Securing the Software Supply Chain
Securing the Software Supply Chain
In 2018, the Software Bill Of Materials (SBOM) emerged as one of the key building blocks toward the security of the supply chain in software development. An SBOM is essentially a structured list of software components that make up a software product . Last year (2021), it became a requirement for federal contractors in the US, following Executive Order (EO) 14028. This EO has also driven a number of other initiatives, including from NIST and CISA, to provide guidance around source code analysis and integrity, increase visibility and SBOM generation, the hardening of DevOps platforms, etc.
There is, indeed, increasing demand for software transparency in supply chain security, especially in the wake of high-profile cyber attacks targeting the supply chain. According to Revenera, 80% or more of the components in a single software application do not originate from the vendor selling the software. In reality, the supply chains of most organizations have grown so large, and are likely to change over time, the exact figures might even be unknown. Having an up-to-date and complete software assets inventory in place is still a major challenge for most organizations. In fact, beyond SBOMs, organizations also use many 3rd party applications to manage their security, CI/CD pipeline, analytics, sales, etc. According to Okta’s Business at Work 2022 report, the average number of apps organizations deploy increased to 89 this year (an increase of 24% since 2016). Larger companies (2K+ employees or more) deploy even more apps; 187 on average. Best practices and security considerations should also expand to these applications, many of which are part of the software lifecycle and contribute to the organization’s attack surface and cyber exposure.
Supply chain threats
Reducing the cyber exposure associated with the supply chain requires good visibility into the components that make up the software, as well as those that manage its pipelines, especially in DevOps. Figure 1, shows example threats spanning the CI/CD pipeline, where most of the tooling would originate from outside the organization itself.
Some of the threats shown in Figure 1, at the build stage, are linked to using untrusted sources or compromised dependencies. These have shown to be some of the most common attack vectors in recent supply chain attacks . For IT and security teams, it is important to be aware of these threats, to begin with. In fact, an SBOM by itself doesn’t prevent untrusted dependencies, but it can be incorporated into an organization's dependency management process that would include integrity checks or the storage of trusted copies in private artifact stores for instance.
Threat modeling is the process of identifying and addressing cyber security threats at the design level and accounting for mitigation measures that will help reduce the associated risk. Reliable inventories and the monitoring of threats at this stage will significantly increase development efficiencies and decrease security issues down the road.
Figure 1. Software supply chain threats (from the Google Cloud team).
Figure 2. OWASP Top 10 CI/CD security risks.
Securing the supply chain also means securing your CI/CD infrastructure. If a software vendor’s development process is breached, and malicious code implanted, that will propagate and penetrate deep into their customers' infrastructure. That’s what happened in the SolarWinds hack. The OWASP top 10 CI/CD security risks (Figure 2) helps defenders and threat modelers identify focus areas for securing their CI/CD ecosystem. Automated security tools and processes in emerging DevSecOps development practices are a good step toward securing CI/CD pipelines. However, threat modeling is necessary to include additional mitigations that cover abuses in access management, for instance, or the governance of 3rd party applications’ usage.
Stolen secrets, including digital certificates, also represent a major threat to the supply chain. Consider this: if a certificate, belonging to you or a partner, was to be compromised, security implications could be significant. An attacker can potentially authenticate as you or your partner, sign and distribute malicious code, or even use it to bypass inspection and protection systems. That’s what happened in the Mimecast certificate hack. Strong and mandatory IAM and code integrity policies must be followed to secure the build and update infrastructure.
Table 1. presents a few high-profile breaches and incidents, and associated supply chain threats. Properly securing supply chains is becoming increasingly urgent. The latest annual report from Sonatype reported an astonishing 742% average annual increase in software supply chain attacks over the past 3 years! In the next section, we will cover best practices and necessary controls to address threats and secure the supply chain.
Table 1. Example of known supply chain incidents and associated threats.