Hackers targeting tech supply chains spur security start-up boom
Cyberattacks on the digital supply chain have become increasingly common, as hackers seek out weak links among makers of computer code and equipment to breach organizations that depend on the technologies.
In 2020, for example, hackers suspected of working for Russia’s intelligence services used tampered updates from software maker SolarWinds to infiltrate nine U.S. government agencies.
Last year, hundreds of businesses were compromised with ransomware after the breach of another software provider, Kaseya.
And several months later, the discovery of a flaw in open-source software called Log4j was followed by attacks by hackers in China, Iran and North Korea.
Now, in response, a growing number of start-ups are emerging to tackle one of the industry’s hardest problems.
Global sales of technologies to secure the software development cycle were $3.7 billion last year and expected to more than double, to $9.2 billion, in 2026, said Katie Norton, a senior research analyst with IDC.
Palo Alto Networks, and Tenable Holdings were among cybersecurity companies that made acquisitions in the space last year, and Microsoft and Alphabet’s Google have released tools to help prevent attacks against software development pipelines, she said.
“There are a lot of solutions and tools emerging,” Norton said. “The combination of nascency with urgency is just really overwhelming.”
Feross Aboukhadijeh, a prolific open-source developer, said he realized early in his career how fragile the foundations of modern software were.
“It was mind-blowing to me that all these organizations were using my code-the code of a random 20-something,” he said.
Those concerns were reinforced in 2018 after open-source code maintained by a friend was hacked.
Later, Aboukhadijeh created an encrypted file-sharing program that contained more than 90% open-source code, and he realized he had no reliable way to search for vulnerabilities.
“How could we know for sure that our app was secure if we weren’t even reading any of the code?” he said. “No one had a scalable solution to the problem.”
In 2020, he started San Francisco-based Socket, which examines open-source software packages and flags potential dangers.
Kirkland, Washington-based Chainguard, whose founders come from VMware and Google, is another company trying to bring more accountability to open-source software.
Its technology creates a chain of custody, assessing the origin and trustworthiness of the code.
“People just don’t even know what they’re running and what they’re depending on in their systems,” said Kim Lewandowski, one of the founders.
An executive order that President Biden issued last year on cybersecurity was a major catalyst for the industry, including a mandate that companies selling to federal agencies provide a “software bill of materials” – the ingredients in their code, computer security experts said.
Supply-chain attacks are growing in part because operating systems and web browsers – hackers’ usual targets – are now harder to hack, said Window Snyder, who’s held senior roles at Microsoft, Apple and Intel.
At the same time, a range of connected devices, including baby monitors and smart doorbells, are proliferating with code that often suffers from basic vulnerabilities, which creates openings into personal and corporate networks, she said.
“We see a real dearth of security protections,” said Snyder, who in 2020 founded San Francisco-based Thistle Technologies Ltd., whose tools help device makers write and update their code securely.
Technology has become so complex that many organizations don’t know all the software they’re using, let alone whether it’s secure, said Renaud Feil, founder of Paris-based Synacktiv, a company that’s hired to hack into products to help fix vulnerabilities.
“In some code we’ve reviewed, the company is just writing 1% of the code base,” he said. “The rest is third-party software, framework, libraries.”
Firmware – code that controls a computer’s hardware – is another area where more attacks are being found.
Earlier this year, an Iranian firm called Amnpardaz Soft Corp. and Moscow-based Kaspersky separately published details of new firmware implants they discovered.