Securing your software supply chain

Organisations need to have a thorough understanding of software components and build security controls into development lifecycles to shore up the security of their software supply chains

The rise of cyber attacks against software companies such as SolarWinds and the discovery of security vulnerabilities in popular open source software like Log4j used in critical systems have cast the spotlight on the security of software supply chains in recent years.

Following the SolarWinds and Log4j incidents, organisations in Asia-Pacific (APAC) have become more aware of the risks to their software supply chains and are taking concrete steps to mitigate them, says Kelvin Lim, director of sales engineering in APAC at Synopsys’s software integrity group.

But it’s not just those two incidents that have been driving awareness. Francis Ofungwu, global field chief information security officer at GitLab, says growing pressure to comply with standards bodies and government mandates is also pushing companies to take more steps to secure their software supply chain amid growing cloud adoption.

“There’s a direct correlation between the rise in adoption of cloud-native platforms and automation in APAC, and the increase in software supply chain threats and vulnerabilities,” he says. “As more organisations in the region seek to invest in digital transformation as a response to the restrictions of physical supply chains created by the pandemic, the importance of securing these digital assets has increased.”

Guna Chellappan, Red Hat’s Singapore general manager, notes that the software supply chain comprises everything and everyone that touches the code in the software development lifecycle, from application development to continuous integration and continuous delivery (CI/CD).

“It also encompasses the how, what and who is involved in software development,” says Chellappan. “In that aspect, software supply chain security takes in the best practices from risk management and cyber security to help protect the software supply chain from potential vulnerabilities that occur across hardware, software and the people involved in building the software.”

And at each stage of the software supply chain, potential vulnerabilities must be identified and addressed. Lim says this includes safeguarding the source code’s security, verifying the authenticity of third-party components, and safeguarding against cyber threats during software distribution and implementation.

Software supply chain security also applies to companies that do not develop their own applications but embed third-party applications into their products.

Reducing software supply chain risks

Citing findings from Google’s State of DevOps report, Ofungwu notes that organisations that excel at security do so because of cultural practices, and not just technical offerings. These organisations see the value of unifying development, operations and security teams in their DevSecOps practices to achieve business outcomes.

Red Hat’s Chellappan concurs, calling for organisations to include security teams at the onset of DevOps initiatives to build in security and set a plan for security automation. “It also underscores the need to help developers code with security in mind, a process that involves security teams sharing visibility, feedback and insights on known threats – like insider threats or potential malware,” he says.

With DevSecOps as the underlying foundation for cyber resilience, the steps organisations can take to mitigate threats to their software supply chain are detailed below.

Apply controls throughout the development lifecycle

Achieving regulatory compliance and ensuring proper security relies on managing control points throughout the software supply chain, along with the visibility necessary to audit the results, notes GitLab’s Ofungwu.

For example, you should set controls for who can make changes to code and configurations, approve merge requests (that may have policy exceptions) and scan applications for vulnerabilities. Some of the common controls you’ll want to think about include segregation of incompatible duties, identity and access approval controls, configuration management, and change control, among others.

In terms of access controls, Chellappan calls for organisations to provide least-privilege access to resources across the supply chain such as developer tools, source code repositories and other software systems. This includes simple yet effective steps like enabling multifactor authentication and using strong passwords.

Vulnerability management and governance

Every organisation that uses or relies on software likely wants to deliver software faster to keep up with the speed of the market. To reach and maintain desired velocity while keeping vulnerabilities to a pragmatic minimum, security teams should make an ongoing effort to provide developers with the tools and data needed to identify and patch vulnerabilities as early as possible – especially those that are seen repeatedly.

To identify potential vulnerabilities, Synopsys’s Lim says organisations must have a thorough understanding of their software supply chains, including all components and dependencies. This can be done by using a software composition analysis (SCA) tool to audit each component’s security practices and controls. Alternatively, organisations can also engage consultancy services from reputable application security companies if they do not have in-house skillsets to conduct the audit or do not want to own the SCA tool.

Lim also advises organisations to develop policies governing their use of open source and third-party components. They can draft these policies themselves or engage consultancy services from application security companies.

Apply zero-trust principles

Zero trust is an approach that assumes hackers are going to get inside your network and focuses on protection from the inside rather than just the perimeter. Embracing this perspective, says Ofungwu, can protect the organisation from lateral attacks where hackers find an easy way in via a low-value asset, but then use privilege escalation and advanced techniques to reach mission-critical apps and data.

The modern software era relies much more on application code and the network, which makes zero-trust principles a necessity. Today’s complexities include application programming interface (API) secrets, containers, orchestrators, cloud services, templates and other tools your development team uses.

All of these provide additional attack surfaces. If an attacker exploits misconfigurations of one of these elements of your software supply chain, they may move laterally across applications, clusters and environments.

Industry frameworks

Ensuring software components are authentic and free of malicious code is one of the most difficult challenges in securing the software supply chain. Industry frameworks, such as Supply-chain Levels for Software Artifacts (SLSA) and software bill of materials (SBOM), have emerged to help developers and organisations address those challenges.

SLSA is a cross-industry effort under the auspices of the Open Source Security Foundation (OpenSSF) to ensure build and source code integrity, and to apply checks on software dependencies. It comprises four levels, starting from the documentation of the build process to ensuring the highest levels of confidence and trust through two-party reviews and hermetic builds.

SBOM, on the other hand, is an inventory of all software components and dependencies that are used to build and deliver an application. By understanding the building blocks of an application, organisations can better understand what’s being used and the risks involved.
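As an added illustration that is not part of the article or of any vendor named in it, the following Python checks a constructed CycloneDX-style SBOM against a constructed usage policy of the kind described above: approved licences, a minimum version for a component with a known issue, and a requirement that every component carries a package URL so it can be traced to its origin. All component names, versions and policy values are constructed assumptions.

```python
import json

# Constructed CycloneDX 1.4-style SBOM fragment; names and versions are invented.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "example-logging", "version": "2.14.1",
     "purl": "pkg:maven/org.example/example-logging@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "example-json", "version": "3.1.0",
     "purl": "pkg:maven/org.example/example-json@3.1.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "example-crypto", "version": "0.9.2",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}
"""

# Constructed open source usage policy (assumption, not a real organisation's rules).
POLICY = {
    "allowed_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "min_versions": {"example-logging": (2, 17, 1)},  # floor for a component with a known issue
    "require_purl": True,                              # every component must be traceable
}


def parse_version(text):
    """Turn a dotted numeric version such as '2.14.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def check_sbom(sbom_text, policy):
    """Return (component name, finding) pairs for every policy violation in the SBOM."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        name, version = comp["name"], comp["version"]
        licence_ids = {entry["license"]["id"] for entry in comp.get("licenses", []) if "license" in entry}
        for lic in sorted(licence_ids - policy["allowed_licenses"]):
            findings.append((name, f"licence {lic} not in approved list"))
        floor = policy["min_versions"].get(name)
        if floor and parse_version(version) < floor:
            findings.append((name, f"version {version} below minimum {'.'.join(map(str, floor))}"))
        if policy["require_purl"] and not comp.get("purl"):
            findings.append((name, "no purl; component cannot be traced to its origin"))
    return findings


if __name__ == "__main__":
    for component, finding in check_sbom(SBOM_JSON, POLICY):
        print(f"{component}: {finding}")
```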

Red Hat’s Chellappan says frameworks like SLSA are effective as they put an organisation on the right track in enhancing software supply chain security. “With an organised tiered approach, it provides an industry standard, a recognisable and agreed-upon level of protection and compliance. It also helps organisations prove to their customers that they are doing what they should be doing,” he says.

Although SLSA is still in the early stages of adoption, it offers a strong introduction to the threats that could affect source, build and deployment management phases, along with the corresponding controls on how to mitigate those threats. “Organisations that pair the recommendations of SLSA with supply chain records that detail the building blocks of an organisation’s software through SBOM are well on their way to demonstrating how secure their digital infrastructure is,” says Ofungwu.

As with any cyber security strategy, having an incident response plan is as important as any preventative step. “We’ve seen in recent supply chain attacks that time to recover is very dependent on how much you know about the composition of your software and how well your security and development teams collaborate,” says Ofungwu.

“Advancing visibility into the components that make up the development phases of your software (as recommended by SLSA) can facilitate quick identification, containment and remediation of the next supply chain attack. This visibility can be achieved through harmonising all pipeline activities into a single source of truth and continuously updating your software composition analysis and dependency records.”