Software Supply Chain Security Services

Software supply chain security assessment services to mitigate supply chain cyber risk and build resilience against attacks and vulnerabilities.

Over the past 20 years, there has been one consistent security threat that keeps CISOs up at night: supply chain risk. With limited control or governance over their vendors’ ecosystems, managing the potential exposure and risk they present is a difficult task with significant consequences, if ignored.

Increasingly, supply chains are reported as a target for threat actors and a source of system compromise. A secure software supply chain requires meeting the following two objectives:

The software is free from vulnerabilities
The software is free from malicious code (malware)

Explore Cyber Risk

Cloud Security Services

Cyber Risk Retainer

Get a Quote

24X7 Hotline

The State of Software Supply Chain Security

Software supply chain attacks are hitting the bottom line

62% of CFOs cited attacks arising from venders as the top cause of significant cyber incidents

Approximately 70% of Applications Contain Flaws in Third-Party Code

In addition to software supply chains containing malicious code, they also face a growing number of software vulnerabilities

SBOMs Are Soon to Become More Commonplace

By 2026, 60% of organizations are expected to demand a software bill of materials (SBOM) to enhance transparency and security

1300% Increase in Threats via Open Source Software (OSS) Package Repositories

Over 11,000 malicious packages have been discovered on popular repositories like npm, PyPI, and RubyGem

Notable Software Supply Chain Incidents

MoveIt

Kroll received multiple reports that a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer was being actively exploited to gain access to MOVEit servers. Kroll observed threat actors using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion lifecycles. This vulnerability would also enable a threat actor to move laterally to other areas of the network.

The file transfer app is used by thousands of organizations around the world, making this a significant Software Supply Chain cyber incident. A number of those organizations have suffered a data breach as a result of the vulnerability, with customer and / or employee data being stolen.

Log4j

Kroll alerted clients to the Log4j vulnerability and proceeded to work with several impacted customers. Our Kroll Responder team also refined telemetry searches to identify potentially impacted instances of Log4j in association with external connections to identify applications and hosts that need the most urgent attention.

Log4shell was a vulnerability in the logging tool Log4j, which was used by millions of computers running online services globally. The software supply chain attack impacted governments, organizations and individuals.

Software Supply Chain Security is Becoming a Blackhole of Risk

Seventy-two percent of organizations consider software supply chain security to be their biggest blind spot and this is no surprise given the number of vulnerabilities being discovered daily and the sheer amount of code embedded throughout the software supply chain which could be compromised.

As supply chains grow in complexity, the risk that different code sources present increases. In general, there are three types of code sources where vulnerabilities could lie, or malicious code could be introduced:

Third-Party Code – Code That You License or Acquire

Software dependencies (libraries, frameworks, and packages)
Operating systems and installed software
Container images

Runtime and orchestration environments
Cloud services

First-Party Code – Code That You Own And Write

Proprietary software
Infrastructure-as-code

Development Platform Tools – Managing and Delivering Code

Source code management
Dependency management
CI/CD

How do Software Supply Chains Become a Risk?

Developer produces vulnerable code
Malicious actor backdoors software
Upstream supplier outage or system failure causes downstream disruptions
Unauthorized, unreviewed and untested changes, resulting in new vulnerabilities and unstable systems
Service provider system compromise resulting in a data breach

Our Approach to Securing the Software Supply Chain

Kroll can help your business identify potential gaps, weaknesses and vulnerabilities in the software supply chain, give visibility into your third-party dependencies and identify misconfigurations that can lead to supply chain compromise. For clients, we undertake two clear processes in our approach to securing the software supply chain.

Operational Review and Report

The operational review maps the technology stack used to support applications adopted across the organization against the adopted capabilities (i.e., processes, practices and technologies) that support the organization's ability to obtain and maintain visibility about threats and vulnerabilities. The accompanying report will contain a matrix depicting the current state and gaps for controls and capabilities that prevent, identify and detect software supply chain security issues. This report will also contain recommendations for improvements and to fill gaps identified.

Technical Review and Report

The technical review encompasses a configuration review of platforms used to support development (e.g. source code management, CI/CD) and a point-in-time software review to identify known vulnerable or malicious packages. The accompanying report will contain the detailed findings from the configuration review(s) and dependency scans.

Include Software Supply Chain Security Assessments in Your Cyber Risk Retainer

Our software supply chain security assessments can be delivered as part of Kroll’s ultra-flexible cyber risk retainer, along with a variety of security advisory services such as Virtual CISO (vCISO) Advisory Services, Cybersecurity Due Diligence for M&A and Application Security Services. In addition to bringing solutions together in one flexible package, the retainer allows clients to gain prioritized access to Kroll’s elite digital forensics and incident response team in the event of an incident.

Why Kroll ?

100,000+

Hours Of Offensive Security Work Per Year

3,000+

Incident Response Cases Per Year

100+

Cybersecurity Certifications

Connect with Us

Tiernan Connolly

Managing DirectorCyber and Data ResilienceDublin

Tiernan Connolly [email protected]+353 14283125

Rahul Raghavan

DirectorCyber and Data ResilienceToronto

Rahul Raghavan [email protected]

Krishna Raja

Managing DirectorCyber and Data ResilienceToronto

Krishna Raja [email protected]+1 4166433506

Stay Ahead with Kroll

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.

Learn More

Application Security Services

Kroll’s product security experts upscale your AppSec program with strategic application security services catered to your team’s culture and needs, merging engineering and security into a nimble unit.

Learn More

Cybersecurity Due Diligence Services

Evaluate the cybersecurity risks associated with business transactions.

Learn More

AI Security Testing Services

Kroll’s offensive security experts test artificial intelligence (AI), large language model (LLM) and machine learning (ML) technologies to enable systems to follow fundamental security principles and reduce risk to organizations.

Learn More

Cloud Security Services

Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.

Learn More

Cloud Penetration Testing Services

Kroll’s team of certified cloud pen testers uncover vulnerabilities in your cloud environment and apps before they can be compromised by threat actors.

Learn More

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Learn More

Microsoft 365 Security Assessment

Fortify your defenses and maximize your technology investment with a Microsoft 365 security assessment from Kroll.

Learn More

Let's solve for the future

Yes, I would like to receive periodic event invitations, reports and news from Kroll.

We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.