Improve security by building software supply chain resilience

2024-10-23 03:00:00

From the attempted backdoor attack in XZ Utils to the takeover and distribution of malware in the Polyfill JS project, software supply chain attacks pose a real challenge to the DevSecOps community. These incidents, which can surprise even the most seasoned professionals, have highlighted the inevitability of these threats and their potentially disastrous consequences.

Companies must then build resilience by emphasizing three essential elements in their software creation environments: visibility, governance and continuous deployment. It is by focusing on these areas that organizations will be able to strengthen their defenses and reduce the time it takes to recover from cyberattacks.

Visibility: Determining state in dynamic systems

Security experts have only limited and temporary knowledge of the software systems they defend. The data that drives operations describes highly dynamic and complex IT systems, while representations of security controls are themselves only a point-in-time reference to the state of security.

adaptable. However, the vast majority of security perimeters today are static or based on intuitive approaches.

Conversely, the number of unknown variables in large-scale computing environments is effectively unlimited. Code may be updated hundreds or even thousands of times per day, and infrastructure changes can erase previously defined security perimeters. It is therefore entirely possible for prerequisite dependencies to carry significant security implications.

To prepare for the next incident, security professionals must have a real-time understanding of their environment and reduce the number of unknowns. For example, the use of a software bill of materials (SBOM) is crucial for both commercial and open source software (OSS). It provides a complete inventory of the components used in a piece of software and makes it possible to quickly identify those that are vulnerable when new threats appear. To maximize their utility and value, inventories should serve as the primary source of truth for each asset, supporting indexing, extensible APIs, and queryable interfaces.

Understanding an organization’s software maturity level can also help develop security strategies. Because they are not deployed as often or maintained as frequently, older systems are more susceptible to third-party attacks or vulnerabilities. On the other hand, new software is more prone to so-called “first-party” problems, such as flaws in the business logic or, more rarely, attacks of an entirely new type. Furthermore, the combination of new and old software can lead to risks due to the coexistence of security perimeters that have been redefined or are no longer effective.

Governance: For software supply chain management

Understanding an organization’s software systems is no longer enough. Having good governance in place, with a framework of policies, processes and controls ensuring safe practices, often under management oversight, is essential. Indeed, it ensures the consistent maintenance of security measures and accountability throughout the software life cycle.

Several elements must be taken into account to create secure software by design (security-by-design):

  • Build reproducible software and maintain “per service” measures to ensure its security.
  • Perform checks to ensure security perimeters are operating as intended.
  • Use pre-established “infrastructure-as-code” (IaC) design patterns.
  • Build SBOMs capable of being exploited by teams and alert tools on security operations and vulnerabilities.
  • Automate security checks to ensure default security principles are followed.
  • Integrate AI validation into the SDLC to improve efficiency, reduce errors, and provide deeper insights into the development process.
  • Implement policy-as-code (or policies as code) to automate the management and enforcement of security policies across cloud services, applications, networks and data. This helps ensure consistent and comprehensive security coverage.
  • Design security perimeters that demarcate areas of risk from the design stage.
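
The SBOM-driven identification of vulnerable components described in the visibility section, and the "SBOMs capable of being exploited by teams and alert tools" bullet above, can be illustrated with a small matching routine. This is an added example, not code from the original article: it assumes a CycloneDX-style JSON SBOM and a set of advisories carrying package URLs and affected version ranges; the inventory, advisory ids and package names below are constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM (sample data, not a real inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "libwidget", "version": "1.4.2", "purl": "pkg:deb/debian/libwidget@1.4.2"},
    {"name": "fastparse", "version": "0.9.0", "purl": "pkg:npm/fastparse@0.9.0"},
    {"name": "httpkit", "version": "2.31.0", "purl": "pkg:pypi/httpkit@2.31.0"}
  ]
}
"""

# Constructed advisories with placeholder ids; the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:deb/debian/libwidget", "introduced": "1.4.0", "fixed": "1.4.3"},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:pypi/httpkit", "introduced": "0", "fixed": "2.31.0"},
    {"id": "ADV-PLACEHOLDER-3", "purl": "pkg:npm/unused-lib", "introduced": "0", "fixed": "9.0.0"},
]


def _vtuple(version: str) -> tuple:
    """Numeric dotted version -> comparable tuple (the sample data only uses that form)."""
    return tuple(int(p) for p in version.split("."))


def affected(component: dict, advisory: dict) -> bool:
    """True when the purl (minus its version) matches and the version falls in [introduced, fixed)."""
    purl = component.get("purl", "")
    # rsplit keeps npm-style scoped names such as pkg:npm/@scope/name intact.
    if purl.rsplit("@", 1)[0] != advisory["purl"]:
        return False
    v = _vtuple(component["version"])
    return _vtuple(advisory["introduced"]) <= v < _vtuple(advisory["fixed"])


def find_affected(sbom_json: str, advisories: list) -> list:
    """Return (advisory id, purl) pairs for every inventory entry hit by an advisory."""
    components = json.loads(sbom_json).get("components", [])
    return [(adv["id"], c["purl"])
            for adv in advisories for c in components if affected(c, adv)]


if __name__ == "__main__":
    for adv_id, purl in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {purl} is affected")
```

The fixed version itself is treated as safe (the range is half-open), which is why the httpkit entry at exactly 2.31.0 is not reported.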

Businesses may also consider implementing an Open Source Program Office (OSPO) to strengthen the security of open source software. The teams integrated into this office are responsible for managing the use of open source software, overseeing security practices, and maintaining relationships with the open source community. Their mission is also to stay informed of the latest developments in security and compliance, and to monitor the reliability and security of open source components.

Continuous evaluation: anticipating the unknowns

Continuous testing and monitoring of an environment is critical to an organization’s resilience to vulnerabilities that challenge software supply chain security. Continuous deployment allows code changes to be tested automatically and deployed to production as soon as they pass automated testing, up to hundreds or thousands of times per day. This approach goes beyond continuous integration and continuous delivery: by automating the entire deployment process, it improves software quality and accelerates delivery. However, continuous deployment is only possible once the visibility and governance building blocks are in place.

Many developers hate writing tests. In addition, the scope of testing is often narrower than the teams would like. Comprehensive test coverage, including unit and integration testing, ensures that each part of an environment is checked for errors both in isolation and when interacting with other components. Here, Generative AI (GenAI) can go a long way toward automating or speeding up tedious work. This way, engineering teams can gain speed while also durably guaranteeing the security and resilience of their software.

Automated monitoring of security perimeters also makes it possible to verify that they are impenetrable and well maintained. This is a first line of defense against potential vulnerabilities. Monitoring production environments is also essential to detect anomalies or unexpected behavior that could signal a security issue. Finally, ongoing programmatic discovery is essential to keep inventories complete and consistent.

Building resilience in the face of the unknown

Cyber resilience is an organization’s ability to adapt and evolve its security posture to stay ahead of the next threat. To prepare, security professionals must ensure their software ecosystem is well instrumented for effective response and resilience, minimizing the window of exposure from identification to remediation.

By improving understanding through visibility, managing through governance, and anticipating through continuous deployment, organizations will be better prepared for the next software supply chain attack.
