
    Three ways to enhance software supply chain security

By techempire

January 4, 2024 | Hacker News | Ethical Hacking / Vulnerability Assessment

    Software supply chain security

Section 4 of the “Executive Order to Improve National Cybersecurity” introduced many people in the technology industry to the concept of the “software supply chain” and to securing it. If you make software and want to sell it to one or more federal agencies, you have to be aware of this. Even if you never plan to sell to the government, understanding your software supply chain and learning how to protect it will give you a stronger security foundation and the benefits that come with it. This article explores three ways to enhance software supply chain security.

What is your software supply chain? It is essentially everything that goes into building software: from the IDE where developers write their code, to third-party dependencies, to the build system and scripts, to the hardware and operating system that run the software. Instabilities and vulnerabilities can be introduced anywhere from inception to deployment and beyond, whether maliciously or not.

    1: Keep your secrets

Some of the biggest cybersecurity incidents of 2023 happened because bad actors found secrets stored in plain text. In this context, secrets are username and password combinations, API keys, signing keys, and the like. The keys to these corporate kingdoms were found where they should never have been.

Sourcegraph was compromised when code containing a hard-coded access token was pushed to a public instance. The token was used to set up other accounts and give people free access to the Sourcegraph API. A hacker group gained access to Microsoft’s internal debugging environment and discovered a signing key in a crash dump that allowed them to create email credentials.

Tools like GitGuardian let you check your code, whether legacy or cutting-edge, for secrets that have been accidentally committed, and flag attempts to commit new ones. It is important to know which secrets may have been exposed, remediate them, and put safeguards in place in the form of automated tools and code reviews to ensure other keys are not exposed.

2: Use SCA to help build your BOM

    In manufacturing, a bill of materials (BOM) is a comprehensive list of all raw materials, components, and instructions needed to build, manufacture, or repair a product or service. Cybersecurity regulations and best practices embrace the concept of a software BOM, which provides transparency and provenance of all parts of building software.

But you cannot build a complete BOM from your declared dependency manifest alone.

The combination of package repositories such as NPM and PyPI with open source frameworks and libraries has been praised for making software development more efficient by removing the need to reinvent the wheel. Instead, developers can find free software packages that implement the functionality they need and easily integrate them into their software.

They also expose developers to a growing web of dependencies. You might find that it is “turtles all the way down” because you have dependencies that have dependencies that have dependencies… you might even have sub-dependencies on four different versions of the same package, each with different vulnerabilities.

Software composition analysis (SCA) tools automatically scan a project’s code base and identify all the external components you are using, including all the turtles. They then perform checks to ensure these components are up to date, secure, and compliant with licensing requirements.

    Not only does this help identify which dependencies have known vulnerabilities so that you can update or replace them, but it’s helpful when you need to produce a clean BOM for inspection by potential customers and regulators.
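The core of what an SCA tool does with a lock file, as an added example (not code from the article or from any SCA product): walk the resolved dependency graph from the application, list every reachable component rather than only the declared ones, surface packages pulled in at more than one version, match components against an advisory feed, and emit package URLs (purl, the component identifier used by CycloneDX and SPDX BOMs). The lock graph, package names, versions and the advisory id are all constructed for this example.

```python
from typing import Dict, List, Set, Tuple

# Constructed lock-file graph for this example: "name@version" -> direct
# dependencies (name -> pinned version). Names and versions are made up.
LOCK: Dict[str, Dict[str, str]] = {
    "app@1.0.0": {"web-framework": "4.18.0", "logger": "2.3.1"},
    "web-framework@4.18.0": {"parse-args": "1.2.0", "util-strings": "3.0.0"},
    "logger@2.3.1": {"parse-args": "0.9.5", "util-strings": "3.0.0"},
    "util-strings@3.0.0": {"parse-args": "0.9.5"},
    "parse-args@1.2.0": {},
    "parse-args@0.9.5": {},
}

# Constructed advisory feed: (name, version) -> advisory id (placeholder value).
ADVISORIES: Dict[Tuple[str, str], str] = {("parse-args", "0.9.5"): "CONSTRUCTED-ADV-001"}

Component = Tuple[str, str]


def resolve(lock: Dict[str, Dict[str, str]], root: str) -> Set[Component]:
    """Walk the dependency graph from root and return every reachable (name, version)."""
    seen: Set[Component] = set()
    stack = list(lock[root].items())
    while stack:
        name, version = stack.pop()
        if (name, version) in seen:
            continue
        seen.add((name, version))
        # Missing lock entries are treated as leaves rather than crashing the walk.
        stack.extend(lock.get(f"{name}@{version}", {}).items())
    return seen


def multi_version(components: Set[Component]) -> Dict[str, List[str]]:
    """Packages present at more than one version (the turtles a manifest hides)."""
    by_name: Dict[str, List[str]] = {}
    for name, version in components:
        by_name.setdefault(name, []).append(version)
    return {n: sorted(v) for n, v in by_name.items() if len(v) > 1}


def known_vulnerable(components: Set[Component],
                     advisories: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str]]:
    """Match every resolved component, transitive ones included, against the feed."""
    return sorted((n, v, advisories[(n, v)]) for n, v in components if (n, v) in advisories)


def to_purls(components: Set[Component], ecosystem: str = "npm") -> List[str]:
    """Emit package URLs for the BOM, one per resolved component."""
    return sorted(f"pkg:{ecosystem}/{n}@{v}" for n, v in components)
```

The manifest declares two dependencies, but the walk finds five components, and the only advisory match is a version of `parse-args` that nothing in the manifest mentions.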

3: Attack yourself

Ethical hacking is older than recent computer science graduates. As stated in a recent webinar on ethical hacking, it is “the responsible and legal identification and exploitation of vulnerabilities in a computer system or network”. Note the emphasis on “responsible” and “legal”.

Essentially, ethical hackers use most of the same techniques as “black hat” hackers to find and exploit vulnerabilities in systems. The difference, which cannot be emphasized enough, is that they do so with permission. They stick to the systems they are allowed to hack and then document everything so that their findings can be reproduced and analyzed by the team or client they report to.

Although this usually happens later in the development process, it is important. If they can determine your dependencies and perform their own SCA to identify vulnerable ones, it’s game over. If they can find an undefended entry point, it’s game over. If they test the web application and find that debugging code prints confidential output to the console, it’s game over. Some vulnerabilities may come as a surprise, while others may require nothing more than removing a line of debugging code.

Incorporating ethical hacking into the release process, joining a bug bounty program, and similar measures can ensure you fix issues before you have to apologize, report to regulators, and clean up.

Summary

Whether you’re trying to please regulators or customers, enhancing software supply chain security allows you to spend more time selling software and less time apologizing. While these three tips give you a good foundation, you can find more in the SLSA security framework. Adopting the framework and securing your supply chain means (in the words of the SLSA website) “going from ‘secure enough’ to being as resilient as possible at any point in the supply chain”.
