Threats to the software supply chain are forcing a sea change in DevOps. Organizations are feeling internal pressure to embed security deep into their software development life cycles and external pressure to comply with numerous federal and industry mandates. What is emerging is a DevSecOps strategy that helps govern how code, applications, and infrastructure are protected across the software supply chain.
The pairing of DevSecOps with software supply chain security also ensures that, where possible, automation will be used to make processes repeatable, increasing security and reducing the opportunity for human error or malicious activity.
This comprehensive guide provides deeper dives into all the aspects of software supply chain security, so make sure to follow the embedded links.
The need for software supply chain security
Securing code is not a new concept. However, promoting security early on in the development life cycle is. The movement to shift security left has taken off, and “sec” is becoming part of the DevOps culture, morphing the concept wholly into DevSecOps.
Along with this evolution has been an increase in outside pressure – as formidable as the federal government – to batten down software supply chains so that large attacks such as the SolarWinds hack of 2020 won’t threaten the nation’s critical infrastructure and cause unmitigated damage.
Essentially, businesses must figure out how to meld their development, security, and operations teams internally while complying with numerous mandates from external organizations.
Learn more about the key trends driving software supply chain security:
Integrating sec into DevSecOps
The first step in securing the software supply chain is to create a cohesive DevSecOps approach to software development. In doing so, organizations can expand security in DevOps beyond basic tasks and better understand myriad threat vectors.
Security in a modern DevOps solution goes beyond shifting security left to empower developers to find and fix security flaws; it also provides end-to-end visibility and control over the entire SDLC used to create, deliver, and run applications.
Teams that integrate security practices throughout their development process are 1.6 times more likely to meet or exceed their organizational goals, according to the Google Cloud DevOps Research and Assessment (DORA) “Accelerate State of DevOps 2021 Report”.
Some best practices elite DevSecOps teams use are:
- Apply common controls for security and compliance
- Automate common controls and CI/CD
- Apply zero-trust principles
- Inventory all tools and access, including infrastructure as code
- Consider unconventional scale to find unconventional vulnerabilities
- Secure containers and orchestrators
Understanding federal and industry mandates
The Biden administration has been singular in its demand that federal agencies and their vendors make significant improvements in software supply chain security.
That sense of urgency has trickled down to the standards bodies, including the National Institute of Standards and Technology (NIST) and its Secure Software Development Framework, the Cybersecurity and Infrastructure Agency’s work on Software Bill of Materials standards, and SLSA, a cross-industry collaboration on a security framework to secure the supply chain.
Compliance officers within organizations are looking to DevSecOps teams to make it easy for them to audit the development life cycle and attest to requirements in these mandates.
How a DevOps platform helps
In our 2022 Global DevSecOps survey, respondents overwhelmingly told us that secure software development is now an imperative for their organization and that they believe security is the top reason to deploy a DevOps platform.
A DevOps platform can certainly help protect against software supply chain attacks. Here are some examples of how:
- End-to-end visibility and auditability: who changed what, where, and when.
- Consistent application and administration of policies: both which policies are used where, and the actions taken for exceptions.
- More intelligent response through greater end-to-end context.
- Reduced attack surface of a simplified toolchain.
DevOps platforms can even support more sophisticated software supply chain security techniques such as securing pipeline builds with code signing. Code signing is an area of interest to standards bodies setting requirements for protecting software supply chains.
GitLab’s strengths in software supply chain security
GitLab has been at the leading edge of DevSecOps, helping organizations evolve their security practices beyond traditional application testing.
For instance, rather than being performed by security pros, using their own tools, at the end of the development cycle, security testing is automated within the CI pipeline, with findings delivered to developers while they are still iterating on their code. Read how GitLab is also revolutionizing CI, security, and remediation practices.
GitLab is laser-focused on enabling organizations to establish and manage security and compliance guardrails that allow developers to run fast while also managing risk, including the introduction of continuous compliance and policy engines, as well as automated attestation and SBOMs.