Cyberattacks on the digital supply chain have become increasingly common, as hackers seek out weak links among makers of computer code and equipment to breach organizations that depend on the technologies.
In 2020, for example, hackers suspected of working for Russia’s intelligence services used tampered updates from software maker SolarWinds Corp. to infiltrate nine US government agencies. Last year, hundreds of businesses were compromised with ransomware after the breach of another software provider, Kaseya Ltd. And several months later, the discovery of a flaw in open-source software called Log4j was followed by attacks by hackers in China, Iran and North Korea.
Now, in response, a growing number of startups are emerging to tackle one of the industry’s hardest problems.
Global sales of technologies to secure the software development cycle were $3.7 billion last year and expected to more than double, to $9.2 billion, in 2026, said Katie Norton, a senior research analyst with IDC Corp. Palo Alto Networks Inc. and Tenable Holdings Inc. were among cybersecurity companies that made acquisitions in the space last year, and Microsoft Corp. and Alphabet Inc.’s Google have released tools to help prevent attacks against software development pipelines, she said.
“There are a lot of solutions and tools emerging,” Norton said. “The combination of nascency with urgency is just really overwhelming.”
Feross Aboukhadijeh, a prolific open-source developer, said he realized early in his career how fragile the foundations of modern software were. “It was mind-blowing to me that all these organizations were using my code-–the code of a random 20-something,” he said.
Those concerns were reinforced in 2018 after open-source code maintained by a friend was hacked. Later, Aboukhadijeh created an encrypted file-sharing program that contained more than 90% open-source code, and he realized he had no reliable way to search for vulnerabilities.
“How could we know for sure that our app was secure if we weren’t even reading any of the code?” he said. “No one had a scalable solution to the problem.”
In 2020, he started San Francisco-based Socket Inc., which examines open-source software packages and flags potential dangers.
Kirkland, Washington-based Chainguard Inc., whose founders come from VMware Inc. and Google, is another company trying to bring more accountability to open-source software. Its technology creates a chain of custody, assessing the origin and trustworthiness of the code.
“People just don’t even know what they’re running and what they’re depending on in their systems,” said Kim Lewandowski, one of the founders.
An executive order that US President Joe Biden issued last year on cybersecurity was a major catalyst for the industry, including a mandate that companies selling to federal agencies provide a “software bill of materials” — the ingredients in their code, computer security experts said.
Supply-chain attacks are growing in part because operating systems and web browsers — hackers’ usual targets — are now harder to hack, said Window Snyder, who’s held senior roles at Microsoft, Apple Inc. and Intel Corp. At the same time, a range of connected devices, including baby monitors and smart doorbells, are proliferating with code that often suffers from basic vulnerabilities, which creates openings into personal and corporate networks, she said.
“We see a real dearth of security protections,” said Snyder, who in 2020 founded San Francisco-based Thistle Technologies Ltd., whose tools help device makers write and update their code securely.
Technology has become so complex that many organizations don’t know all the software they’re using, let alone whether it’s secure, said Renaud Feil, founder of Paris-based Synacktiv, a company that’s hired to hack into products to help fix vulnerabilities.
“In some code we’ve reviewed, the company is just writing 1% of the code base,” he said. “The rest is third-party software, framework, libraries.”
Firmware — code that controls a computer’s hardware — is another area where more attacks are being found. Earlier this year, an Iranian firm called Amnpardaz Soft Corp. and Moscow-based Kaspersky separately published details of new firmware implants they discovered.
Two companies developing tools to detect firmware vulnerabilities include Portland-based Eclypsium Inc. and Pasadena, California-based Binarly Inc. Cycuity, in San Jose, California, has created methods to inspect chip designs to spot security problems.
But technology alone can only go so far in preventing attacks, said Justin Cappos, associate professor of computer science and engineering at New York University. Organizations need to “holistically examine” how their technologies are built, starting with software, he said.
“If you can ensure the right processes are being followed,” he said, “you can nip a lot of these problems in the bud.”