3 Pillars of Software Supply Chain Security


GUEST REVIEW by Lawrence Crowther, Head of Solutions Engineering, Snyk: Software supply chain attacks have accelerated in recent years, aimed at hitting organizations’ development environments.

There have been regular examples of successful attacks, including the Kaseya hack in July 2021 after an attacker was able to bypass its authentication method and inject malicious code, or the attack on SolarWinds in December 2020, impacting 18,000 customers after an attacker exploited a vulnerability in their IT. management software. In fact, these major attacks appear to be just the tip of the iceberg, with Gartner predicting that by 2025, 45% of organizations worldwide will have experienced attacks in their software supply chains, a three compared to 2021.

Why are threat actors increasingly interested in targeting this environment?

The software supply chain is the sum of all activities required by an organization to create, produce and distribute software. It can be compared to manufacturing supply chains where traditionally a variety of activities turn raw materials into finished products.

In comparison, in the software supply chain, development processes turn code and other third-party components into software, and involve development teams, tools, and processes to create, package, and deploy the application, as well than the infrastructure used to run it.

Modern software development has made the software supply chain more complex than it was just a few years ago, and therefore more difficult to protect. This growing complexity is driven by growing consumer expectations for better products and applications, rapid evolution of technology opening up new possibilities, especially around cloud technologies, shift towards CI/CD and DevOps practices, or increased use of external services when building software.

As organizations strengthen their security posture, software development and distribution channels may lack sufficient protection to match the rest of the network. Therefore, infecting software at these stages of the lifecycle with malicious code increases the chances of it going unnoticed, and thus successfully infiltrating the network. These changes and trends have resulted in extremely complex software supply chains that provide malicious actors with a larger target to attack.

Building a Framework for Software Supply Chain Security

Since this space is constantly evolving and a very active area of ​​research, various software supply chain security frameworks are offered. However, here are the three main pillars that organizations should focus on to strengthen their software supply chain security.

1. Secure your code

As a raw material and key ingredient used in the software supply chain, code integrity should be one of the fundamental steps in strengthening software supply chain security, whether developed in-house or taken from an external source.

Because it’s at the heart of the process, it’s also the hardest to secure, and there are many considerations for organizations looking to secure their code. They include identifying vulnerabilities in open source packages, securing containers, creating and maintaining a software bill of materials (SBOM), detecting flaws in client code, or using the infrastructure as a as code (IaC). Using tools capable of providing software composition analysis (SCA), source code analysis (SAST), or IaC security are options that security managers can consider to strengthen their code security postures. You should also consider securing your third-party apps that other vendors provide to you. This can be done by new emerging standards for SBOM such as SPDX and CycloneDX to inspect the hidden vulnerabilities of these products.

2. Secure your pipelines

Development workflows or pipelines represent the various tools, processes, and methodologies that turn raw materials, i.e. code, into a product. Software supply chain attacks often target this step, leveraging the fact that it can give cybercriminals access to customer resources and sensitive data.

In software supply chain, the build process or assembly line is responsible for compiling various codes into a software build. The complexity of this step can allow malicious actors to navigate their way through the required authentication and compromise the integrity of a build pipeline. For example, in October 2021, GitHub discovered that attackers had used GitHub Actions to bypass required review and push unexamined and malicious code to a protected branch. This issue has since been fixed, but highlights the importance of securing pipelines and carefully reviewing the tools and infrastructure used.

Source code management (SCM) systems are another key link in the software supply chain that attracts attackers. Because it acts as the central hub of the software development cycle, if an attacker is able to infiltrate it, they can access software source code, modify configurations, inject malicious code, hijack identify or even provision vulnerable infrastructure. Modern SCMs provide specialized functionality and configuration settings such as access policy controls and branch protection that can be leveraged to enhance security. These mechanisms are not always enabled by default and must be set explicitly.

3. DevSecOps

Development, Security, and Operations – also known as DevSecOps – refers to the integration of security practices throughout the IT lifecycle based on the cultural foundation that delivering secure software is a shared responsibility. While there are historical challenges in establishing this culture among development teams, they include many benefits that organizations should try to display again and again to achieve a true DevSecOps approach.

These include faster delivery, reduced costs, and a stronger security posture, all contributing to greater overall business success. Key elements of the model align well with a software supply chain security framework, such as integrating security as early as possible during and throughout software development, and automating testing and security validation to minimize human error. In the context of software supply chain security, DevSecOps also reduces the likelihood of an attacker compromising a development pipeline.

Conclusion

Supply chain attacks are an evolving phenomenon, as are guidelines to help mitigate the threat. However, security managers need to understand the main pillars that can help strengthen a software supply chain’s security framework to build a company’s resilience and work with other stakeholders in the development process. software to ensure that the foundations are treated.

Previous SBC Summit Barcelona 2022 Keynote Speaker Announcement
This is the most recent story.