Tips from a CSO: How to Secure Your Software Supply Chain
Trust is vital to success in our industry. Whether you’re creating and managing software for use internally, by other businesses, or direct-to-consumer, you need to be able to create trust with your end users. This can be accomplished, in part, by showing evidence of security measures, bringing the right people and tactics to the table, and working collaboratively to address challenges.
At JFrog we take security extremely seriously — it’s at the center of everything we do internally, as well as what we offer to our customers. Because software supply chain security is something I think about every single day, I thought it might be interesting and beneficial to share some of my thoughts with you. In this blog, I’ll dive into some common misconceptions around software supply chain security, outline a few tips and suggested action items for other CSOs or CISOs, and give you a peek into the security best practices we employ here at JFrog.
If you prefer video, you can also watch my webinar on these topics.
Misconceptions about software supply chain security
There are many misconceptions about the field, but the biggest one is the belief that security ends at the boundaries of the organization, and the assumption that all external dependencies are secure. In reality, security extends far beyond internal processes, infrastructure, and software.
Here are the biggest pitfalls I’ve seen in organizations that don’t practice adequate software supply chain security:
- Pitfall #1: Trusting the external dependencies (i.e. OSS libraries, 3rd parties, etc.) and ignoring patches and updates.
- Pitfall #2: Relying on limited visibility into software supply chain risks. You need to create and constantly update an accurate Software Bill of Materials (SBOM).
- Pitfall #3: Assuming that signed code is always secure. Code signing is extremely important and is used as a trust mechanism to verify software’s authenticity, but it doesn’t guarantee security.
You need more structure and better guardrails to secure the software supply chain. Here are a few considerations I recommend security leaders keep in mind as they continue to build and scale security practices within their organizations.
Consideration 1: Developers play a crucial role in organizational security and should take proactive measures
Developers aren’t only responsible for writing secure code, but also for understanding and mitigating potential security risks in the supply chain. They play a crucial role in ensuring the security of the supply chain and software applications, and their actions and decisions have a significant impact on product security.
Moreover, developers need to be proactive in addressing security issues, rather than waiting for problems to arise. To be proactive, developers should have a clear understanding of what constitutes secure coding practices and how to effectively address security concerns. For example, implement proper encryption and access control data handling practices to ensure sensitive information remains secure.
That said, we need to be sensitive to the fact that putting more security-related tasks on developers’ plates can lead to a sense of overwhelm or inefficiency among developer teams. To help ease this, the security team should act as a trusted expert for developers and be there to help focus efforts and resolve issues with as much accuracy and efficiency as possible.
Consideration 2: The importance of being proactive and adaptive in security practices
Security should be integrated into the SDLC from the very beginning. By taking security requirements into consideration from the beginning, you can avoid vulnerabilities before they have a chance to occur. It’s important to be proactive and address security issues rather than waiting for problems to arise. One way you can achieve this is to ensure developers stay up to date with emerging threats and security vulnerabilities.
We hear a lot about “shifting left” and while this is extremely important, it’s also an oversimplification of what it means to be proactive. You need to shift left, but you also need to shift right, and shift up. This means always challenging innovations with simulated attacks to find ways to prevent real ones in the future. By simulating attacks, you can better prepare your teams for real-world scenarios and also demonstrate how product security, application security, and incident response are all connected — as emphasized by the existence of Product Security Incident Response Teams (PSIRT).
Consideration 3: The role of AI in identifying and mitigating security risks
It’s also increasingly important to start integrating AI and machine learning tools into the software supply chain. As wary as some might feel about adopting these technologies, the truth is that they are positioned well to help accelerate certain processes in vulnerability resolution and remediation. Also consider that the more we use these types of tools, the more improvement we’ll see in that area as providers innovate to meet growing demand.
For example, AI technologies can help in prioritizing vulnerabilities and improving efficiency in handling security incidents. Not every vulnerability is applicable, and engineers notoriously waste precious working hours focused on the wrong things, when they could be doing value-added activities instead. The next generation of runtime security could be a game-changer, reducing the workload of developers by providing clear verdicts on whether a system is affected by a vulnerability or not. The ability to prioritize remediation efforts using AI is something that can significantly improve both engineering resources and employee experience.
Security best practices we use at JFrog
We, JFrog CSO office, consider ourselves “customer zero” because we use our own products internally and are the first to interact with new features. Here are a few best practices we employ as part of our “security-first” approach to product development:
- Have a centralized binary repository. If you manage all your binaries in a central place, you have full visibility and control. From there, security is the easy part.
- Create and maintain SBOMs. You can’t secure your software supply chain if you don’t have clear and accurate visibility into your dependencies.
- Automate security testing from beginning to end. Adopt security tools such as SAST and DAST that can help expedite the discovery and remediation of vulnerabilities in every stage of the SDLC, from code review, to your CI/CD pipeline, to runtime.
- Perform Software Composition Analysis (SCA). At JFrog, we use Xray from the beginning, along with contextual analysis to help R&D to prioritize and address the vulnerabilities that actually need taking care of.
- Sign and verify packages and pipelines. Implementing image signing helps ensure that only validated and authorized container images are deployed to production, and is vital to deploying containers securely and at scale.
- Establish access control and keep privilege limited. Because the human factor is the most impactful attack surface within organizations, it’s key to grant access only as needed.
- Be proactive by simulating attacks. Establish threat monitoring and incident response programs to challenge the software supply chain and prepare for threats before they manifest.
Final Thoughts
The software supply chain is becoming a critical area of cyber security, with a need for increased collaboration, regulation, and the integration of AI and machine learning tools. The growing complexity of software supply chains presents significant security challenges, making it extremely important to have standards and guidelines to ensure the security of the software supply chain.
If I can leave you with one takeaway, it’s that security is a shared responsibility within an organization. Your security framework will soon become the way potential users or partners evaluate you to make sure that it’s safe to do business with you. And if it drives business, it’s everybody’s business.
Everyone within an organization, from top management to employees at all levels, should be involved in adopting security. As such, it’s important to promote and reinforce security best practices throughout your entire organization to empower everyone, from your CEO to your newest intern, to be a champion for security.