CEO of GitGuardian, a code security platform for the DevOps generation.
If you have developers building software for you, even if you don’t sell software, you’re a “software company.” And if you’re a software company, your software supply chain is an attack vector for hackers to gain access to your privileged systems, data and sometimes even the systems of your customers, partners or vendors.
As the CEO of a cybersecurity company that helps secure the software supply chain, my inbox is littered with stories of companies that found their systems compromised by hackers who found a figurative key under the doormat or ways to weaken the door’s construction. These hacks were achieved by attacking the software supply chain.
As a C-suite executive, how can you be confident your software supply chain is secure? Let me give you a quick tour of the software supply chain and what you can do to help you trust in the safety of yours.
What A Software Supply Chain Is
The software supply chain covers every stage of the software development life cycle (SDLC), from planning through deployment, along with the people, tools and systems involved in producing the software deployed for use. This can include the coding environments used by developers, third-party frameworks or libraries, version control systems, container management and orchestration tools, continuous integration and delivery (CI/CD) tools, testing tools and more.
Why It’s A Target
Attackers exploit supply chain vulnerabilities because the supply chain is often less well-guarded than production systems. Think of a military base as your system. Getting past the gate (production) to attack your soldiers is going to be difficult because that point is often highly hardened against attack.
Slipping itching powder into the off-base laundry facility that washes the base’s bedsheets, or listening to the conversations of base employees when they’re off-base (supply chain), may be easier. Unintentional disclosure and under-secured pre-production systems are things attackers have exploited and continue to exploit.
How can the base guard against these? Training for workers and regular reminders of best practices, like the American “loose lips sink ships” campaign, can help prevent unintentional disclosure. Testing the bedsheets between arrival from the laundry and distribution to the barracks can help catch an itching powder attack before it reaches the troops. And these are just some of the options.
Attackers are probing and watching all of your attack surfaces. The least guarded point can provide them entry to sensitive systems to exfiltrate data or install malware.
What Makes The Software Supply Chain Vulnerable
Numerous components, from coding and deployment to running in production, create multiple entry points for attackers. These entry points fall into two categories: internal and external.
• Internal Supply Chain: This is the code your developers write and the tools they use. It includes version control systems, container registries and build scripts where your developers may accidentally expose “secrets” like passwords, private keys or API keys. Attackers who discover those secrets can use them to gain access, or to escalate access they already have.
Sometimes this happens because a hacker finds the key exposed publicly in a repository like GitHub, or a hacker gains access to a development environment and finds a treasure trove of secrets in plaintext that increase the severity of the intrusion.
• External Supply Chain: Much modern software has external dependencies on third parties (libraries, packages, frameworks, SaaS). Hackers exploit these by corrupting dependencies with hidden malware or by leveraging known vulnerabilities in outdated or unpatched dependencies.
Having A Talk With Your CTO/CISO
“How are we ensuring our software supply chain’s integrity?” is a good starting question. Here are six things to look for in their answer or ask about as follow-ups.
1. Conducting Regular Audits: Periodically review third-party tools, libraries and dependencies. Review your software bill of materials (SBOM) and use software composition analysis (SCA).
2. Safeguarding Secrets: Use tools to detect and remove hardcoded secrets from codebases. Implement secure vaults for secret management.
3. Implementing The SLSA Framework: Follow the guidelines of Supply-chain Levels for Software Artifacts (SLSA) to raise supply chain security step by step through its graded levels.
4. Training And Educating Your Developers: Provide training on secure coding practices, avoiding phishing attacks and the importance of verifying third-party tools and libraries.
5. Staying Updated On Best Practices: Regularly consult updates from authorities like CISA and NIST.
6. Creating Playbooks: Have well-defined processes in place to respond to and remediate different types of vulnerabilities and exploits when they’re detected. Hope for the best; prepare for the worst.
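As an added illustration of item 2, detecting hardcoded secrets before they reach a repository or build system, here is a small scanner; it is example code written for this page, not the article's own or GitGuardian's product. It checks a constructed sample build script for well-known credential prefixes and for sensitive-looking assignments whose values have high entropy; the variable names, rules and sample values are assumptions, except the AWS value, which is Amazon's documented placeholder key.

```python
import math
import re
from collections import Counter

# Constructed sample build script; the AWS value is Amazon's documented placeholder, the rest made up.
SAMPLE_BUILD_SCRIPT = """\
#!/bin/sh
export APP_ENV=production
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export DB_PASSWORD="s3cr3t-Pa55w0rd-9Xz!"
export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
echo "starting deploy"
"""

# Rules for well-known credential formats, keyed on their public prefixes.
SPECIFIC_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# Fallback: a sensitive-looking variable name assigned a long, random-looking value.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|token|api[_-]?key|private[_-]?key)\w*)"
    r"\s*[=:]\s*[\"']?([^\s\"']{12,})[\"']?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; ordinary words and config values sit below this

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; generated keys score high, plain words low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def redact(value: str) -> str:
    """Keep a 4-char prefix so a finding is triageable without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text: str) -> list:
    """Return (line_no, rule, redacted_value) for each suspected hardcoded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [(name, m.group(0)) for name, rx in SPECIFIC_RULES for m in rx.finditer(line)]
        if not hits:  # use the entropy heuristic only when no known format matched
            m = GENERIC_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                hits.append(("high_entropy_assignment", m.group(2)))
        findings.extend((line_no, name, redact(val)) for name, val in hits)
    return findings

if __name__ == "__main__":
    for line_no, rule, shown in scan_text(SAMPLE_BUILD_SCRIPT):
        print(f"line {line_no}: {rule}: {shown}")
```

Run as a pre-commit hook or CI step, a scanner like this blocks the commit when `scan_text` returns any findings; real tools add many more format rules and tune the entropy threshold to cut false positives.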
Conclusion
Software supply chain security is vital to your business. Awareness, proactive measures and continuous vigilance are crucial keys to safeguarding your code at every stage, from planning and development to deployment. From frontline practitioners to the CEO, everyone should be aware of software supply chain security to ensure organizational resilience against evolving threats.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.