Today’s software supply chains are complex and distributed. Learn about all of the different elements of the software supply chain and gain a deeper understanding of how they are vulnerable and how they must be secured against increasingly sophisticated cyberattacks.
A Software Supply Chain is the sum total of all the code, people, systems, and processes that contribute to development and delivery of software artifacts, both inside and outside of an organization. The technology elements of the software supply chain fall into two main groups.
The elements of an organization’s applications are its own source code, open source dependencies (such as libraries, frameworks, and modules), and software artifacts.
Applications that are built and deployed according to modern devops processes involve code repositories, CI/CD tooling, artifact repositories, secret managers, and Infrastructure-as-Code-Management (IaCM) pipelines.
The software supply chain is an expansive, complex, and highly connected system of technology, people, and processes. Each of its different entities– from devops tools to software artifacts– is vulnerable to attack in a myriad of ways, making the whole supply chain challenging to secure.
Software supply chain attacks are increasing in number and in sophistication. According to Gartner Research, a software supply chain attack is the act of compromising software or one of its dependencies at any stage throughout its development, delivery and usage. Although the precise attack vector may vary in each case, the attacker usually gains unauthorized access to development environments and infrastructure including version control systems, artifact registries, open-source repositories, continuous integration pipelines, build servers or application servers. This allows the attacker to modify source code, scripts and packages, and establish back doors to steal data from the victim’s environment. Attacks are not limited to external actors; they can come from insider threats as well. (Source: Gartner | How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks - 2021)
When it comes to security vulnerabilities in applications themselves, organizations’ codebases often contain known vulnerabilities whose detection and remediation are the main focus of DevSecOps and shift-left security practices. Modern applications are built with an increasing number of open source software dependencies, and over 80% of a codebase’s vulnerabilities are introduced through OSS dependencies. OSS is a significant security risk for organizations.
Though much of the supply chain security focus is on OSS dependencies, the elements of the DevOps toolchain are vulnerable and are also targets of supply chain attacks. Without proper code repo security, malicious code could be injected. Attackers could compromise poorly configured build infrastructure to use unauthorized source code, and a bad artifact could be introduced to a registry without the proper controls in place.
What does it take to secure the software supply chain? Initial efforts have been focused on establishing visibility and control of open source software (OSS) dependencies, which requires generating and managing Software Bills of Material (SBOMs). DevOps toolchain elements such as code repositories, CI/CD tooling, and artifact repositories all need to be scanned and assessed against industry-standard risk and compliance frameworks like CIS (Center for Internet Security) Supply Chain Security Benchmark, OWASP (Open Worldwide Application Security Project) Top-10 Security Risks for CI/CD.
Learn about how Harness Software Supply Chain Assurance (SSCA) module prevents software supply chain attacks.