The age of software supply chain disruption


The software supply chain is fast becoming a widespread attack vector, and securing it is now in the spotlight. Attacks on software supply chains have reportedly become commonplace in 2022.

SolarWinds, Kaseya and GitLab are just a few examples of organizations that have been vulnerable to attacks in recent years. We have also observed an increasing number of exploits, such as log4j and Log4Shell, which can affect billions of devices. What these instances have in common is that they exploit vulnerabilities in open-source software and third-party dependencies commonly used in the software delivery process – meaning that a corrupted package can have far-reaching implications for the entire tech industry.

I recently spoke to Doug Dooley, COO, Data Theorem, about the implications of today’s complicated software supply chains. “The software supply chain problem is bad, but it will only get worse in the next five years,” he said. According to Dooley, application security requires ongoing context about how the app behaves at runtime in a software ecosystem—otherwise, gaps in the bigger picture continue to be missed.

Understand disruptions in the software supply chain

Most people understand what a traditional product supply chain is – it encompasses all the components required to get a product to the end user, from raw materials through manufacturing and distribution to retail locations. But amid the pandemic and recent international conflict, we have seen how fragile that chain is. If any of these components shuts down, all consumers feel the effects, from gas price hikes to baby food shortages. A whopping 61% of organizations were hit by supply chain attacks in 2021.

The supply chain for software can be thought of in a similar way – many components sit between a software product and the end user. The developer writes code, integrates third-party libraries and frameworks, commits it to source control systems, pushes it into test environments, and finally deploys it to production. And DevOps often has an eye on this big picture.

“DevOps has emerged as one of the most powerful people in the industry,” said Dooley. “You can turn an entrepreneur’s idea into reality in the form of an application.”

Third-party risk can cause considerable disruption in the workflow described above. This can take the form of insecure libraries, underlying cloud vulnerabilities, or API vulnerabilities, says Dooley. “Customers will embed APIs into the software stack — it’s a black box for them.” Misconfigured S3 buckets also crop up all the time, exposing millions of records. More serious application security threats involve remote code execution, which can result in a loss of control.

Why now?

So why the sudden spike in security incidents related to the software supply chain? After all, open source software, APIs, and third parties have been around for decades. Well, according to Dooley, there are several factors at play here.

For years, Silicon Valley’s mantra has been “Move fast and break things.” Take Netflix Engineering, for example, which constantly develops and releases its services, shipping dozens of changes per day. According to Dooley, such rapid application development often means security follows development rather than preceding it or being integrated into the process, à la DevSecOps. This can lead to what he calls an “ambulance chaser moment.”

The attack surface increases as the number of third-party providers and dependencies increases. The average company has 254 SaaS apps, according to data from Productiv. On the attacker side, too, we are seeing an increasing level of automation and sophistication. “You only have to get it right once on offense,” Dooley said. “The deck is stacked in favor of an attacker.”

Strengthening the chain

The software supply chain problem is a complex problem that cannot be solved by a single measure. However, Dooley offered some tips for businesses to consider as they confront this broader issue:

  • Source code analysis and supplier management. It’s important to vet partners and have a process in place to audit new software by looking for common vulnerabilities and exposures (CVEs). But source code analysis falls short in many areas, Dooley admitted, as it’s unlikely you can view the source code behind cloud API calls, and production behavior doesn’t always match documentation.
  • Continuous monitoring of runtime security. New exploits are constantly being found. Therefore, organizations need a continuous defensive posture at runtime, even for components that have been proven safe in development. Full-stack continuous detection must take into account many third-party components, such as SDKs, open source code, mobile apps, web services, cloud services, APIs, and identity and access management, explains Dooley.
  • Increased transparency with SBOMs. More widespread use of software bills of materials (SBOMs) will be critical to increasing transparency across the industry. Just as nutritional information describes the foods we eat, SBOMs spell out the internal makeup of software components. “We’re trying to get to a point where we can get more transparency into the software that we depend on,” Dooley said.
  • Fast vulnerability detection. Have a good grip on the attack surface. Organizations will want to gather an accurate inventory of what can be attacked.
  • Build protection around the “Crown Jewels”. Sometimes you need to prioritize which steps to take first. Dooley reiterated that securing applications associated with customer data is vital as these are the “crown jewels” – leaks here could have serious ramifications in terms of regulatory penalties and the brand’s reputation.
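The SBOM, inventory and CVE-vetting points above fit together in one routine: read a bill of materials, build an inventory of what is deployed, and flag components older than the first fixed version in an advisory feed. This is an added illustration, not code from the article or from Data Theorem; the SBOM, the package names and the advisory identifiers are all constructed placeholders, and only the CycloneDX field names (`bomFormat`, `specVersion`, `components`, `name`, `version`) are real.

```python
import json

# Constructed minimal CycloneDX-style SBOM, standing in for one exported by a
# build tool. Component names and versions are made up for the example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-logging", "version": "2.14.1"},
    {"type": "library", "name": "example-http",    "version": "4.5.13"},
    {"type": "library", "name": "example-json",    "version": "2.9.0"}
  ]
}
"""

# Constructed advisory feed: package name -> (first fixed version, advisory id).
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES = {
    "example-logging": ("2.15.0", "ADVISORY-PLACEHOLDER-1"),
    "example-json":    ("2.9.1",  "ADVISORY-PLACEHOLDER-2"),
}

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically rather than
    as strings ('10.0.0' must rank above '9.0.0'). Pre-release suffixes such as
    '-rc1' are ignored, so this is a simplification of full semver ordering."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def inventory(sbom_text):
    """Return {component name: version} for everything listed in the SBOM."""
    bom = json.loads(sbom_text)
    return {c["name"]: c["version"] for c in bom.get("components", [])}

def find_vulnerable(sbom_text, advisories):
    """Match the inventory against the advisory feed; a component is flagged when
    its version is older than the first fixed version for that package."""
    findings = []
    for name, version in inventory(sbom_text).items():
        if name in advisories:
            fixed, advisory_id = advisories[name]
            if parse_version(version) < parse_version(fixed):
                findings.append((name, version, fixed, advisory_id))
    return findings

if __name__ == "__main__":
    for name, version, fixed, adv in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: affected by {adv}, first fixed in {fixed}")
```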

Caution: Heavy lifting required

“The moment you ship software, you’re taking a risk,” Dooley said. But at the same time, if you don’t create digital interfaces, you’re missing out on tremendous opportunities.

Code reuse and open source packages have become necessary to maintain agility and support the continuous release of digital products. “Even if you build everything from scratch, you’re still reusing a lot,” Dooley said. “Without it, you would never get to market.” While these tools enable unprecedented speed, we cannot overlook the potential vulnerabilities that can lie within the software supply chain.

With its unique window into the software delivery and automation process, the DevOps sphere will undoubtedly play a role in protecting this paradigm. “Let’s push for more transparency and disclosure,” Dooley said. “But don’t hang your hat on making your program great — if you really care about this issue, you’re going to have to lift some weight in the real world.”
