Navigating Secure Software Supply Chains

Ransomware attacks have become commonplace in the news. Not only are people worried about their workplaces, but if your organization creates software systems that are used by your employees or customers, then you should also be concerned that your company is not creating new attack vectors and further exposing your company and your customers to additional reputational and financial risk.

The SolarWinds hack in 2020 was a major event not because a single company was breached, but because it triggered a much larger supply chain incident that affected thousands of organizations, including the U.S. government. Suddenly, every organization that produced, or used, software was terrified of their exposure.

Now, more than ever, it is vital that organizations be able to prove that what they have created is safe and secure. But how can that level of attestation be achieved? Through the use of a Secure Software Supply Chain (SSSC). Diverse organizations such as the Cybersecurity & Infrastructure Security Agency (CISA) and the Cloud Native Computing Foundation (CNCF) are calling for SSSC practices.

Much like the process of building a car on an assembly line, the supply chain is a process of getting a software product to the customer. The process of creating a SSSC has become necessary for modern software delivery. The two core concepts are a chain of custody and establishing trust.

The chain of custody is the process of following materials through every step of the supply chain as they go through various stages of sourcing, construction, validation, packaging, and releasing. This is done through a series of procedures using various technologies, all of which must consume and produce relevant Software Bills of Materials (SBOMs). None of which should be manual.

Establishment of trust is the mechanism that demonstrates that each step in the process has been secured. This ensures that the elements (code, artifacts, libraries) that are in your SBOM’s, are the only things in your SBOM’s and have not been tampered with.

These techniques, built into an automated CI/CD pipeline, and combined with a robust Cloud Infrastructure as Code (IaC) model as well as management of container based images (for those using containers, and why wouldn’t you?) will give the organization an enhanced degree of certainty that what is being published to the customers is what was built and validated and thus safe and secure. Needless to say that this approach doesn’t eliminate the need for security testing and monitoring, but it is a proactive way of managing security risk. Eliminating issues proactively is always cheaper.

When it comes to implementation, there is no one size fits all approach. SSSC practices and tools are still in their early stages. This means that there are many different ways to implement SSSC while staying true to the principles. At Idea Harbor we help customers tailor their SSSC implementation to their specific technical stack and processes. Give us a call and let’s talk about how your organization can improve with proof.