Software Supply Chain Security Services

Leverage unique DevSecOps, offensive security and incident response expertise to evaluate and harden your software supply chain security risks. Merging software development and advanced security testing techniques, our assessment identifies malicious code and vulnerabilities that may lead to a cyber incident.
Talk to a Cyber Expert

Over the past 20 years, there has been one consistent security threat that keeps CISOs up at night: supply chain risk. With limited control or governance over their vendors’ ecosystems, managing the potential exposure and risk they present is a difficult task with significant consequences, if ignored.

Increasingly, supply chains are reported as a target for threat actors and a source of system compromise. A secure software supply chain requires meeting the following two objectives:

  • The software is free from vulnerabilities
  • The software is free from malicious code (malware)

The State of Software Supply Chain Security

Software supply chain attacks are hitting the bottom line

62% of CFOs cited attacks arising from venders as the top cause of significant cyber incidents

Approximately 70% of Applications Contain Flaws in Third-Party Code

In addition to software supply chains containing malicious code, they also face a growing number of software vulnerabilities

SBOMs Are Soon to Become More Commonplace

1300% Increase in Threats via Open Source Software (OSS) Package Repositories

Over 11,000 malicious packages have been discovered on popular repositories like npm, PyPI, and RubyGem

Notable Software Supply Chain Incidents

MoveIt

Kroll received multiple reports that a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer was being actively exploited to gain access to MOVEit servers. Kroll observed threat actors using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion lifecycles. This vulnerability would also enable a threat actor to move laterally to other areas of the network.

The file transfer app is used by thousands of organizations around the world, making this a significant Software Supply Chain cyber incident. A number of those organizations have suffered a data breach as a result of the vulnerability, with customer and / or employee data being stolen.

 

Log4j

Kroll alerted clients to the Log4j vulnerability and proceeded to work with several impacted customers. Our Kroll Responder team also refined telemetry searches to identify potentially impacted instances of Log4j in association with external connections to identify applications and hosts that need the most urgent attention.

Log4shell was a vulnerability in the logging tool Log4j, which was used by millions of computers running online services globally. The software supply chain attack impacted governments, organizations and individuals.

How do Software Supply Chains Become a Risk?

  • Developer produces vulnerable code
  • Malicious actor backdoors software
  • Upstream supplier outage or system failure causes downstream disruptions
  • Unauthorized, unreviewed and untested changes, resulting in new vulnerabilities and unstable systems
  • Service provider system compromise resulting in a data breach

Our Approach to Securing the Software Supply Chain

Kroll can help your business identify potential gaps, weaknesses and vulnerabilities in the software supply chain, give visibility into your third-party dependencies and identify misconfigurations that can lead to supply chain compromise. For clients, we undertake two clear processes in our approach to securing the software supply chain.

  • Operational Review and Report

The operational review maps the technology stack used to support applications adopted across the organization against the adopted capabilities (i.e., processes, practices and technologies) that support the organization's ability to obtain and maintain visibility about threats and vulnerabilities. The accompanying report will contain a matrix depicting the current state and gaps for controls and capabilities that prevent, identify and detect software supply chain security issues. This report will also contain recommendations for improvements and to fill gaps identified.

  • Technical Review and Report

The technical review encompasses a configuration review of platforms used to support development (e.g. source code management, CI/CD) and a point-in-time software review to identify known vulnerable or malicious packages. The accompanying report will contain the detailed findings from the configuration review(s) and dependency scans.

Include Software Supply Chain Security Assessments in Your Cyber Risk Retainer

Our software supply chain security assessments can be delivered as part of Kroll’s ultra-flexible cyber risk retainer, along with a variety of security advisory services such as Virtual CISO (vCISO) Advisory Services, Cybersecurity Due Diligence for M&A and Application Security Services. In addition to bringing solutions together in one flexible package, the retainer allows clients to gain prioritized access to Kroll’s elite digital forensics and incident response team in the event of an incident.

Why Kroll ?

100,000+

Hours Of Offensive Security Work Per Year

3,000+

Incident Response Cases Per Year

100+

Cybersecurity Certifications

Talk to a Kroll Expert

Kroll is ready to help, 24x7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber hotlines or our contact page. 

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.

Application Security Services

Kroll’s product security experts upscale your AppSec program with strategic application security services catered to your team’s culture and needs, merging engineering and security into a nimble unit.

Cybersecurity Due Diligence for M&A

Pre and Post-transaction assessment can uncover costly risks.


AI Security Testing Services

AI is a rapidly evolving field and Kroll is focused on advancing the AI security testing approach for large language models (LLM) and, more broadly, AI and ML.

Cloud Security Services

Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.

Cloud Penetration Testing Services

Kroll’s team of certified cloud pen testers uncover vulnerabilities in your cloud environment and apps before they can be compromised by threat actors.


Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Microsoft 365 Security Assessment

Fortify your defenses and maximize your technology investment with a Microsoft 365 security assessment from Kroll.