#HowTo: Strengthen Supply Chain Security

High-profile cyber incidents, such as the cyber-attacks on SolarWinds and Microsoft Exchange Servers, have directed attention to the resilience of supply chains. These attacks demonstrated how vulnerabilities in third-party products and services can be exploited by cyber-criminals, affecting hundreds of thousands of organizations at the same time.

The fact is that software supply chain attacks are fast increasing: by 300% in 2021. Bad actors are focusing on source code to generate weaknesses and open backdoors to critical applications. Whether it is vulnerable open-source software, compromised container images or unauthorized access to code, there are plenty of ways to be exploited.

The National Cyber Security Centre (NCSC) has issued practical steps to help tackle the significant increase in the number of cyber-attacks resulting from supply chain vulnerabilities. The guidance is a step in the right direction as it focuses on the third-party aspect of security, which has been overlooked in most organizations’ security strategies. However, when it comes to software supply chains, they are composed of a mix of third-party software, proprietary software and open-source. 

We can identify three main layers that organizations should secure in their software supply chain:

  • Code and image scanning: there are various types of scans, such as SCA, IaC, sensitive data, SAST, etc. The aim is to release software with secure code and to grade every open-source package based on quality, maintainability, popularity and risk.
  • Secure the process: gain full visibility across all the pipelines in your organization, recording every step and action from the moment a developer has committed code through the build process up until the final new artifact is generated while being able to produce a software bill of materials (SBOM).
  • Harden the environment: fix dangerous misconfigurations of your DevOps platform, and establish a zero-trust DevOps environment by enforcing least privilege access and implementing best practices.

How can we execute these ambitions in practice? Follow these simple guidelines:

  • Connect your security teams, DevOps and developers with an end-to-end solution built to halt software supply chain attacks. Find an integrated cloud-native application protection platform (CNAPP) that will protect against supply chain threats from code through to runtime and ensure defense during the entire software development lifecycle across the application and the underlying infrastructure.
  • Leverage zero trust DevOps and CI/CD posture management to support least privilege access and reduce security risks that arise from potentially dangerous misconfigurations in DevOps platforms, such as GitHub, Jenkins and Nexus. This will also quickly identify insider threats, such as bulk changes to user account access, the removal of required security checks or changes to a sensitive code repository.
  • Introduce automated controls to highlight new or non-compliant CI pipelines and apply customizable security assurance policies with one click. These controls should also allow the creation of individual enforcements that will ensure every newly built artifact is signed and scanned for vulnerabilities, secrets and infrastructure as code (IaC) misconfigurations. 
  • Take advantage of next-generation SBOM abilities, allowing developers to record every action on the path to eventual artifact creation. Using this ability means developers can be reassured that the code they create is the same code that ends up in the development toolchain.
  • Use automated open-source health evaluations to rate every open-source package and provide real-time alerts to developers when potentially dangerous packages are picked up.

Introducing proactive security to your software supply chain will ensure release quality, while an all-in-one, integrated, robust threat analysis and runtime defense platform will guarantee day one security and protection across every layer. That means you can stop cloud-native attacks before any damage is done.

What’s Hot on Infosecurity Magazine?