Organizations are feeling the pressure to integrate security into their software development lifecycles, and federal and industry mandates mean the days of security as a “nice to have” are officially over. Understanding the threats that can emerge across the entire software supply chain is integral to this effort. But assembling a complete DevSecOps strategy that governs how code, applications, and infrastructure are protected across the software supply chain is no easy feat.
What follows are a few of the biggest challenges that organizations should keep in mind while incorporating software supply chain security into their software development lifecycle.
The full attack surface is huge
Most modern cloud-native applications are developed using a multitude of open source and third-party components, creating a tangle of direct and indirect dependencies. But vulnerabilities in open source software, such as the Log4Shell vulnerability, are only one part of the software supply chain’s full attack surface.
Other potential attack vectors include flaws in in-house code, misconfigured CI/CD pipelines, secret information inadvertently committed to source code repositories, and even undiscovered vulnerabilities in web APIs. Recognizing all of the ways attackers can exploit the software supply chain is an overwhelming task — in fact, it’s impossible for teams to manually monitor all of these vectors, remediate the threats, and do their day jobs at the same time. DevSecOps teams should be aware of the broad categories of threats to watch out for and the tools and processes, such as version control, multi-factor authentication, and automated security scanning, that are effective at preventing or identifying attacks at each stage of the software supply chain.
Zero trust is easier said than done
The key to ensuring security during each step in the software supply chain is to enforce zero trust: essentially, scrutinizing everything and everyone, whether human, machine, open source component, or application configuration, for potential threats. IBM’s Cost of a Data Breach 2022 report found that investments in zero trust are paying off: Organizations that implemented zero trust saved nearly $1 million in average breach costs compared to organizations without zero trust. However, a majority of surveyed organizations had not yet deployed a zero trust security architecture, according to the report. It’s important to remember that zero trust is not a single product or service — it is a strategy applied to a security framework. For securing the software supply chain, that means enforcing zero trust principles at each step in the chain.
Launching a cyber attack is getting easier
Software supply chain attacks were once the domain of experienced cybercriminals who had the skills to identify and exploit vulnerabilities or to build and inject malicious software code into applications. However, today’s cybercriminals have the benefit of learning from their predecessors. Once a piece of malicious software is out in the world, attackers can reuse and modify it for their own purposes. The Mirai malware, for example, continues to live on even after its creators were caught and sentenced in 2018, with new variants emerging each year that continue to pose risks to vulnerable network devices. Today’s hackers also have a broader arsenal of malicious tools at their disposal, such as credential stealers and lateral movement tools, that make it easier than ever to launch software supply chain attacks.
Assess your organization’s threat landscape
Taking steps to recognize threat vectors in the software supply chain ensures that the software development lifecycle remains an engine of innovation and drives benefits for the business, rather than being a potential backdoor for attackers.
Download our field guide to better understand the types of threat vectors that can emerge at each stage of the software supply chain and how to mitigate those risks.