A software supply chain is like a list of ingredients in a healthy dark chocolate bar.
Although the advertising says it’s perfectly healthy, only the ingredients will tell the full story. So, you’ve got to ask questions. Are the ingredients good for consumers? How is it manufactured? Are there some parts in the production process where its quality can be affected?
The same applies to software. Just like with healthy chocolate bars, there are places in the software supply chain that might affect the quality of the final product. If it happens, the product might end up having glitches, defects, and security vulnerabilities.
To ensure that software is free of defects and flaws, development companies are starting to use DevSecOps practices. In this post, we give a brief overview of how those practices help release software without known vulnerabilities.
Why DevSecOps for Software Supply Chain?
DevSecOps - short for development, security, and operations - is a strategy of applying security practices at each phase of software development. DevSecOps is different from the traditional IT security strategies because it introduces security earlier in the app’s lifecycle and uses advanced engineering practices.
“But software delivery models integrate security practices already... Why do we need to add DevSecOps?”
The technology for checking the software supply chain isn’t always capable of fast and reliable testing (at least according to Agile or DevOps standards). That’s why there has been a rise in attacks on software supply chains.
Here are the figures (source: the 2020 State of the Software Supply Chain Report):
- Attacks on open-source software supply chains increased by 430% in 2020 (929 in 2020 compared to 216 during the same period in 2019)
- 51% of companies need more than a week to fix zero-day software vulnerabilities
- 47% of companies found out about open-source supply chain vulnerabilities after a week
- 11% of open-source application components have at least one known security vulnerability (on average, it’s 38 vulnerabilities).
Attackers know that companies use open-source components and third-party libraries to shorten the development cycle, so they try to inject malicious code into that third-party code. Once the component is downloaded and integrated, it compromises the security of the entire project.
DevSecOps can help to minimize this risk and help detect these vulnerabilities before they turn into major problems.
How to Secure a Software Supply Chain with DevSecOps
Here are the most important DevSecOps practices to prevent and remove software security vulnerabilities.
1. Plan Security Checks Early
Traditionally, planning security specifications is the main focus at the very beginning of the software supply chain. According to DevSecOps, this stage should also include a thorough analysis of potential security issues.
Here are the most important security planning parts:
- Writing a documented cybersecurity strategy detailing security practices, tools, and activities involved
- Identifying a set of security acceptance criteria
- Developing a step-by-step security strategy against the top five most relevant risks affecting similar projects.
The result of these practices would be a set of open-source governance, standards, or policies to protect against the common risks. This document should be drafted, approved, and embedded into project processes when the development takes off.
Many software companies plan automation of security-related checks at this point. The 2020 DevSecOps Community Survey found that 47% of developers don’t have enough time to spend on security, so the best performers are 2.3 times more likely to plan and use automated tools.
2. Security Check Implementation
At this point, the project has taken off, so the DevSecOps team gets busy with security check-driven sourcing. The goal is to secure all processes from the beginning and ensure an opportunity to check everything at any point.
The easiest security targets get addressed first. They include open-source code, outdated systems, admin pages with passwords, security credentials, and web frameworks with potential security vulnerabilities.
The most important checks to take care of the baseline are:
- Systems and applications should be updated at the start of the project and constantly patched throughout
- Sensitive data like login credentials must be stored in a secure app like 1Password
- VPN is used to protect administration interfaces
- Malware checks on components to identify malicious code
- Compromised third-party or specialized code checks.
The range of supply chain checks will depend on the nature of the project, but these apply to most.
3. Security Considerations During Software Building and Testing
As the project unfolds and developers work on creating the software, the DevSecOps team gets busy with pursuing these goals:
- Using integrity controls to secure the CI/CD pipeline and every step of delivering code to production.
- Applying a test-driven security (TDS) strategy, where developers write tests first and then write the code that makes the tests pass. This helps clarify expectations and detect missing security controls before deployment.
- Running automated dependency checks and security tests at every stage of the supply chain.
- Ensuring infrastructure security with secure API gateways, VPNs, and admin panels; managing access privileges.
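As an added example (not code from the original post), here is how a pipeline integrity control and an automated dependency check from the list above might be implemented in Python: each third-party artifact is pinned to an exact version and a reviewed SHA-256 digest, and the build is blocked on a digest mismatch or a known-vulnerable version. The component name, versions, artifact bytes and advisory list are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Pin:
    """One entry of a dependency manifest: exact version plus reviewed digest."""
    name: str
    version: str
    sha256: str  # hex SHA-256 of the artifact the team reviewed and approved


# Constructed advisory feed (sample data): component -> versions with a known flaw.
KNOWN_VULNERABLE = {"leftpad": {"1.0.0"}}

# Constructed sample artifact standing in for a fetched third-party package.
REVIEWED_ARTIFACT = b"def leftpad(s, n, ch=' '):\n    return ch * (n - len(s)) + s\n"
# The same artifact with a line added after review, as a tampered download would be.
TAMPERED_ARTIFACT = REVIEWED_ARTIFACT + b"# line not present in the reviewed release\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# In a real pipeline this digest is recorded in the lockfile at review time.
PIN = Pin("leftpad", "1.0.1", sha256_hex(REVIEWED_ARTIFACT))


def check_artifact(pin: Pin, artifact: bytes) -> list[str]:
    """Return findings for one fetched artifact; an empty list means it is accepted."""
    findings = []
    actual = sha256_hex(artifact)
    if actual != pin.sha256:
        findings.append(f"{pin.name}@{pin.version}: digest mismatch "
                        f"(pinned {pin.sha256[:12]}..., got {actual[:12]}...)")
    if pin.version in KNOWN_VULNERABLE.get(pin.name, set()):
        findings.append(f"{pin.name}@{pin.version}: version has a known vulnerability")
    return findings


def gate_build(checks: list[tuple[Pin, bytes]]) -> tuple[bool, list[str]]:
    """Fail the build if any dependency fails the integrity or vulnerability check."""
    findings = [f for pin, artifact in checks for f in check_artifact(pin, artifact)]
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = gate_build([(PIN, REVIEWED_ARTIFACT), (PIN, TAMPERED_ARTIFACT)])
    print("build allowed" if ok else "build blocked:\n  " + "\n  ".join(findings))
```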
4. Security Considerations During Deployment
When the project arrives at the deployment stage, the DevSecOps team shifts to the “monitoring” mode. At this point, its main goals are:
- Automation of configuration management
- Monitoring of app user experience and performance indicators
- Preparation of an incident response plan in case of supply chain attacks.
These practices should ensure fast app deployment and delivery while maintaining the highest level of security policy compliance.
DevSecOps for Software Supply Chain: Summary
Launching a new software app is an exciting moment, and it shouldn’t be ruined by potential security vulnerabilities that went undetected.
To minimize the risk of any security issues, companies are increasingly using the DevSecOps practices we described in this article. They bring security people as close as possible to the DevOps team to combine their expertise.
Developing and maturing a DevSecOps strategy takes some time, but that’s an effective way to ensure the integrity of software products of all complexities. Ultimately, having such a strategy will minimize or eliminate any extra security measures after deployment.