Software supply chain attacks are becoming more frequent and introducing bigger consequences. This highlights the need for a structured response by policymakers and the security community, which is now in development. But organizations can implement their own software supply chain security strategies as well.
What Is the Software Supply Chain?
The software supply chain consists of code and binaries, and the development teams, tools, and processes involved in building, packaging, and deploying applications. Modern software development has made the supply chain increasingly complex. Reasons for this include:
- Product innovation: Consumers today expect cutting-edge products, which drives software vendors to deliver more innovation.
- External services: Organizations now outsource elements that are not core to their business, such as payment, navigation, and translation.
- New technology: New operating systems, processors, and graphic chips increase the complexity of software.
- Practices: Modern practices like agile development, CI/CD, and DevOps have together accelerated the pace of product delivery.
- Code: Code used to build an application contains many ingredients, including custom code, open source dependencies, build and packaging scripts, containers, and infrastructure.
These elements combined create complex software supply chains, which are an attractive attack vector and target for malicious actors.
Software Supply Chain Attacks
Attackers use malicious code in an "upstream" component in the software supply chain with the goal of compromising the target of the attack: the "downstream component." Any link in the software supply chain can be compromised, but current research highlights three main targets: dependencies, pipelines, and the combination of both — pipeline dependencies.
Application dependencies — open source packages or container images — introduce vulnerability. Attackers insert malicious code into publicly accessible packages, and that code is automatically downloaded by unsuspecting developers.
Development pipelines used to build and release software can also be compromised. Attackers inject malicious code into the code itself defining the build process — such as CI scripts or build tooling configurations. Then attackers can use the build pipeline to distribute malicious code to downstream consumers.
External dependencies within the build pipeline, such as third party plug-ins, tooling binaries, or the build environment itself, can also be targeted by attackers.
Best Practices for Software Supply Chain Security
These best practices can improve security around your own software supply chain.
—Use SCA and SAST
Software composition analysis (SCA) tools help you integrate security testing early and throughout the software development process to mitigate risk in open source packages being pulled into an application (including transitive dependencies). SCA tools also detect open source software licenses to help organizations ensure compliance with legal requirements.
Static application security testing (SAST) tools check custom code for security issues. Using a SAST tool can inform you of the risks resulting from the combination of supply chain components and your custom code.
—Secure Your Containers
Base images from trusted providers should be free from malicious software, but still often have vulnerabilities in the Linux packages and developer tools they supply. A container security tool can help mitigate risk in a container image, and should also identify application components inside containers, especially in cases where direct access to the source code is not an option.
—Utilize the SBOM
A software bill of materials (SBOM) provides details on all components included within a supplied product: open source dependencies, containers, and build tools. Generate and maintain SBOMs to track your third-party dependencies, tools, and sources. Always require an SBOM from third-party vendors before or during procurement of new software, and routinely scan it for security risks.
—Manage Source Code Carefully
Source code management systems (SCM), like GitHub or Atlassian Bucket, are the central hub for an organization's software development. Modern SCMs provide specialized features and configuration settings, such as access policy controls and branch protection, that can be leveraged to harden security. These mechanisms are not always enabled by default and must be explicitly set.
—Secrets and Credentials
Today's workflows use different types of credentials for access control, including encryption keys, SSH keys, and API tokens. When exposed, these credentials can be used by attackers. To mitigate risk, use a secret management tool to store and encrypt secrets and enforce access controls. Scan source code repositories to ensure secrets are not committed by mistake, automate service account rotation for credentials, and assign restrictive permissions to tokens.
—Implement DevSecOps Practices
DevSecOps integrates security practices into a DevOps model. The key element of DevSecOps is to integrate security as early as possible, and throughout, the life cycle of software development. DevSecOps is a continuous cross-team effort and cannot be achieved without a deep change in organizational culture.
Keep Your Software Supply Chain Secure
Software supply chain attacks will likely increase in both frequency and complexity, affecting more organizations and exacting a growing cost. However, with careful planning and implementation of best practices, organizations can move toward a much more secure software supply chain.
About the Author
Mic McCully is a Field Strategist at Snyk with a focus on modern application security. In his role as a Field Strategist, Mic spends his time sharing the Snyk vision and strategy while also gathering and collecting insight of security priorities from the market. His background spans over 27 years in the software industry with close to 17 years of that focused on the security space.