With cybersecurity & ransomware attacks on the rise, strengthening our defenses towards ensuring the safety & privacy of customer data has assumed paramount importance. One of the major challenges in this endeavor today is to manage the risk associated with integrating open-source software in the products that we develop. This is where Software Supply Chain Security swoops in and, potentially, saves the day.
The sources of attack on a supply chain can be varied & need not be relegated to just the piece of software being shipped or the vulnerabilities therein. For this post, however, we shall be limiting the scope of discussion to the cybersecurity aspect & shall be discussing various efforts towards improving the security in this space.
So what is Software Supply Chain Security exactly?
During the development of any application software, developers piece open source & proprietary libraries together. This software is further deployed on a platform towards making it available for end-user consumption. In this entire chain of design, development, and deployment there are various software packages being used with no means to corroborate their security. This leads to an architecture that is susceptible to attacks not only via traditional exploitation measures but also via indirect means such as utilizing political influence, blackmail, or even threats of violence against the developers who release such libraries
Given the multi-faceted nature of this problem, the approach we use towards securing the product also needs to be holistic. Merely defending the endpoints will no longer suffice. Right from the design & build stage, security considerations must be incorporated into the process towards ensuring extensive mitigation of the aforementioned attacks. This implies that anything affecting your code – libraries, operating systems, etc, as it passes from development to production will be accurately recorded & tracked so that appropriate monitoring & mitigation processes can be put into place.
A cultural shift?
While a quick Google search can list down the many efforts being taken towards developing appropriate tooling for this purpose, as with everything else, this calls for a cultural shift along with a technological one. Merely integrating available technology in a software supply chain will achieve very minimal results since this will always be an evolving space due to the nature of attacks & the scope involved. A shift in the mindset, as well as the ways of working, needs to accompany the ongoing advancements in tooling & technology.
Assuming shared responsibility
Much like DevOps, the onus of ensuring a secure supply chain doesn’t lie on one team or person alone. It is a shared responsibility and everybody in an organization should collaboratively work towards the end goal. Rather than security as an afterthought, it must be the focal point for every decision an individual/team makes throughout the cycle. Yes, that also includes tooling!
Every single package matters! This is also why every release iteration will require the packages involved to be recorded, analyzed, & monitored for any vulnerabilities. In the event of a vulnerability, there also needs to be a way to assess the impact and mitigate it as soon & effectively as possible. Doing this ad infinitum in a manual manner would be effort & resource intensive which is why there is a requirement for intelligent and automated tooling to be in place.
As the discipline of Chaos Engineering evolves, there is hope for sophistication in the sphere of supply chain attack simulation. Simulations help us discover further vulnerabilities within the existing processes/tooling in place & help us improve, should they occur in real-time because let’s face it; everything fails! How we deal with failure is what ultimately matters. Planning ahead for mitigation and remediation measures as an outcome of such simulations will only help make our supply chains more reliable.
What are the odds?
A four-fold increase in supply chain attacks is expected by the end of this year. Per the report published by the European Union Agency for Cybersecurity titled, Threat Landscape for Supply Chain Attacks, the sophistication and complexity of the attacks were only going to improve with time, thereby requiring equally intelligent & holistic measures towards securing them.
What are our options?
Glad you asked! There is a lot of work underway currently in various areas as detailed extensively in this document by Aeva Black. With efforts such as standardization frameworks, open-source projects, and companies like Chainguard Inc. towards revolutionizing the available tools, this is one space that will be seeing a rapid transformation in the coming years.