Mandates are being introduced globally to enforce software supply chain security, but they are still in the very early stages of being defined. There are a lot of unknowns that will be determined in the coming months and years. The only thing we can be sure of is that change is coming, and we as part of the software security community need to be prepared to adapt our roadmaps and security initiatives accordingly. Nevertheless, there are actions that you can take right now to combat supply chain attacks.
Implementing a comprehensive cyber supply chain risk management (C-SCRM) program as outlined by NIST requires four essential components.
- A supply chain risk management roadmap. The first step in your software supply chain transformation journey should be to develop a plan to get to your desired state of security. This entails an evaluation of your software supply chain’s people, processes, and technology. This evaluation should be ideally performed by third-party experts who can utilize their supply chain security experience and “fresh eyes” to evaluate and establish a multiyear strategy to reduce risk in your supply chain.
- Software composition analysis (SCA). SCA and binary analysis are at the heart of any supply chain risk management solution. But not all SCA products are created equal. A complete SCA solution utilizes
  - Automated open source detection that goes beyond relying solely on declared dependencies so that all open source is discovered, and a complete inventory is compiled
  - Detailed security and compliance reporting plus regular insights on component quality, ensuring that you are always using high-quality components that are actively maintained by a robust open source community
  - The ability to automatically enforce open source governance, aligned with your unique risk tolerance, with limited input and action from development and operations teams
Analyzing binaries, executables, and libraries for open source components—especially beyond trusting manifests—is equally important. It must include
  - A method to inspect a binary container image for open source components beyond what is disclosed in manifests, such as a Dockerfile
  - Analysis of applications and containers to discover security concerns including known and unknown vulnerabilities
- Malicious code detection. Are you confident that your system is free of malicious code? Malicious code can remain dormant for months or even years until it is activated. This type of code can hide beneath the surface of your software and is usually extremely hard to detect with traditional scanning tools. Security experts utilize a combination of intensive manual scanning and automated detection to find suspicious constructs in production binaries, configurations, and data. Experts also provide advice on appropriate methods of malicious code management and vulnerability remediation strategies.
- Cloud and container security. BSIMM12 showed a significant increase in new observations of activities related to securing the cloud and containers over the past two years. Research indicates that organizations are developing their own capabilities for managing cloud security and evaluating their shared responsibility models. The steps you can take to secure your infrastructure include
  - Define your cloud/container strategy and build a roadmap. Determine what strategies, capabilities, and activities your company should use to support an efficient cloud security program. This entails gaining visibility into your current cloud adoption state and defining an achievable future state by utilizing a proven cloud security reference architecture and maturity assessment framework.
  - Conduct an architecture risk assessment to examine your potential attack surface, determine where security controls are insufficient, and get recommendations from experts on how to improve them. A risk assessment also identifies technical risks that can lead to business risks, prioritizes the risks based on their likelihood of occurrence, and prescribes mitigation tasks.
  - Ensure a secure cloud migration with assessments both before and after the migration. This includes building and deploying cloud applications using secure reference implementations with baseline security controls, and also performing static application security testing, software composition analysis, and dynamic analysis.
  - Secure your containers. Identify and mitigate cloud container risks with a thorough vulnerability assessment, penetration testing, architectural risk/threat models, and DevSecOps considerations.
  - Optimize and manage the cloud. This entails performing regular cloud security posture management health checks for configurations, policies, controls, and integrations. It also includes remediating, investigating, and responding to alerts and incidents as necessary.
  - Prioritize and implement actions to improve threat posture and address gaps.
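The SCA points above (discovering open source beyond declared dependencies, inspecting an image beyond its manifest, and enforcing governance against a stated risk tolerance) as one added example, not code from the original page or from Black Duck: a minimal fingerprint-based inventory over a constructed image layer, compared with a constructed manifest and checked against a constructed policy and advisory feed.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for a container image layer: path -> file bytes. One file is
# first-party code; three are open source components, only one of which is declared.
SAMPLE_FILES = {
    "/app/node_modules/lodash/lodash.js": b"constructed: lodash 4.17.20 body",
    "/usr/lib/libz.so.1.2.11": b"constructed: zlib 1.2.11 body",
    "/app/vendor/left-pad.js": b"constructed: left-pad 1.3.0 body",
    "/app/server.js": b"constructed: first-party code",
}
# Constructed fingerprint knowledge base: file hash -> (component, version, license).
# Real SCA tools carry a large curated database; these hashes come from the bytes above.
KNOWN = {
    sha256(b"constructed: lodash 4.17.20 body"): ("lodash", "4.17.20", "MIT"),
    sha256(b"constructed: zlib 1.2.11 body"): ("zlib", "1.2.11", "Zlib"),
    sha256(b"constructed: left-pad 1.3.0 body"): ("left-pad", "1.3.0", "WTFPL"),
}
# Constructed: what the manifest (package.json, Dockerfile) discloses. A manifest-only
# scan stops here and never sees the system library or the vendored copy.
DECLARED = {"lodash": "4.17.20"}
# Constructed vulnerability feed and a governance policy expressing the risk tolerance.
VULNS = {("lodash", "4.17.20"): ["CONSTRUCTED-ADVISORY-1 (high severity)"]}
POLICY = {"deny_licenses": {"WTFPL"}, "block_on_vuln": True}

def inventory(files):
    """Fingerprint every file and return {component: {version, license, path}}."""
    found = {}
    for path, data in files.items():
        hit = KNOWN.get(sha256(data))
        if hit:
            name, version, license_ = hit
            found[name] = {"version": version, "license": license_, "path": path}
    return found

def undeclared(found, declared):
    """Components present in the image but absent from the declared manifest."""
    return sorted(name for name in found if name not in declared)

def policy_violations(found, policy):
    """Apply the governance policy to the full inventory, not just the declared part."""
    out = []
    for name, info in found.items():
        if info["license"] in policy["deny_licenses"]:
            out.append(f"{name}@{info['version']}: license {info['license']} denied")
        if policy["block_on_vuln"]:
            for adv in VULNS.get((name, info["version"]), []):
                out.append(f"{name}@{info['version']}: {adv}")
    return out
```

Running `policy_violations(inventory(SAMPLE_FILES), POLICY)` flags both the declared lodash advisory and the undeclared left-pad license, which a manifest-only check would never reach.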
Supply chain security is really the ultimate test for your SDLC. You simply cannot build security into your supply chain with a weak SDLC. Without a secure SDLC, your SBOM and the data that accompanies it will expose to your customers the vulnerabilities, bugs, and flaws in your code and software system design. The executive order and other supply chain security mandates can be the spark that ignites DevSecOps activities and propels you to embrace a security culture that permeates your SDLC and entire supply chain.
Finding the right people with the required expertise and experience in implementing the right solution, and setting, managing, and enforcing the appropriate risk management policies can be a daunting task, especially with the security resources shortage we are currently facing. Synopsys offers Black Duck®, a market-leading SCA solution, as well as hundreds of security services consultants with decades of experience in supply chain security.