Questions around software supply chain attacks aren’t leaving the industry conversation anytime because of the SolarWinds attack. It’s time to review your software supply chain security fundamentals. Now that we’re in 2021, we can all expect newfound attention on securing the supply chain inside business and government.
Let’s first define the role of the software supply chain in modern software development.
Software Supply Chain Explained
To prepare themselves for software supply chain attacks, teams need to understand the software supply chain’s operational role in their product development and services activities.
Much of the traditional security focus inside commercial and public sector enterprises is about compliance with end-user security. DevSecOps — still in its infancy — is starting early adopters on a journey to bring security into the start of the DevOps life cycle. It’s also breaking down the traditional silos that exist between developers and security.
Now enter the software supply chain, which follows a similar model as a manufacturing supply chain. One of the software supply chain’s primary jobs is to ensure that the right code is being developed for the program’s most essential features. When you consider the scale of enterprise applications, the correct code encompasses multiple applications, a potentially exhausting list of application features, plus internal and sometimes third-party development teams to maintain existing applications and create new code. Such a scale and complexity make it a growing attack vector.
So much has changed about large-scale software development over the last decade. A significant change is that today’s software supply chain includes a sourcing step. It works similar to the sourcing to the sourcing step in the traditional supply chain where your organization manages relationships with suppliers. The sourcing step is also where an organization buys parts or materials that are more efficient or cost-effective to outsource. For example, in enterprise software development, stakeholders use the sourcing step to purchase security software for integration into the products they’re developing if security isn’t part of their strengths. It’s also the step where organizations determine using open source software based on their products or as an integration option for features.
Whether the source is an open source project, a fledgling startup, or an offshore firm, organizations must put in the tools and processes to analyze the components’ quality and security entering their software supply chain. Such an analysis should include the following factors:
- Developer documentation, especially for the product’s application programming interface (API)
- Software support through community forums or fee-based arrangements with the developer
- Commercial and open source software licensing agreements
- Security features in the software
It’s also raising questions in the halls of Congress about whether the U.S. government has an adequate framework to assess the security of products upon which the government relies, according to CyberScoop.
We’ll be discussing the intricacies of open source software in the corporate software supply chain in a future blog post.
Software Supply Chain Security Fundamentals
Here are some fundamentals of software supply chain security to brush up on as you look to improve your supply chain security in 2021:
Practice Basic Cyber Hygiene
Like so much of cybersecurity as a discipline, start with security basics at the top of the list to maintain supply chain security.
Basic cyber hygiene starts with installing industry standards antivirus and malware software on any machine or mobile device that accesses the supply chain.
Another step is to set strong passwords, multifactor authentication, device encryption, and regular software updates for any machine or mobile device with access to the supply chain. You can enforce these policies from your enterprise mobility management (EMM) platform.
Other hygiene practices include using network firewalls to protect your software supply chain. You also need to back your systems up regularly and clean their hard drives on a regularly scheduled basis.
Include Software Supply Chain Attacks in your Threat Models
When creating or just updating your threat models, be sure to include supply chain attacks. While many analysts, pundits, say that SolarWinds did nothing wrong, that’s no excuse for you not to factor software supply chain attacks in your threat models.
Institute Proper Risk Management for your Supply Chain
The technology risk management discussion has mostly been devoid of the software supply chain, unfortunately.
My colleague Andre Neufville, an Anchore solution architect, speaks to the wisdom of instituting proper risk management in the DevSecOps pipeline and some other advice that you can also apply to your supply chain best practices.
Work with your Partners to improve Security Accountability
It’s one thing to manage your technology stack and supporting infrastructure; it’s another thing to secure and enforce your development partners that you have in your supply chain. While challenging to do, you can look at contractual measures to ensure security with enforceable penalties if broken. Unfortunately, such contractual agreements can be challenging to enforce.
There’s also seeking out third-party vendors who’re already adhering to your industry’s necessary compliance standards.
Implement Defense in Depth
Another option to explore if you have the budget is to implement defense in depth, where you treat every piece of software you bring into your supply chain as a malicious actor. It doesn’t matter if you source the software from your internal DevSecOps teams, a third-party supplier, an open source software project, or a combination of sources.
Defense in Depth requires your organization to put in the tools and processes to monitor everything that enters your supply chain. It’s an expensive measure to implement and out of reach for all but the largest of enterprises.
Remember that as software supply chain attacks continue to mount in the future, tactics will change, but the basic cybersecurity fundamentals will remain in place. Your DevSecOps team needs to work with your auditors and cybersecurity team to ensure that your supply chain security adheres to your required standards. Here are some key takeaways:
- Software supply chain security is the new hot button security concern for 2021.
- Start with the cybersecurity basics when securing your software supply chain, including strong passwords, multifactor authentication, and regular software updates.
- Include software supply chain attacks in your organization’s threat models if you aren’t doing that already.
- Institute proper risk management for your supply chain using the same practices you’re already applying to your organization’s software and business risk.
- Implement Defense in Depth treating everything that enters your supply chain as malicious (an expensive option!).