COMMENTARY
From the attempted backdoor in XZ Utils to the takeover and subsequent malware distribution in the Polyfill JS project, software supply chain attacks are challenging the DevSecOps community and can surprise even the most seasoned professionals. These incidents have underscored the inevitability of such threats and their potential for disastrous consequences.
Organizations must bolster their resilience by emphasizing three critical components within their software build environments: visibility, governance, and continuous deployment. By focusing on these areas, organizations can enhance their defenses and reduce the time it takes to recover from the next cyberattack.
Visibility: Establishing State in Dynamic Systems
What a security practitioner can know about the software systems they defend is finite and temporary. The information that informs operations consists of snapshots of highly dynamic and complex computing systems, while the snapshots of security controls serve as a point-in-time reference to the state of security. Artificial intelligence is changing some security controls to be more dynamic and adaptable, but the vast majority of security boundaries today are static or heuristic-based.
Conversely, the number of unknowns in large-scale computing environments is almost unlimited at any given moment. Code is updated hundreds to thousands of times daily, infrastructure changes can erase previously defined security boundaries, and upstream dependencies can have massive security implications.
To prepare for the next exploit, security professionals must have a real-time understanding of their environments and decrease the number of unknowns. For example, using a software bill of materials (SBOM) is crucial for commercial and open source software (OSS) alike, as it provides a comprehensive inventory of components used in software and enables rapid identification of vulnerable components when new threats emerge. Inventories should serve as the canonical source for any asset, supporting indexing, extensible APIs, and queryable interfaces to maximize their utility and value.
Understanding the age of an organization's software can also help inform security approaches. Older services are subject to more third-party attacks or vulnerabilities because they aren't deployed as often or maintained as frequently. On the other hand, new software is more prone to "first-party" issues such as business logic flaws or, less commonly, entirely new attack classes. Combining new and old software can introduce risk when it rests on assumptions about security boundaries that have been redefined or are no longer effective.
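As an added illustration (not part of the original commentary), the sketch below shows the kind of queryable SBOM inventory described above, combined with the point about software age: it indexes CycloneDX-style SBOMs per service, including nested components, and lists services shipping an affected version with the stalest build first. The service names, the `libexample` component, its versions, and the advisory are constructed, and the SBOM timestamp is assumed to stand in for the last build date.

```python
import json
from collections import defaultdict
from datetime import date

# Constructed sample input: CycloneDX-style SBOMs keyed by service name.
# Service names, component names and versions are made up for illustration.
SBOMS = {
    "billing-api": """{"bomFormat": "CycloneDX", "metadata": {"timestamp": "2023-02-10T08:00:00Z"},
      "components": [{"name": "libexample", "version": "2.4.1"},
                     {"name": "webframework", "version": "1.0.0"}]}""",
    "image-resizer": """{"bomFormat": "CycloneDX", "metadata": {"timestamp": "2024-06-01T08:00:00Z"},
      "components": [{"name": "imgkit", "version": "3.2.0",
                      "components": [{"name": "libexample", "version": "2.4.0"}]}]}""",
    "auth-gateway": """{"bomFormat": "CycloneDX", "metadata": {"timestamp": "2024-06-20T08:00:00Z"},
      "components": [{"name": "libexample", "version": "2.3.9"}]}""",
}

def walk(components):
    """Yield every component, including ones nested inside other components."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def build_index(sboms):
    """Map component name -> [(service, version, SBOM build date)]."""
    index = defaultdict(list)
    for service, raw in sboms.items():
        bom = json.loads(raw)
        # Assumption: the SBOM timestamp approximates when the service was last built.
        built = date.fromisoformat(bom["metadata"]["timestamp"][:10])
        for comp in walk(bom.get("components")):
            index[comp["name"]].append((service, comp["version"], built))
    return index

def find_affected(index, name, bad_versions, today):
    """Services shipping an affected version, stalest build first."""
    hits = [(svc, ver, (today - built).days)
            for svc, ver, built in index.get(name, [])
            if ver in bad_versions]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    idx = build_index(SBOMS)
    # Hypothetical advisory: libexample 2.4.0 and 2.4.1 are affected.
    for svc, ver, age in find_affected(idx, "libexample", {"2.4.0", "2.4.1"}, date(2024, 7, 1)):
        print(f"{svc}: libexample {ver}, SBOM built {age} days ago")
```

The nested-component walk matters here: `image-resizer` only pulls in the affected library through another component, so a scan of top-level components alone would miss it.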
Governance: Managing Software Supply Chains
Understanding an organization's software systems is not enough. Good governance — the framework of policies, processes, and controls ensuring secure practices, with oversight from leadership — is essential for consistent maintenance of security measures and accountability throughout the software life cycle.
There are several considerations for building secure-by-design software:
- Building reproducible software and maintaining per-service metrics for software security assurance
- Performing checks to ensure security boundaries are functioning as expected
- Utilizing prebuilt infrastructure-as-code design patterns
- Building SBOMs capable of being leveraged by security operations and vulnerability alerting teams and tooling
- Automating security checks to ensure secure-by-default principles are adhered to
- Integrating AI validation in the SDLC to improve efficiency, reduce errors, and provide deeper insights into the development process
- Implementing policy-as-code to automate the management and enforcement of security policies across cloud services, applications, networks, and data, ensuring consistent and comprehensive security coverage
- Designing security boundaries that constrain failure domains by design
Organizations might also consider establishing an open source program office (OSPO) for greater OSS security. These teams manage OSS use, oversee security practices, foster relationships with the open source community, stay up to date on the latest security and compliance developments, and monitor open source component reliability and security.
Continuous Assessment: Anticipating the Unknowns
Continually testing and monitoring an environment is crucial to organizational resilience in the face of software supply chain security vulnerabilities. Continuous deployment — where code changes are automatically tested and deployed to production as soon as they pass automated tests, sometimes hundreds or thousands of times per day — goes beyond continuous integration and delivery by automating the entire deployment process to improve software quality and accelerate delivery. However, continuous deployment is only possible when visibility and governance components are in place.
Many developers hate writing tests, and test coverage is almost always lower than teams would like it to be if they had the time. Comprehensive test coverage, including unit and integration tests, ensures that every part of an environment is checked for errors in isolation and when interacting with other components. This is an area where generative AI (GenAI) can greatly assist with automating or accelerating the boring work. This benefits engineering teams not just with velocity but by continuously attesting to the security and resilience of their software.
Automated security boundary checking likewise verifies that security perimeters are tight and well-maintained, acting as a first line of defense against potential breaches. Monitoring production environments is also key to catching discrepancies or unexpected behaviors that might indicate a security issue. Finally, continuous programmatic discovery is crucial for keeping inventories complete and consistent.
Building Resilience Against the Unknowns
The test of cyber resilience is an organization's ability to adapt and evolve its security posture to stay ahead of the next security threat. To prepare, security professionals must ensure their software ecosystem is well-instrumented for effective response and resilience, minimizing the exposure window from identification to remediation.
By understanding through visibility, managing through governance, and anticipating through continuous deployment, organizations will be better prepared for the next supply chain attack.