Section 4 of the “Executive Order on Improving the Nation’s Cybersecurity” introduced many people in the technology industry to the concept of the “software supply chain” and the need to secure it. If you make software and want to sell it to one or more federal agencies, you have to be aware of this. Even if you never plan to sell to the government, understanding your software supply chain and learning how to protect it will give you a stronger security foundation and the benefits that come with it. This article explores three ways to enhance software supply chain security.
What is your software supply chain? It is essentially everything that goes into building software: from the IDE where developers write their code, to third-party dependencies, to the build system and scripts, to the hardware and operating system that runs the software. Instabilities and vulnerabilities, malicious or not, can be introduced anywhere from inception to deployment and beyond.
1: Keep your secrets
Some of the biggest cybersecurity incidents of 2023 happened because bad actors got hold of plaintext secrets. In this context, secrets are username and password combinations, API keys, signing keys, and the like. The keys to these corporate kingdoms were found where they shouldn’t have been.
Sourcegraph was compromised when they pushed code containing a hard-coded access token to a public instance. The token was then used to set up other accounts and give people free access to the Sourcegraph API. A hacker group gained access to Microsoft’s internal debugging environment and discovered, in a crash dump, a signing key that allowed them to create email credentials.
Tools like GitGuardian let you check your code, whether legacy or brand new, for secrets that have been committed or are about to be. It’s important to know which secrets may have been exposed, remediate them, and put safeguards in place, in the form of automated tools and code reviews, to ensure other keys are not exposed.
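As an added illustration of the kind of check such tools automate (example code written for this article, not GitGuardian’s or the original author’s), here is a minimal pre-commit style scanner: it combines a few pattern rules with a Shannon-entropy filter so that placeholder values like “changeme” are not reported. The rule names, the entropy threshold and the sample file are assumptions constructed for the example.

```python
import math
import re

# Patterns for credentials that should never be committed. The AWS access key
# id prefix "AKIA" is a publicly documented format; the other two rules are
# generic patterns defined here for illustration only.
SECRET_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "assigned_credential": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words and placeholders low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text: str, min_entropy: float = 3.5):
    """Return (line_no, rule, snippet) for every line that looks like a leaked secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            # For generic assignments, require a high-entropy value so that
            # obvious placeholders such as "changeme" do not trip the scan.
            if rule == "assigned_credential" and shannon_entropy(m.group(1)) < min_entropy:
                continue
            findings.append((line_no, rule, m.group(0)[:40]))
    return findings

# Constructed sample file (no real credentials): three leaks and three benign lines.
SAMPLE = """\
import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
password = "changeme"
api_key = "f3b9c0e1d2a4b5c6d7e8f9a0b1c2d3e4"
token = os.environ["TOKEN"]
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, rule, snippet in scan_source(SAMPLE):
        print(f"line {line_no}: {rule}: {snippet}")
```

Wiring `scan_source` into a pre-commit hook that rejects the commit on any finding is the “attempting to release them” case; running it over the whole history covers the legacy case.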
2: Use SCA to help build your BOM
In manufacturing, a bill of materials (BOM) is a comprehensive list of all raw materials, components, and instructions needed to build, manufacture, or repair a product or service. Cybersecurity regulations and best practices embrace the concept of a software BOM, which provides transparency and provenance for every part that goes into building software.
But you cannot build a complete BOM from the declared dependency manifest alone.
The combination of package repositories such as NPM and PyPI with open source frameworks and libraries has been praised for making software development more efficient: nobody has to reinvent the wheel. Instead, developers can find free software packages that implement the functionality they need and easily integrate them into their software.
They also expose developers to a growing web of dependencies. It can feel like “turtles all the way down”: you have dependencies that have dependencies that have dependencies… you might even have sub-dependencies on four different versions of the same package, each with different vulnerabilities.
Software composition analysis (SCA) tools automatically scan the project’s code base and identify all external components you are using, all the way down the stack of turtles. They then perform checks to ensure these components are up to date, secure, and compliant with licensing requirements.
This not only helps identify which dependencies have known vulnerabilities so that you can update or replace them, but is also helpful when you need to produce a clean BOM for inspection by potential customers and regulators.
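To make the “turtles all the way down” point concrete, here is an added example (not code from the article or from any SCA product) that walks a resolved dependency graph of the kind a lockfile records, lists every transitive component, flags packages present in more than one version, and cross-references the exact versions against an advisory list. The package names, versions and advisory ids are all constructed placeholders.

```python
from collections import defaultdict

# Constructed dependency graph in the shape a lockfile resolves to:
# (name, version) -> the (name, version) pairs it depends on. Not a real project.
RESOLVED = {
    ("webapp", "1.0.0"): [("http-client", "2.1.0"), ("template-engine", "4.0.2")],
    ("http-client", "2.1.0"): [("url-kit", "1.4.7"), ("log-lite", "0.3.0")],
    ("template-engine", "4.0.2"): [("url-kit", "1.5.10"), ("log-lite", "0.2.1")],
    ("url-kit", "1.4.7"): [],
    ("url-kit", "1.5.10"): [],
    ("log-lite", "0.3.0"): [("url-kit", "1.4.7")],
    ("log-lite", "0.2.1"): [],
}

# Constructed advisory feed keyed by exact (name, version); ids are placeholders.
ADVISORIES = {
    ("url-kit", "1.4.7"): ["ADV-PLACEHOLDER-001"],
    ("log-lite", "0.2.1"): ["ADV-PLACEHOLDER-002"],
}

def walk_components(root, graph):
    """Every transitive (name, version) pair below root, visited once even
    when several parents pull it in."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    seen.discard(root)  # the root is the product, not one of its components
    return seen

def build_sbom(root, graph, advisories):
    """Minimal SBOM-like record: components, packages resolved to several
    versions, and the components with a known advisory."""
    components = walk_components(root, graph)
    versions = defaultdict(set)
    for name, version in components:
        versions[name].add(version)
    return {
        "product": f"{root[0]}@{root[1]}",
        "components": sorted(f"{n}@{v}" for n, v in components),
        "multi_version": {n: sorted(vs) for n, vs in versions.items() if len(vs) > 1},
        "vulnerable": sorted(f"{n}@{v}" for n, v in components if (n, v) in advisories),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(build_sbom(("webapp", "1.0.0"), RESOLVED, ADVISORIES), indent=2))
```

The declared manifest for `webapp` names two packages; the walk finds six components, two of them in duplicate versions and two with advisories that a manifest-only BOM would never surface.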
3: Attack yourself
Ethical hacking is older than recent computer science graduates. As stated in a recent webinar on ethical hacking, it is “the responsible and legal identification and exploitation of vulnerabilities in a computer system or network.” Note the emphasis on “responsible” and “legal”.
Essentially, ethical hackers use mostly the same techniques as “black hat” hackers to find and exploit vulnerabilities in systems. The difference, which cannot be emphasized enough, is that they do so with permission. They stick to the systems they are allowed to hack and then document everything so that their findings can be replicated and analyzed by the team or client they report to.
Although this usually happens later in the development process, it is important. If they can determine your dependencies and perform their own SCA to identify vulnerable ones, it’s game over. If they can find an undefended entry point, it’s game over. If they test the web application and find that debugging code prints confidential output to the console, it’s game over. Some vulnerabilities may come as a surprise, while others may take nothing more than removing a line of debugging code to fix.
Incorporating ethical hacking into the release process, joining a bug bounty program, and the like can ensure you fix issues before you have to apologize, report to regulators, and clean up.
Summary
Whether you’re trying to please regulators or customers, enhancing software supply chain security lets you spend more time selling software and less time apologizing. While these three tips give you a good foundation, you can find more in the SLSA security framework. Operating the framework and ensuring supply chain security is (in the words of the SLSA website) “going from ‘secure enough’ to being as resilient as possible at any point in the supply chain”.