Software supply chain security risks continue to be a growing concern for commercial and public sector enterprises after the high-profile SolarWinds and Codecov attacks. The Gartner report, How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks, outlines how software engineering leaders can best guide their teams to protect the integrity of the software delivery process and mitigate software supply chain security risks by adopting the practices described in this research.
In this complimentary Gartner report, you’ll learn about:
- Hardening the software delivery pipeline
- Securing the operating environment for software engineers
- Protecting the integrity of internal and external code
- Countering the threat of software supply chain attacks
“By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.”
Highlights from the Report
Protect Internal and External Source Code
Failing to enforce security controls in source code can be a vital error in a software build. The use of version control systems and artifact repositories can expose source code to malicious tampering.
The Gartner report recommends three best practices for securing source code:
- Strong version control policies using version control systems
- Trusted component registries locked down
- Third-party risk management
Harden the Delivery Pipeline
Managing software supply chain risks requires strengthening the software delivery pipeline. Gartner recommends three practices to strengthen software delivery pipeline security.
- Implement secrets management by not hard-coding secrets in code. Configuration files significantly increase the risk of compromising build pipelines and development environments. It’s best to be proactive with this issue.
- Verify source code and binaries’ integrity through hashing and signing. Committing files to a VCS produces hashes (unique identifiers). These hashes help validate that the files are not altered in transit. File hashes generated by the compiler during continuous integration/continuous development (CI/CD) can be compared to those generated by static file analyzers during scanning. This strategy ensures that the code that ships to customers is the same code that your security team scanned.
- Configure CI/CD pipelines with elevated security and access controls, as they may be turned off by default. Tools to protect software code integrity should also be present in the pipeline.
Secure the Operating Environment for Developers
Because software development environments span multiple distributed systems, platforms, and tools, they represent unique software supply chain security challenges. Here are best practices that Gartner recommends to secure the developer’s operating environment:
- Least privilege access policies and methods to connect securely to different machines on a network and elevated system privileges allow attackers to infiltrate other machines and services once they access one system. Elevated system privileges is another OS attack risk.
- Machine Identity Management to authenticate distributed application architectures, cloud-native infrastructure, and APIs-as-products have increased the granularity and volume of machine identities.
- Anomaly Detection and Automated Response to detect and respond to anomalies before damage is done to software code. Malicious attacks on software development pipelines have a high likelihood of surfacing as an anomalous activity
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.