Building Your Secure Software Supply Chain

A secure software supply chain requires that developers be vigilant from start to finish. The software supply chain is comprised of hardware, code, libraries, and tools that turn that code into a deliverable, and its breadth and increasing importance means it has become an attractive target for cyberattacks. If one link fails, it will impact everything else in the ecosystem.

Many attacks are aimed at compromising a software vendor by injecting some form of malware or vulnerability during the development process to be able to exploit the final customer with dire consequences. With the growing use of infrastructure as code (IaC), threats in the software supply chain now potentially target not just software and applications, but the underlying infrastructure as well.

Attacks targeting the software supply chain are no longer limited to internal processes. A company’s attack surface has broadened, so today, all third parties that contribute to the supply chain must ensure that they are not a gateway for attackers.

But just as it is impossible to secure everything with traditional security, the same holds true for securing the software supply chain, especially because new kinds of software supply chain attacks are constantly being discovered. That doesn’t mean you shouldn’t use available resources and guidance to be proactive.

Tips For a Secure Software Supply Chain at All Stages

During the code and development stage, the Recommended Minimum Standards for Vendor or Developer Verification (Testing) of Software Under Executive Order (EO) 14028 includes a set of techniques as the minimal safety requirements for the software development life cycle. Each step should be followed:

• Apply threat modeling to identify key or potentially overlooked testing targets.
• Automated testing.
• Code-based (static) analysis, using a code-scanner, and review.
• Dynamic analysis, with built-in checks and protections, black-box and fuzzy testing, web-app scanner, etc.
• Apply similar checks to include third-party software dependencies.
• Remediate critical bugs as soon as possible.

It is not enough to secure the code and the development process; security must be pervasive during all development stages and instilled in the company-wide culture and practices.

The Defending Against Software Supply Chain Attacks guide from Cybersecurity and Infrastructure Security Agency lays out six phases in the SDLC where it maintains “software is at risk of malicious or inadvertent introduction of vulnerabilities”:

• Design
• Development and production
• Distribution
• Acquisition and deployment
• Maintenance
• Disposal

In terms of other resources for guidance on securing the software supply chain, Safeguarding artifact integrity across any software supply chain is a vendor-neutral framework from the Linux Foundation, VMware, Intel, Google, and others. It offers a common language for increasing levels of software security and supply chain integrity for any developer or enterprise working with the software. Each level provides an increasing degree of confidence to indicate that the software hasn’t been tampered with, the builds are trustworthy and the environment is fully accounted for.

Because Kubernetes and containers are so common today, the NSA/CISA has also released a Kubernetes Hardening Guidance, highlighting “supply chain risks” as one of three sources of compromises, and proposing the following hardening measures and mitigations:

• Scan containers and pods for vulnerabilities or misconfigurations.
• Run containers and pods with the security principle of least privilege.
• Utilize network separation and hardening to control the amount of damage a compromise can cause.
• Use firewalls to limit unnecessary network connectivity and encryption to protect confidentiality.
• Use strong authentication and authorization to limit user and administrator access, as well as to limit the attack surface.
• Uselog auditing/alerting so that administrators can monitor activity and be alerted to potential malicious activity
• Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.