How to Ensure Your Software Supply Chain Is Secure for Business Innovation

Written by prakashs | Published 2022/10/31
Tech Story Tags: devops | devops-security | cybersecurity | cyber-security | cybersecurity-tips | cybersecurity-awareness | devops-infrastructure | code-security

TL;DR: More than half of C-level executives do not know how to troubleshoot a ransomware attack or who to turn to for help. Security is needed at every step in the software supply chain. Clean code – code that is secure, easy to understand, and easy to change – must be established from the beginning. The Kaseya ransomware attack put more than 40,000 organizations at risk of an exploit because they used vulnerable versions of Kaseya’s VSA software. The more third-party organizations that an enterprise relies on, the more ‘links’ there are in the software supply chain.

When reflecting on the history of software, it’s mind-boggling how far the IT industry has come from the early days of waterfall development practices and monolithic, clunky applications. This evolution of software has filtered into business models as most industries have embarked on a journey of digital transformation. As the world becomes more software-oriented, businesses are building and deploying new applications to keep pace with customer demands and an evolving threat landscape.

Cyber-attacks are industry-agnostic, and while increased reliance on technology brings opportunities, it also provides more pathways for criminals to attack a business. While companies work to continuously improve their offerings for their customers, they must also ensure they remain secure throughout every stage of that process, from development to delivery to production. Without a secure software supply chain, business innovation will stall before it ever gets on the road.

A Vulnerable Chain

When surveyed in 2021, 95% of respondents felt very confident about the security of their software supply chain, yet more than half (58%) of C-level executives did not know how to troubleshoot a ransomware attack or who to turn to for help. This calls into question whether C-level executives truly understand the potential pitfalls if they do not know how to fix an issue should one arise.

Leaders who believe their software supply chain is completely secure need to reevaluate their position, as there are many potential security gaps that could lead to significant business disruption. You don’t need to look very far into the past to see the devastation a ransomware attack can cause. The Kaseya ransomware attack put more than 40,000 organizations at risk of an exploit because they used vulnerable versions of Kaseya’s VSA software.

Thinking about a secure software supply chain within an organizational framework can be overwhelming. Most businesses work with multiple suppliers and the more third-party organizations that an enterprise relies on, the more ‘links’ there are in the business’ software supply chain.

A longer chain naturally creates more potential points of failure or vulnerability for attackers to exploit. To ensure that an enterprise software supply chain is as secure as possible, security is needed at every step in the chain. This means being secure from the design and writing of code through delivery and into production.

Secure in Development

When discussing security best practices, many experts stress the importance of security hygiene. This includes the basics like password security, employee training, and threat detection.

Similarly, clean code is the foundation of development efficiency, release velocity, and overall application security. Clean code – code that is secure, easy to understand, and easy to change – must be established from the beginning.

The alternative can lead to many downstream problems, especially when issues are discovered after code has been released into production. It is critical that developers understand the importance of preventative security measures and embed these measures as they write code.

This is often referred to as ‘shifting left’, but putting a majority of the burden for ensuring software security on developers is not a viable, long-term solution. In the software supply chain, it only takes one weak link to compromise the strength of the whole, and often enough that weakness is not visible to the engineering teams.

We need to provide and implement a DevOps ecosystem that ensures the security of the software supply chain and asks developers to only fix the issues that exist within their code. Such an approach is imperative to maintain developer productivity.

Secure in Delivery

Being secure in delivery requires monitoring for everything that may go wrong during the delivery process apart from the code itself, and this is where automation is key. Automation is a fundamental step in ensuring that the entire software supply chain is secure; it can eliminate human errors and identify steps that may have been missed. Even if code is highly robust, without a secure delivery pipeline it remains vulnerable to human mistakes or malicious actors.

Alongside automation, organizations should set up access and privilege controls for the code and the pipeline itself. Ensuring that the right people have the right access to systems is paramount when maintaining security.

Above all, a company’s code and pipeline are only as secure as its security measures, and by implementing security at every step of the journey – from development to delivery to production – companies can build a sturdy and secure supply chain. Not only are legacy brick-and-mortar industries turning to software-first strategies, but for many businesses software is now second nature.

There isn’t an industry today that can afford to fall victim to a security breach, especially one which could be prevented by a holistic, end-to-end software approach. To secure future innovation, businesses need to familiarise themselves with the potential weaknesses in their software supply chain and work to fix them quickly, or they risk being the next company to fall victim to attack.

Secure in Production

Once code is deployed, it’s not a case of “out of sight, out of mind.” Releases happen so frequently and quickly that, even once code is deployed, it is essential to keep track of it. It is just as important to ensure that IT teams are able to respond quickly as soon as a security issue emerges.

When detecting and fixing problems, there are two key industry metrics to consider – mean time to detect (MTTD), the time it takes to spot an issue after the software is released, and mean time to repair (MTTR), the time it takes to fix a problem once it has been detected.
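As an added illustration that is not part of the original article, here are the two metrics computed from a constructed set of incident records using the definitions above: MTTD measured from release to detection, MTTR from detection to the shipped fix. The `Incident` structure and the sample timestamps are assumptions; an incident that is still open counts toward MTTD but is left out of MTTR rather than counted as zero.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional

@dataclass
class Incident:
    """One security issue found in a released build (assumed structure)."""
    released_at: datetime            # when the affected build reached production
    detected_at: datetime            # when the issue was spotted
    repaired_at: Optional[datetime]  # when the fix shipped; None while still open

def mttd_hours(incidents: List[Incident]) -> float:
    """Mean time to detect: average of (detected_at - released_at) over all incidents."""
    gaps = []
    for inc in incidents:
        if inc.detected_at < inc.released_at:
            raise ValueError("detection cannot precede release")
        gaps.append((inc.detected_at - inc.released_at) / timedelta(hours=1))
    if not gaps:
        raise ValueError("no incidents to average")
    return mean(gaps)

def mttr_hours(incidents: List[Incident]) -> float:
    """Mean time to repair: average of (repaired_at - detected_at) over repaired incidents.
    Open incidents are skipped; treating them as zero would flatter the metric."""
    gaps = [(inc.repaired_at - inc.detected_at) / timedelta(hours=1)
            for inc in incidents if inc.repaired_at is not None]
    if not gaps:
        raise ValueError("no repaired incidents to average")
    return mean(gaps)

# Constructed sample: three incidents, the last one still open.
SAMPLE = [
    Incident(datetime(2022, 10, 1), datetime(2022, 10, 2), datetime(2022, 10, 2, 6)),
    Incident(datetime(2022, 10, 5), datetime(2022, 10, 5, 12), datetime(2022, 10, 6)),
    Incident(datetime(2022, 10, 10), datetime(2022, 10, 11, 12), None),
]

if __name__ == "__main__":
    print(f"MTTD: {mttd_hours(SAMPLE):.1f} h")   # 24.0 h
    print(f"MTTR: {mttr_hours(SAMPLE):.1f} h")   # 9.0 h
```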

From the moment a serious vulnerability appears, there is an automatic countdown that starts between detection and remediation, and the actions security teams take during this time directly affect the outcome. While speed is of the essence, so is precision. This is where new, quick-response techniques come into play, like automated rollbacks and feature flagging, ensuring teams can remediate the problem efficiently and effectively.

An optimal security strategy should also include a continuous compliance system that works in tandem with a good mitigation system. The best such system acts as a feedback loop connecting the enterprise’s entire supply chain to the coding system, and goes beyond simply detecting violations of security and compliance rules: it triggers mitigation and provides clear, specific instructions on how to fix the issues at hand.


Written by prakashs | CISO at CloudBees
Published by HackerNoon on 2022/10/31