By Josh Lemos, GitLab CISO.
Understanding through visibility, managing through governance, and anticipating through continuous deployment will better prepare organisations for the next supply chain attack, writes GitLab CISO Josh Lemos.
Software supply chain attacks are challenging the DevSecOps community and can surprise even the most seasoned professionals. This is also combined with a lack of preparedness by Australian organisations. A report from PwC found that only one-third of Australian organisations have assessed the risk of attacks on the software supply chain. To combat supply chain risk, organisations must bolster their resilience by emphasising three critical components within their software build environments: visibility, governance, and continuous deployment. By focusing on these areas, organisations can enhance their defences and reduce the time it takes to recover from the next cyberattack.
Visibility: Establishing State in Dynamic Systems
What a security practitioner can know about the software systems they defend is finite and temporary. The information that informs operations are snapshots of highly dynamic and complex computing systems, while the snapshots of security controls serve as a point-in-time reference to the state of security. AI is changing some security controls to be more dynamic and adaptable, but most security boundaries today are static.
Conversely, the number of unknowns in large-scale computing environments is almost unlimited at any given moment. Code is updated hundreds to thousands of times daily, infrastructure changes can erase previously defined security boundaries, and upstream dependencies can have enormous security implications.
To prepare for the next exploit, security professionals must have a real-time understanding of their environments and decrease the number of unknowns. For example, using a software bill of materials (SBOM) is crucial for commercial and open-source software (OSS) alike, as it provides a comprehensive inventory of components used in software and enables rapid identification of vulnerable components when new threats emerge.
Understanding the age of an organisation’s software can also help inform security approaches. Older services are subject to more third-party attacks or vulnerabilities because they aren’t deployed as often or maintained as frequently, while new software is more prone to first-party issues such as business logic flaws or entirely new attack classes. Combining new and old software can introduce risk with the assumptions of security boundaries that have been redefined or are no longer effective.
Governance: Managing Software Supply Chains
Understanding an organisation’s software systems is not enough. Good governance, the framework of policies, processes, and controls ensuring secure practices, with oversight from leadership, is essential for consistent maintenance of security measures and accountability throughout the software life cycle.
There are several considerations for building secure-by-design software:
- Building reproducible software and maintaining per-service metrics for software security assurance;
- Performing checks to ensure security boundaries are functioning as expected;
- Utilising prebuilt infrastructure-as-code design patterns;
- Building SBOMs capable of being leveraged by security operations and vulnerability alerting teams and tooling;
- Automating security checks to ensure secure-by-default principles are adhered to;
- Integrating AI validation in the SDLC to improve efficiency, reduce errors, and provide deeper insights into the development process;
- Implementing policy-as-code to automate the management and enforcement of security policies across cloud services, applications, networks, and data, ensuring consistent and comprehensive security coverage; and
- Designing security boundaries that constrain failure domains by design.
Organisations might also consider establishing an open-source program office (OSPO) for greater OSS security. These teams manage OSS use, oversee security practices, foster relationships with the open-source community, stay up to date on the latest security and compliance developments, and monitor open-source component reliability and security.
Continuous Assessment: Anticipating the Unknowns
Continually testing and monitoring an environment is crucial to organisational resilience in the face of software supply chain security vulnerabilities. Continuous deployment, where code changes are automatically tested and deployed to production as soon as they pass automated tests, sometimes hundreds or thousands of times per day, goes beyond continuous integration and delivery by automating the entire deployment process to improve software quality and accelerate delivery. However, continuous deployment is only possible when visibility and governance components are in place.
Many developers hate writing tests, and test coverage is almost always lower than teams would like it to be. Comprehensive test coverage, including unit and integration tests, ensures that every part of an environment is checked for errors in isolation and when interacting with other components. This is an area where generative AI can greatly assist with automating or accelerating the boring work. This benefits engineering teams not just with velocity but by continuously attesting to the security and resilience of their software.
Automated security boundary checking likewise verifies that security perimeters are tight and well-maintained, acting as a first line of defence against potential breaches. Monitoring production environments is also key to catching discrepancies or unexpected behaviours that might indicate a security issue. Finally, continuous programmatic discovery is crucial for keeping inventories complete and consistent.
Building Resilience
The test of cyber resilience is an organisation’s ability to adapt and evolve its security posture to stay ahead of the next security threat. To prepare, security professionals must ensure their software ecosystem is well-instrumented for effective response and resilience, minimising the exposure window from identification to remediation.
By understanding through visibility, managing through governance, and anticipating through continuous deployment, organisations will be better prepared for the next supply chain attack.
