2023-06-29 15:06:42
Co-founder and CTO of Sokube, Yann Albou is a recognized expert in the DevOps world. In an interview with ICTjournal, he explains why software supply chain security is becoming more important and recommends practices to better protect it.
What explains the growing attention paid to software supply chain security?
With the multiplication of attack vectors, the castle-and-perimeter model of security is a thing of the past. More and more companies are interested in and seek to adopt a cross-functional zero-trust approach. In this design, it is no longer just the network but all of the IT components that must be protected: nothing is a priori infallible, including what is internal to the company. It is a profound change at the human level and at the organizational level. Security becomes the concern of each and every element of the application chain, from design to production, and this involves identities, data, infrastructure, applications and now the software supply chain. There is indeed a desire to integrate security needs as far upstream as possible – shift left – so that security then spreads to production environments.
Isn’t the issue of the supply chain also linked to the fact that applications and architectures increasingly rely on third-party components?
Indeed. Companies evolve in rapidly changing environments, at the economic, health or even ecological level. They must be extremely reactive and focus on their business. At the IT level, we must therefore deliver well and quickly and rely on what is available on the market, starting with open source. Today, applications are largely made up of such components. The question of how to manage the security of these elements therefore arises for organizations.
What risks are organizations exposed to when faced with vulnerabilities in these components?
The impacts caused by vulnerable components are varied: data disclosure, malware, but also malfunctions or overconsumption of resources. First example, Log4shell, a very popular Java component whose vulnerability was suddenly revealed, and whose impact I could see with our customers. Organizations suddenly had to address two issues: how do I identify affected applications and how do I patch quickly? And they weren’t ready. A year after the vulnerability was revealed, 30% of downloads were still made on buggy versions. Second example, the npm Colors and Faker libraries, also very popular. Here it is not a vulnerability that has been revealed, but the developer who took care of these components who decided to sabotage them deliberately to wake up the community. Everyone indeed benefits from these components, but no one pays those who spend time developing them. For the record, the developer only broke the “in development” versions and not the validated versions. This did not prevent thousands of applications in production from being penalized…
Are organizations aware of these dangers?
It depends. A first category of companies has really become aware of this risk: they are raising awareness among their employees, reviewing their processes and implementing appropriate security solutions and governance. A second category of companies, although attentive to the issue, deals with problems in a targeted and ad hoc manner without calling into question the way in which they protect themselves. And of course, there is a third category of companies that are completely unaware of this issue. In the end, I would say that few companies deal with this risk in its entirety, and it does not depend on the sector or the size of the organization. It must be said that it is not obvious: it is not a natural approach to consider the supply chain as an attack vector.
What are your recommendations for securing the software supply chain?
As I said at the beginning, the company and the teams must become aware of the problem and of the new security paradigm with an upstream approach and a principle of least privilege. Then there are a number of technical measures to be implemented at the supply chain level. First, publish an SBOM to list both application and system packages, regularly update dependencies, ensure the immutability of the system and containers, have a minimalist approach to reduce the attack surface and ensure component integrity. It is also necessary to eliminate all secrets from containers, repositories and other VMs. It is also important to have a system that performs regular scanning both in the CI and in production, and an isolation system for the registries in which we store our packages, with a promotion mechanism and different permissions and practices depending on whether you are in dev, test or prod. I would also recommend setting up a GitOps system, strong RBAC and observability tools that cover the software supply chain. Finally, it is necessary to strengthen the solutions of the software factory, which are often poorly configured. In conclusion, it is important to consider security holistically and to build it in as early as possible in the development chain. This subject is becoming more and more critical, and emerging standards and frameworks such as SLSA make it possible to identify one's level of maturity in this area.