{"id":5116,"date":"2024-09-03T09:00:00","date_gmt":"2024-09-03T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/improved-software-supply-chain-resilience-equals-increased-security"},"modified":"2024-09-03T09:00:00","modified_gmt":"2024-09-03T14:00:00","slug":"improved-software-supply-chain-resilience-equals-increased-security","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/03\/improved-software-supply-chain-resilience-equals-increased-security\/","title":{"rendered":"Improved Software Supply Chain Resilience Equals Increased Security"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

From the <\/span>attempted backdoor in XZ Utils<\/a><\/span> to the takeover and subsequent malware distribution in the <\/span>Polyfill JS project<\/a><\/span>, software supply chain attacks are challenging the DevSecOps community and can surprise even the most seasoned professionals. These incidents have underscored the inevitability of such threats and their potential for disastrous consequences. <\/span><\/p>\n

Organizations must bolster their resilience by emphasizing three critical components within their software build environments: visibility, governance, and continuous deployment. By focusing on these areas, organizations can enhance their defenses and reduce the time it takes to recover from the next cyberattack. <\/span><\/p>\n

Visibility: Establishing State in Dynamic Systems<\/h2>\n

What a security practitioner can know about the software systems they defend is finite and temporary. The information that informs operations are snapshots of highly dynamic and complex computing systems, while the snapshots of security controls serve as a point-in-time reference to the state of security. Artificial intelligence is changing some security controls to be more dynamic and adaptable, but the vast majority of security boundaries today are static or heuristic-based. <\/span><\/p>\n

Conversely, the number of unknowns in large-scale computing environments is almost unlimited at any given moment. Code is updated hundreds to thousands of times daily, infrastructure changes can erase previously defined security boundaries, and upstream dependencies can have massive security implications. <\/span><\/p>\n

To prepare for the next exploit, security professionals must have a real-time understanding of their environments and decrease the number of unknowns. For example, using a software bill of materials (SBOM) is crucial for commercial and open source software (OSS) alike, as it provides a comprehensive inventory of components used in software and enables rapid identification of vulnerable components when new threats emerge. Inventories should serve as the canonical source for any asset, supporting indexing, extensible APIs, and queryable interfaces to maximize their utility and value.<\/span><\/p>\n

Understanding the age of an organization’s software can also help inform security approaches. Older services are subject to more third-party attacks or vulnerabilities because they aren’t deployed as often or maintained as frequently. On the other hand, new software is more prone to “first-party” issues such as business logic flaws or, less commonly, entirely new attack classes. Combining new and old software can introduce risk with the assumptions of security boundaries that have been redefined or are no longer effective. <\/span><\/p>\n

Governance: Managing Software Supply Chains<\/h2>\n

Understanding an organization’s software systems is not enough. Good governance \u2014 the framework of policies, processes, and controls ensuring secure practices, with oversight from leadership \u2014 is essential for consistent maintenance of security measures and accountability throughout the software life cycle.<\/span><\/p>\n

There are several considerations for <\/span>building secure-by-design software<\/a><\/span>: <\/span><\/p>\n

\n