The increased regulatory and legal pressure on software organizations to protect their supply chains and ensure the integrity of their software should come as no surprise. In the last few years, the software supply chain has become an increasingly attractive target for attackers who see an opportunity to forcefully multiply their attacks on orders. For example, look no further than the Log4j breach in 2021, where Log4j (an open source logging framework supported by Apache and used in a wide variety of applications) was at the root of exploits that compromised thousands of systems.
Log4j’s communication functionality was vulnerable and thus allowed an attacker to inject malicious code into the logs, which could then be executed on the system. Since its discovery, security researchers have seen millions of exploit attempts, many of which turned into successful denial-of-service (DoS) attacks. According to some of Gartner’s latest research, by 2025 nearly half of enterprise organizations will be the target of an attack on their software supply chain.
But what is a software supply chain? For starters, it’s defined as the sum total of all the code, people, systems, and processes that contribute to the development and delivery of software artifacts both inside and outside the organization. And what makes software supply chain security so challenging is the complex and widely distributed nature of today’s application development. Organizations have global development teams that rely on an unprecedented number of open source dependencies, as well as the breadth of code repositories and artifact registries, CI/CD pipelines, and infrastructure resources used to build and deploy their applications.
And while security and compliance are always top concerns for enterprise organizations, the challenge of securing an organization’s software supply chain is becoming more and more serious. Many organizations are making significant progress in implementing DevSecOps practices, but many are still in the early stages of figuring out what to do.
That is why we have put together this article. While the following list is by no means exhaustive, here are four guidelines to help steer your software security efforts in the right direction.
Consider all aspects of your software supply chain when applying security
Given that over 80% of code bases have at least one open source vulnerability, it’s understandable that OSS dependencies have been central to software supply chain security. However, today’s software supply chains encompass other actors whose security postures are either overlooked or not understood widely enough within the organization to be properly managed. These facilities are code repositories, CI and CD pipelines, infrastructure, and artifact registries, each requiring security controls and regular compliance assessments.
Frameworks such as OWASP Top 10 for CI/CD and CIS Software Supply Chain Security Benchmark. Adherence to these frameworks will require granular RBAC, application of the principle of least privilege, scanning of containers and infrastructure as code for vulnerabilities and misconfigurations, isolation of assemblies, integration of application security testing, and proper secret management, to name a few.
SBOMs are very important for troubleshooting zero days and other components
Part of Executive Order 14028, issued by the White House in mid-2021 to strengthen the nation’s cybersecurity, requires software manufacturers to provide their federal customers with a software bill of materials (SBOM). SBOMs are essentially formal records designed to provide visibility into all the components that make up the software. They provide a detailed, machine-readable listing of all open source and third-party libraries, dependencies, and components used to build the software.
Whether an organization is bound by EO 14028 or not, creating and managing SBOMs for software artifacts is a valuable practice. SBOMs are an indispensable tool for fixing component issues or zero-day vulnerabilities. When stored in a searchable repository, SBOMs provide a map of where a particular dependency exists and allow security teams to quickly track vulnerabilities back to affected components.
Manage the software development lifecycle with code quality policies
In today’s world of application development, robust fencing is an important tool for eliminating errors and intentional actions that compromise security and compliance. Good governance throughout the software supply chain means that it is easy for an organization to do the right thing and very difficult to do the wrong thing.
While many platforms and tools offer standard policies that can be quickly executed, Policy as Code, based on the industry standard Open Policy Agent, allows you to create and enforce fully customizable policies. Policies that govern everything from access privileges to allowing or denying the use of OSS dependencies based on criteria such as vendor, version, package URL, and license.
Be able to verify and ensure the trust of your software artifacts with SLSA
How can users and consumers know that the software is trustworthy? When determining the reliability of a software artifact, you want to know who wrote the code, who created it, and what development platform it was created on. You also need to know what ingredients are in it.
Deciding whether to trust the software is possible after checking the provenance – the record of the software’s provenance and chain of custody. For this, Supply Chain Levels for Software Artifacts (SLSA). was created. It gives software organizations the ability to capture information about any aspect of the software supply chain, verify artifact properties and builds, and reduce the risk of security issues. In practice, it is important for software organizations to adopt and adhere to the requirements of the SLSA framework, and to implement a means of verifying and generating software attestations, which are validated statements (metadata) about software artifacts throughout the software supply chain.
Given the size and complexity of securing today’s software supply chain, the above recommendations only scratch the surface. But like everything else in the world of building and deploying modern applications, the practice is evolving rapidly. To help you get started, we recommend reading How to deliver software securely – e-book full of best practices aimed at strengthening your security and minimizing risk to your business.
