What You Can Do Now to Manage Your Software Supply Chain Risk
While the Log4j crisis that kept everyone busy over the holidays was a wake-up call for many, mitigating it does not solve the larger issues of supply chain attacks. It’s more important than ever to put practices in place to manage your supply chain risk. Supply chain breaches continue to be discovered. Just after the new year, for example, researchers at Palo Alto Networks detected a software supply chain campaign infecting Sotheby’s real estate websites with data-stealing skimmers. The campaign was distributed via a Brightcove cloud-video platform instance.
It’s no longer enough just to protect your perimeter. To build trust into your software, it’s crucial that you secure your software supply chain. The first step in that process is to inventory your software supply chain by building a software bill of materials (SBOM). The process of creating a SBOM involves much more than just an inventory. Building a SBOM means investigating how your software was built, configured and deployed. When you know what you have, where it came from, who is maintaining it, when it should be patched and whether that patching was done, you increase your organization’s ability to perform automated vulnerability remediation.
Build a Software Supply Chain Risk Management (SSCRM) Program
Building an accurate SBOM is the core activity developers should undertake, but it is only the beginning of a solid SSCRM program. The U.S. National Institute of Standards and Technology (NIST) has developed a Cybersecurity Supply Chain Risk Management (C-SCRM) and Secure Software Development Framework that provides recommendations about how to manage supply chain risk. This framework defines parameters for implementing a comprehensive risk management program and a formal C-SCRM program.
A comprehensive risk management program should be integrated across your entire organization. Your plan should identify and manage critical software components and suppliers, and also account for their entire life cycle.
NIST recommends the following steps to implement a risk management program:
- Identify key business goals and processes that drive revenue.
- Create an inventory of current and future software licenses.
- Research and document how software licenses are supported by their suppliers.
- Understand how your software supports key processes.
- Create a plan to address software for which a vulnerability is disclosed.
When it comes to supply chain security, NIST recommends that you make sure that your software vendors:
- Adhere to secure software development life cycle (SDLC) practices.
- Disclose vulnerabilities.
- Offer patch management.
- Maintain a list of approved suppliers for products.
- Provide a software component inventory.
Implement a Comprehensive C-SCRM Program
To implement a comprehensive C-SCRM program as outlined by NIST, your organization will need to do the following:
- Define your supply chain risk management roadmap.
- Perform software composition analysis (SCA).
- Perform malicious code detection.
- Secure cloud and container development.
Define Your SSCRM Roadmap
The first step in securing your supply chain is to define the level of security you seek and develop a plan to reach that level. You do this by evaluating the people, processes and technologies that make up your software supply chain. Ideally, you’ll bring in third-party experts to do this evaluation. Third-party experts bring fresh eyes to systematic problem-solving jobs like this, in large part because they are unburdened by institutional memory of the decisions that went into building the supply chain you have. Once you have a clear map of the risks your supply chain poses, then you can establish a multiyear strategy to mitigate and reduce those risks.
Software Composition Analysis (SCA) and Binary Analysis
SCA and binary analysis are at the heart of any supply chain risk management solution because you can’t build an accurate SBOM if you do not know what is in your software. Even more important, you need tools that will investigate the contents of that software beyond declared dependencies and manifests.
A complete SCA solution employs:
- Automated open source detection. It is important that your automated open source detection strategy does a complete inventory, one that does not rely on declared dependencies.
- Detailed security and compliance reporting. Your SCA solution should compile detailed reports on security and compliance, as well as deliver regular insights about component quality to ensure that you are only using high-quality components that are actively maintained by a robust open source community.
- Automated open source governance enforcement. Your SCA solution should automatically enforce open source governance, in alignment with your defined risk tolerance, and require only limited input and action from development and operations teams.
Analyzing Binaries, Executables and Libraries
It is equally important that your SCA solution analyzes binaries, executables and libraries for open source components regardless of what the manifests declare. You want a SCA system that will:
- Inspect binary container images for open source components beyond those disclosed in manifests. For instance, Docker files.
- Analyze applications and containers to discover security concerns including both known and unknown vulnerabilities.
Malicious Code Detection
Are you confident that your system is free of malicious code? Malicious code can remain dormant for months or even years until it is activated. This type of code can lurk beneath the surface of your software and is usually extremely hard to detect with traditional scanning tools. Security experts use a combination of intensive manual scanning and automated detection to find suspicious constructs in production binaries, configurations and data. Experts can also provide advice on appropriate methods of malicious code management and vulnerability remediation strategies.
Cloud and Container Security
Reports in 2021 showed a significant increase in activities related to securing the cloud and containers. Research indicates that organizations are developing their own capabilities for managing cloud security and evaluating their shared responsibility models.
Steps you can take now to secure your infrastructure include:
- Define a strategy for your cloud and container strategy and build a roadmap to get there. Determine what strategies, capabilities, and activities your company should use to support an efficient cloud security program. This entails gaining visibility into your current cloud adoption state and defining an achievable future state by using a proven cloud security reference architecture and maturity assessment framework.
- Conduct an architecture risk assessment to examine your potential attack surface, determine where security controls are insufficient and get recommendations from experts on how to improve them. A risk assessment also identifies technical risks that can lead to business risks, prioritizes the risks based on their likelihood of occurrence and prescribes mitigation tasks.
- Ensure a secure cloud migration with assessments both before and after the migration. This includes building and deploying cloud applications using secure reference implementations with baseline security controls, and also performing static application security testing, software composition analysis and dynamic analysis.
- Secure your containers. Identify and mitigate cloud container risks with a thorough vulnerability assessment, penetration testing, architectural risk/threat models and DevSecOps considerations.
- Optimize and manage the cloud. This entails performing regular cloud security posture management health checks for configurations, policies, controls and integrations. It also includes remediating, investigating and responding to alerts and incidents as necessary.
- Prioritize and implement actions to improve your threat posture and address gaps.
Supply Chain Risk Is Business Risk
All businesses these days are software businesses. Businesses either build software as part of their products and services or they buy software and use it to operate the business. Software is the critical infrastructure for all other critical infrastructure, and consequently, it carries significant risks that must be managed, just like any other risks. This is why doing the work to build security processes now will pay off as you go forward. Investment in building an SBOM as part of a robust SSCRM program is more crucial than ever. Breaches like Log4j and the Sotheby’s video data skimming show that every business must make security top of mind.