Software supply chain security combines best practices from risk management and cybersecurity to help protect the software supply chain from potential vulnerabilities. The software supply chain is made up of everything and everyone that touches your code in the software development lifecycle (SDLC), from application development to the CI/CD pipeline and deployment.
The supply chain includes networks of information about the software, like the components (e.g. infrastructure, hardware, operating systems (OS), cloud services, etc.), the people who wrote them, and the sources they come from, like registries, GitHub repositories, codebases, or other open source projects. It also includes any vulnerabilities that may negatively impact software security – and that’s where software supply chain security comes in.
Most software today isn’t written from scratch – it’s typically a combination of software artifacts containing open source software. However, these software artifacts are subject to vulnerabilities, and developers have less control over source code from a third party or any changes made to a software artifact over time. It’s important to note that unpatched software is more susceptible to security issues. Because software is essential to executing daily business operations, supply chain security is a crucial responsibility of every organization and security team.
Software company SolarWinds was breached in 2020 when attackers launched malicious code via its Orion IT monitoring and management software, a platform used among large corporations and government agencies. By attacking the supply chain, the hackers infiltrated not only SolarWinds but their customers as well. Log4j is a commonly used but widely exploitable open source software that has left countless users and organizations susceptible to data breaches and attacks. In 2021, the president of the United States highlighted the importance of software supply chains and security with 2 White House executive orders: supply chains and cybersecurity.
Risk to any component of the software supply chain presents a potential risk to every software artifact relying on that supply chain component. It provides hackers the opportunity to insert malware, a backdoor, or other malicious code to compromise any components and their associated supply chains. Software supply chain attacks, commonly carried out by profit threat actors and nation state actors, are rising and can have dramatic effects in both our digital and physical worlds. These generally fall into one of four types of risks:
- Vulnerabilities: are flaws in software code that could be exploited leading to a breach. Patch and update your software artifacts to minimize this risk
- Licensing: is a legal risk that could obligate you to make any resulting software artifacts open source and nullify patent rights. Consult legal experts in this area.
- Third party dependencies: are any dependency upon any outside organization as part of the software supply chain and are difficult to know. Analyze all third party code and talk to your suppliers about how they protect you.
- Processes and policies: are a problem if you do not have them. Create policies for your developers and processes (or playbooks) for when you need to respond to a vulnerability.
Common attack vectors include hijacking updates, undermining code signing, and compromising open source code.
DevSecOps is an approach to culture, automation, and software design that integrates security as a shared responsibility throughout the entire IT lifecycle. DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflows from slowing down. Selecting the right tools to continuously integrate security, like agreeing on an integrated development environment (IDE) with security features, can help meet these goals.
While the software supply chain is made up of everything and everyone that touches your code, application security protects the code itself from attacks and vulnerabilities. Like software supply chain security, application security should be applied at every step of development.
Application security begins in the software development lifecycle and extends throughout the application lifecycle with the goals to prevent unauthorized access to your system and protect proprietary data. Strengthening the integrity of your supply chain can in turn increase application security. Hardening configurations, minimizing attack surfaces, restricting permissions, signing software, and distributing builds throughout different parts of your system are all ways to keep attackers from compromising your applications.
Software supply chain security is important to your organization, your customers, and any organization that relies upon open source contributions. While no organization wants to be breached, it also does not want to be responsible for another organization encountering a similar event. Implementing protections for your software supply chain is the key.
Outlined below are some security best practices that security teams should consider:
- Provide least privilege access to resources across the supply chain (e.g. developer tools, source code repositories, and other software systems), enable multi-factor authentication, and use strong passwords.
- Conduct regular security training for employees.
- Harden the security of all your connected devices and sensitive data.
- Know your suppliers and who you do business with, starting with your tier-one suppliers. Conduct risk assessments to evaluate each supplier's cybersecurity posture and public policies on vulnerabilities.
- Regularly scan and patch vulnerable systems.
Developers should also consider secure coding practices, using lock files, and other security-focused initiatives:
- Validate checksums.
- Include vendor dependencies into source control.
- Publish and consume the Software Bill of Materials (SBOM).
- Embrace Software chain Levels for Software Artifacts (SLSA), which includes:
- The ability to digitally sign your software artifacts to authenticate provenance.
- Leveraging automation for your processes and policies.
- Scan your software with automated security testing tools such as Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST).
Red Hat understands the need to secure software components and dependencies early in the software development lifecycle and uses DevSecOps practices to automate the integration of security at every stage. Let Red Hat do the work of understanding the upstream supply chain and provide you with a product that you can rely upon and trust your business with 24/7. Red Hat and its partners bring expertise, a comprehensive DevSecOps ecosystem, and the ability to help organizations implement software supply chain security throughout the software development lifecycle.