secure and compliant go-live could be achieved within the three-month deadline.
During the project, the client decided to extend the process beyond the minimum requirements to continuously reduce the attack surface and gradually increase security maturity. The key tasks for CLOUDYRION included:
- Developing a joint strategy with the client, defining and scheduling objectives
- Providing targeted support to teams in integrating software composition analysis (SCA), dynamic application security testing (DAST), or interactive application security testing (IAST) into their pipelines and in interpreting the results correctly
- Designing detailed processes for the development phase, including the definition of risk-based pipelines (guardrails)
- Recommending a trusted container registry/software code repository approach to avoid the complexity of too many tools with similar functions. Centralization with approved tools led to standardized and controlled deployments.
- Hardening the CI/CD environment regarding security
- Evaluating the security level of external software suppliers
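As an added illustration of the trusted-registry and risk-based guardrail recommendations above (example code written for this page, not CLOUDYRION's or the client's tooling), the following Python check rejects a deployment whose container images do not come from an approved registry, are not pinned by digest, or rely on a mutable tag. The registry allow-list and the sample image references are constructed for the example.

```python
import re

# Constructed allow-list of registries/namespaces approved for deployment.
TRUSTED_PREFIXES = ("registry.example.internal/", "ghcr.io/example-org/")


def parse_image(ref: str):
    """Split 'name[:tag][@sha256:hex]' into (name, tag, digest)."""
    name, digest = (ref.split("@", 1) + [None])[:2]
    tag = None
    # A ':' belongs to a tag only if no '/' follows it (otherwise it is a registry port).
    if ":" in name and "/" not in name.rsplit(":", 1)[1]:
        name, tag = name.rsplit(":", 1)
    if digest is not None and not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError(f"malformed digest in {ref!r}")
    return name, tag, digest


def normalize_name(name: str) -> str:
    """Prepend the implicit Docker Hub registry to short names such as 'nginx'."""
    first = name.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return name
    return "docker.io/" + name


def check_image(ref: str) -> list[str]:
    """Return guardrail violations for one image reference (empty list = allowed)."""
    try:
        name, tag, digest = parse_image(ref)
    except ValueError as e:
        return [str(e)]
    name = normalize_name(name)
    problems = []
    if not name.startswith(TRUSTED_PREFIXES):
        problems.append(f"{ref}: registry not in trusted list")
    if digest is None:
        problems.append(f"{ref}: not pinned by digest, contents can change under the same tag")
    if tag in (None, "latest") and digest is None:
        problems.append(f"{ref}: mutable tag 'latest' or no tag")
    return problems


def gate_manifest(images: list[str]) -> tuple[bool, list[str]]:
    """Pipeline guardrail: allow the deployment only if every image passes."""
    problems = [p for ref in images for p in check_image(ref)]
    return (not problems, problems)


# Constructed sample: image references as they would appear in a deployment manifest.
SAMPLE_IMAGES = [
    "registry.example.internal/payments/api:1.4.2@sha256:" + "a" * 64,
    "nginx:latest",
    "ghcr.io/example-org/worker:2.0",
]
```

Running `gate_manifest(SAMPLE_IMAGES)` blocks the deployment: only the first image is both from a trusted registry and pinned by digest.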
Outlook
In line with the company's requirements, CLOUDYRION continued to provide advisory services beyond the three-month period after go-live. This long-term support proved beneficial, especially as the security consultants had equipped the users with the know-how needed to handle common runtime questions independently. As a result, CLOUDYRION was consulted mainly for exceptional issues, such as the selection and implementation of an enterprise SCA solution that had previously been absent. This strategic approach has proven effective and is recommended for future projects, even beyond the scope of supply chain security.