How to secure your software supply chain with DevSecOps
Vulnerabilities in software code come in many guises, and a new white paper from Sogeti and Microsoft argues that it would be wrong to focus your security efforts just on proprietary code.
The paper ‘6 tips to integrate security into your DevOps practices’ argues that increasingly rigorous regulatory regimes demand both policies and an automated approach to adhering to them. In a series of blog posts, we’re giving you a flavor of all 6 tips, including Tip 6: Secure and visualize your supply chain.
Securing a complex supply chain
The Sogeti and Microsoft paper makes a compelling case for integrating security into DevOps practices to create DevSecOps. This is needed to ensure the security and compliance of modern code, workflows, and infrastructure. In Tip 6 we focus on security within the software supply chain.
First, why is this an issue? The majority of IT systems today use open-source and third-party platforms, frameworks, and components. These dependencies in turn rely on other dependencies, creating a deep and potentially vulnerable supply chain: a component you never chose explicitly runs with the same privileges as your own code in your build and at runtime. Unless you understand a system’s full dependency tree, including the transitive dependencies several levels down, you leave a pathway open for malicious actors to attack your systems.
A chain of custody
To begin with, you need to gain a clear picture of each software component’s update history, including its releases, the quality checks completed, versions, and documentation. This helps establish something akin to a chain of custody for your code, components, and their dependencies.
In ‘6 tips to integrate security into your DevOps practices’ we recommend that DevSecOps teams start with two key steps:
- Act on insights gathered by dependency tree visualization
- Build transparency with a software bill of material
Act on insights
Once you have visualized your dependencies, you need to manage them – in other words, use a tool like GitHub’s Dependabot to notify your team when it finds a known vulnerability in a dependency or when a newer version of that dependency becomes available. Dependabot also aids remediation by opening pull requests that bump the affected dependency to a fixed version, so the change is ready for review rather than left for someone to prepare by hand. Acting on these insights should be enforced by policy, for example one that governs how a team takes on new dependencies, how quickly it applies updates, and how it looks for possible vulnerabilities.
Why is transparency important? Our report states that it brings trust to systems. Teams that are intimately familiar with the software modules they rely on develop best practices for updates and understand the impact one module can have on their system and on the whole delivery lifecycle. One way to aid this is with a Software Bill of Materials (SBOM), which is akin to how a manufacturing bill of materials details a product’s construction. While there is a growing move across the security industry to standardize on a machine-readable SBOM (SPDX and CycloneDX are the two widely used formats), for the moment a good place to start is by keeping an updated list of components, their versions and update strategies, known vulnerabilities, and maintainers.
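To make the two points above concrete, here is an added example (not code from the white paper, from Sogeti or Microsoft, or from Dependabot) that walks a resolved dependency set the way a lockfile would describe it, finds every path through which each transitive component is pulled in, checks each pinned version against an advisory list, and emits a minimal SBOM-style inventory with the fields the paragraph recommends: component, version, maintainer, known vulnerabilities, and the chain that introduces it. All package names, versions, maintainers and advisory identifiers are constructed for illustration and do not refer to real projects or real CVEs.

```python
"""Constructed example: a dependency-tree walk plus a minimal SBOM-style
inventory. Every name, version, maintainer and advisory id below is made up
for illustration; none refers to a real package or a real CVE.
"""
from __future__ import annotations

from typing import Dict, List

# Constructed stand-in for a resolved lockfile: each pinned component,
# its maintainer, and the components it in turn requires.
RESOLVED: Dict[str, dict] = {
    "webapp-framework": {"version": "4.2.0", "maintainer": "framework-team",
                         "requires": ["http-parser", "template-engine"]},
    "http-parser":      {"version": "1.9.3", "maintainer": "parser-maint",
                         "requires": ["charset-utils"]},
    "template-engine":  {"version": "2.0.1", "maintainer": "tmpl-org",
                         "requires": ["charset-utils", "markup-sanitizer"]},
    "charset-utils":    {"version": "0.7.0", "maintainer": "solo-dev",
                         "requires": []},
    "markup-sanitizer": {"version": "3.1.4", "maintainer": "tmpl-org",
                         "requires": ["charset-utils"]},
    "db-client":        {"version": "5.0.0", "maintainer": "db-maint",
                         "requires": ["http-parser"]},
}

# What the application declares directly; everything else is transitive.
DIRECT: List[str] = ["webapp-framework", "db-client"]

# Constructed advisory feed: component -> advisories with the first fixed
# version. A pinned version below fixed_in is affected.
ADVISORIES: Dict[str, List[dict]] = {
    "charset-utils": [{"id": "EXAMPLE-0001", "fixed_in": "0.8.0"}],
    "http-parser":   [{"id": "EXAMPLE-0002", "fixed_in": "1.9.0"}],  # 1.9.3 is already fixed
}


def version_tuple(version: str) -> tuple:
    """Turn '1.9.3' into (1, 9, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def dependency_paths(resolved: Dict[str, dict], direct: List[str]) -> Dict[str, List[List[str]]]:
    """Map every reachable component to all root -> ... -> component paths.

    A node already on the current trail is not re-entered, so cyclic
    requirement graphs terminate. A component that is required but missing
    from the resolved set is an unpinned dependency and is reported as an error
    rather than silently skipped.
    """
    paths: Dict[str, List[List[str]]] = {}

    def walk(name: str, trail: List[str]) -> None:
        if name in trail:  # cycle guard
            return
        if name not in resolved:
            raise KeyError(f"{name} is required by {trail[-1]} but is not pinned in the resolved set")
        trail = trail + [name]
        paths.setdefault(name, []).append(trail)
        for child in resolved[name]["requires"]:
            walk(child, trail)

    for root in direct:
        walk(root, [])
    return paths


def affected(name: str, version: str, advisories: Dict[str, List[dict]]) -> List[str]:
    """Advisory ids that apply to this exact pinned version."""
    return [adv["id"] for adv in advisories.get(name, [])
            if version_tuple(version) < version_tuple(adv["fixed_in"])]


def build_sbom(resolved: Dict[str, dict], direct: List[str],
               advisories: Dict[str, List[dict]]) -> List[dict]:
    """One inventory entry per reachable component, sorted by name."""
    paths = dependency_paths(resolved, direct)
    sbom = []
    for name in sorted(paths):
        entry = resolved[name]
        sbom.append({
            "component": name,
            "version": entry["version"],
            "maintainer": entry["maintainer"],
            "direct": name in direct,
            "introduced_via": [" -> ".join(p) for p in paths[name]],
            "known_vulnerabilities": affected(name, entry["version"], advisories),
        })
    return sbom


def vulnerable_components(sbom: List[dict]) -> List[str]:
    """Names of components with at least one applicable advisory."""
    return [e["component"] for e in sbom if e["known_vulnerabilities"]]


if __name__ == "__main__":
    for e in build_sbom(RESOLVED, DIRECT, ADVISORIES):
        print(e)
```

Running it shows the point of the dependency tree: the only affected component, charset-utils, is not declared anywhere by the application, yet it reaches the build through four separate chains, two of them via the framework and one via the database client. Updating it means checking that every parent along each chain accepts the fixed version, which is exactly the information the introduced_via field preserves.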
Is your supply chain secure?
Whether the code you’ve sourced contains vulnerabilities itself or relies on other components that do, Tip 6 opens our eyes to the pressing need for heightened security management at every stage of the software supply chain.
Download the white paper ‘6 tips to integrate security into your DevOps practices’.