Mar 16 · 4 min read
The SolarWinds breach was a wake up call for all organizations operating in the cloud-native world. Supply chain attacks are more complex and can impact many more machines and users than cyberattacks. For this reason, organizations should prioritize their software supply chain security.
The software supply chain is made up of third party tools, vendors, partners, and your own proprietary tools and data. There are numerous components, people, organizations, and technologies from start to end. This means there are many ways things can go wrong, and security needs to be multi-pronged.
The need to move to Kubernetes is not because it is the cloud technology in vogue today. With organizations today competing in a mobile-first world that is made up of digital experiences, older platforms are unable to keep pace with the demands of today’s consumers. What Kubernetes brings to the table is the ability to manage infrastructure in a scalable, automated, and distributed manner. When it comes to security, Kubernetes includes a secrets management service that makes it possible to separate the application from its secret information like passwords and tokens.
There is an entire ecosystem springing up around Kubernetes. This ecosystem is governed by the CNCF (Cloud-native Computing Foundation). The Foundation enjoys support from every major and minor cloud vendor.
Along with Kubernetes, CNCF also oversees the development of many other open source projects. Some examples of CNCF security projects are:
These tools are a sign of the importance of security in the Kubernetes ecosystem, and they are ideal for organizations looking to secure their software supply chain.
Open source tooling has permeated the technology stack today. However, community built code bases are prone to vulnerabilities. No doubt, the vulnerabilities get fixed quickly by the community, but there are always new attacks. It is essential to apply security patches for open source tools as soon as they are available. It’s important to manage dependencies in open source, and to keep track of the various dependencies, especially in large scale projects.
The State of Open Source Security 2020 survey showed that the average time to fix vulnerabilities in an open source is 68 days. This is a big open window for an attack and needs to be reduced. Tracking and bringing down the mean time to remediation is important for open source security.
DevOps teams are in a constant push for greater automation. However, automation can result in a domino effect of security vulnerabilities that spread through the CI/CD pipeline quickly.
Having security policies that are not just on paper, but can be applied to every step of the CI/CD pipeline is effective. For example, a policy that allows only known team members to commit to a repository, or only verified container images to be downloaded via an approved container registry. As an extension, only builds that pass these security checks can be automatically deployed. If any policy is violated it needs to trigger an alert.
Additionally, security tests and smoke tests can be executed much earlier in the CI/CD cycle. This way developers get immediate feedback on the quality of code they produce. This enables them to fix issues before they are compounded in production. Modern testing approaches like headless testing are effective at achieving these goals.
There are security tools that excel at a single type of security. For example, Project Calico excels at policy-based network security in the form of micro-firewalls that protect every service in the system.
Many such security tools would be leveraged for different purposes to secure hardware, endpoints, secret information, identity and access and more. While all these tools excel at a specific purpose, you also need a way to gain a single pane of glass view that brings together information from these various tools and delivers them in the right context. This type of correlation between different security events and data is crucial to security operations.
There are many aspects to consider when securing a software supply chain. By starting with the infrastructure architecture choices, embracing open source, taking a risk-based approach to security, and being able to go wide and deep with security monitoring, teams can meet the high demands of modern cloud-native apps while keeping them secure.
What is GitLab GitLab is a free open-source service designed to manage and share code in a distributed version control…
The SolarWinds Attack Was the Industry’s Wakeup Call The new wave of software supply chain attacks that targeted SolarWinds, Codecov,…
Hardly a week goes by these days without hearing about a new supply chain attack. A recent headline featured yet…