Secure Software Supply Chain – Cybersecurity Expert Series

Today, organizations of all sizes rely on a diverse range of systems and software, encompassing open-source components, commercial applications, proprietary software, virtual networks, and cloud technologies.

With growing dependence on these diverse ecosystems, Gartner predicts that by 2025, 45%of organizations worldwide will have experienced attacks on their software supply chains — a three-fold increase from 2021.

In this episode of the NextLabs Cybersecurity Expert Series, Brian Gallagher, CEO and founder at Codelock, will cover protecting the software supply chain with secure software development practices. Read his insights below or watch the full Q&A video on YouTube.

Q1: What makes a software supply chain secure and why is it important for software development?

Most people think that software is written one line at a time by a single person in a single location. This is a misconception. A report from GitHub states a whopping 97% of applications leverage open-source code, and 90% of companies are applying or using it in some way. A software supply chain can refer to this open-source code, which was developed by another unknown resource, or it could be a contractor or outsource development shop doing the work for you.

The point that I’m trying to make is that a component of your finished product was built someplace else out of your control, and you as the final software publisher required to make sure that the final product is safe and secure for your users. So, a software supply chain should include elements such as ensuring the source code remains up to date and unaltered throughout the development process by unauthorized modifications or changes. You need to protect your code repositories within your organization from unauthorized access and tampering while having oversight up and down your software supply chain. Implementing strong authentication mechanisms and access controls to limit who can make changes to the code or access sensitive components. You should always know that the person committing code to your repository, isn’t the same person who was the one who made the change and issued those credentials in the first place. So why is all this important? This mitigates security vulnerabilities by identifying both known and unknown threats before they reach your customers. This will reduce the risk of malicious attacks. In fact, software supply chain attacks have increased over 700% in the last three years, costing companies on average over $4 million per attack. A secure software supply chain will reduce personal and corporate liability, as well as protect your company’s profits while ensuring the protection of your reputation.

Q2: How do we ensure that software components are genuine and safe during the supply chain process?

Software security should start by locking every line of code at the time of creation. In a sense, all software code should be locked throughout the complete software supply chain. We can easily accomplish this by ensuring that the proper authentication of each developer through a multi factor authentication process and by adding a secure code signing feature that follows the software through its development lifecycle by using advanced cryptographic signatures. You can verify the authenticity of software components, ensuring that they have not been tampered with. Your organization should be capable of producing a software bill of materials, which is also known as an SBOM, that will allow for dependency component verification. Secure software development audits should be conducted regularly to ensure that all supply chain components are legitimate and safe, and that your organization is in compliance with government regulations and standards. Throughout this process, you should always use continuous monitoring that includes features such as real-time scanning for threats and vulnerabilities, anomaly detection to identify unexpected or malicious changes in software, and you should also analyze your data, highlighting the behavior of your developers and the software for unusual activities that may indicate security concerns.

Q3: What is DevSecOps and how can it help in keeping software supply chains secure?

DevSecOps is the principle of combining three different parts of the software development process into one single focus. This includes the actual writing of the code, which is the dev, for development, the securing of the software, which is the sec, for security, and the operational components of releasing the software, which is the ops. You put all three together. What do you get? DevSecOps. This is a fundamental change in how software has been developed, which has resulted in making software and their supply chains more secure. Historically, security would be considered after the software was finished, if even at all, and any threats or vulnerabilities found would be costly to go back and change.

With DevSecOps security is considered at the time of the original development and release. New tools allow for the automation of security and testing to identify and address issues early in the development cycle. Collaboration among development, security, and operations teams encourage cross-functional collaboration, resulting in multiple benefits for your organization. Some of these benefits include cost savings from early vulnerability detection and mitigation; continuous monitoring, which will provide real time insights into the security and operational status of your supply chain; having rapid response to security threats, minimizing the organization’s downtime during an unfortunate incident. Finally, DevSecOps can help organizations maintain compliance and security standards and regulations by incorporating security checks and controls into the beginning of the development process.

Q4: How does continuous monitoring and real time analysis empower organizations to safeguard their software against emerging threats?

Real time analysis includes the detection of anomalies and suspicious activities in identifying unusual network traffic patterns. By continuously monitoring your code, you can allow for early threat identification and proactive risk mitigation by detecting unauthorized changes to your code. This allows for a more effective response mechanism like adaptive response or rapid reaction to threats and automated alerts and responses, which take the guesswork out of threat detection.

As an example, when the solar winds attack occurred, it took over 300 days to detect the intrusion and find the threat resulting in billions of dollars of damage to companies and our economy. Popular containment strategies for hackers include the quick neutralization of emerging threats to reduce the harm that these hackers will cause. By enabling enhanced visibility and understanding through comprehensive system status monitoring and behavior pattern recognition, you can monitor your developer’s profile using new AI capabilities. As an example, if your developer works, say, Monday through Friday in Ashburn, Virginia, but suddenly logs on at 2 a.m. from Russia, you can be reasonably sure that’s not your developer and act appropriately. Data driven approaches like analyzing insights for security improvements assist in the anticipation of future threats, allowing you to take preventive action. Remember, it’s not only about locking the front door, it’s also about having motion detection inside the building once the bad guys get in.

Thank you for reading our latest Cybersecurity Expert Series article, to watch the video version, visit our Youtube channel.