SOFTWARE SUPPLY CHAIN

How to Survive a State Actor's Attempt to Put a Backdoor in Your Code

Mark Maney
Head of Customer Success
March 7, 2022
Mark Maney is an accomplished customer success leader with ties to both civil and computer engineering and has overseen the product lifecycle in product management, development, implementation, and consulting roles. Outside of work, Mark can be found golfing, tinkering, or spending time with his wife, daughter, and energetic Basenji mix.

TL;DR

The threat of cyber-attacks against countries opposing the Ukraine invasion increases, putting targets on the backs of organizations in the west. White House and CISA declare US enterprises at risk – imploring companies to secure their infrastructure.  Adding to an already high-risk environment, Immediate action is needed to harden your company's production infrastructure and software supply chain. How? By deploying automated and regular analysis of your company’s development infrastructure.

{{arnica-top-signup-banner="/template-pages/try-arnica-banner"}}

Background: Understanding state actors and their motivations for backdoor attacks

Cyber-attacks targeting the U.S. and western corporate infrastructure are expected to increase this year as tensions rise in the East. With global relations continuing to decline due to Russia’s invasion of Ukraine, security experts foresee an increase in cyber threats world-wide with increased risk to organizations operating within countries that have expressed opposition to the invasion. So, if your organization has been putting off security hardening for “another day,” then today is probably that day.  


So, what makes this war different, and is there really a threat?

Russia has long been associated with cyber security threats, responsible for up to 58% of all cyber-attacks by nation-states based on Microsoft’s 2021 estimates.  Meanwhile, Russia, Belarus, and Ukraine are listed as the top 3 locations for outsourcing development talent for organizations, suggesting that developers in these countries have access to many companies source code. To be clear, this is a population of loyal and dependable professionals, which explains why 59% of organizations worldwide leverage their skills, but many internal security threats are created not through malice, but by accident. IBM estimates that up to 95% of data breaches are caused by human error, and war is guaranteed to bring distraction, if not directly applied pressure.

What does this Mean for American companies?

National security experts have been warning that the US is in a cyber war for some time now, with the complexity of attacks, and the scope of their impact increasing with each event. The threat of these attacks targeting private sector organizations increases with each sanction imposed on Russia. Recent attacks on corporate infrastructure such as the Colonial Pipeline and SolarWinds have called into question how prepared companies within the US are to prevent cyber threats, leading to a White House issued executive order to enhance U.S. Cybersecurity.  Biden, in conjunction with The Cybersecurity and Infrastructure Security Agency (CISA) issued a shield up alert for the private sector, with the first calls to action being tightening of security and improved detection of intrusion, but what actions are companies expected to take? With trusted partners in Russia, and organizations relying on Eastern European talent, blocking all traffic from Russia is simply not the solution.  

Discussions with our customers have raised two primary questions: How do we secure our company’s development stack while protecting the interest of our respected Eastern European developers? And how do we protect both our employees and company from outside influence?  


The answer is an active and behaviorally targeted security approach. Common sense approaches to security are a great start, and some simple but effective rules still hold true in the world of cybersecurity. Backdoor access is only needed when the front door is locked, and excessive permissions still make it difficult to guard all entry points of your company’s architecture, but passive security through regulation is not sufficient to defend against today’s level of sophistication in cyber threats.  
Actively monitoring your systems security with real time identification of anomalies is now a necessity, and access to immediate risk mitigation strategies while understanding what users are actually doing with their access permissions is the next step to maintaining a focused and agile cyber defense strategy.

Sign up to our social accounts below to follow our journey. We cannot wait to show you what's coming up next!

THE LATEST UPDATES

More from our blog

Guide to SCA and SAST: Secure Your Code Efficiently
Guide to SCA and SAST: Secure Your Code Efficiently
October 15, 2024
A Complete Guide: Enterprise Managed Users vs Bring Your Own Users on GitHub
A Complete Guide: Enterprise Managed Users vs Bring Your Own Users on GitHub
March 25, 2024
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
December 3, 2024

{{arnica-bottom-signup-banner="/template-pages/try-arnica-banner"}}