Information Week Brief – Top Tips for Defending Your Software Supply Chain

Experience has taught us all that every system everywhere is either under attack or at least could be. Software applications are one of the primary attack vectors for security breaches. Mitigating these risks requires software engineering teams to integrate security into the SDLC by adopting end-to-end developer-centric application security tools. Nearly all enterprises are working on improving their security posture and hardening it with automation to discover known and unknown problems.

But developers get impatient with security overhead. Anything that gets in the way of doing their jobs is a problem. You need real DevSecOps, which means automated security processes embedded into the DevOps pipeline at every step.

Software companies these days use a LOT of open-source software, as much as 90% in modern applications. This has made the software supply chain complex. Companies like SolarWinds that have had their own supply chains corrupted have ended up corrupting their customers and have faced severe costs financially, reputationally, and perhaps legally.

2021’s most famous and widespread software supply chain vulnerability was Log4Shell, a series of critical vulnerabilities in the extremely popular Apache Log4j logging service. But there have been many significant attacks since then:

They keep on coming, and they are successful because it is hard to defend against them. But you can make yourself a lot safer if you follow certain best practices.

 

Here are the 10 best measures you can take to protect your own development supply chain:

  1. Curate your open source packages before they enter your organization
  2. Implement a shift-left strategy
  3. Don’t just scan for known vulnerabilities
  4. Don’t just scan your own code
  5. Create a good SBOM
  6. Automate security to accelerate development
  7. Balance security with compliance
  8. Implement policies globally and by project
  9. Partner with strong application security vendors
  10. Choose a platform with a view towards the big and little pictures

Read more for details on how you can implement each of these steps.
