How secure is your Software Supply Chain?

Eilon Elhadad
Mar 16 · 4 min read
secure software supply chain

The SolarWinds breach was a wake up call for all organizations operating in the cloud-native world. Supply chain attacks are more complex and can impact many more machines and users than cyberattacks. For this reason, organizations should prioritize their software supply chain security

The software supply chain is made up of third party tools, vendors, partners, and your own proprietary tools and data. There are numerous components, people, organizations, and technologies from start to end. This means there are many ways things can go wrong, and security needs to be multi-pronged.

Have you made the move to Kubernetes?

The need to move to Kubernetes is not because it is the cloud technology in vogue today. With organizations today competing in a mobile-first world that is made up of digital experiences, older platforms are unable to keep pace with the demands of today’s consumers. What Kubernetes brings to the table is the ability to manage infrastructure in a scalable, automated, and distributed manner. When it comes to security, Kubernetes includes a secrets management service that makes it possible to separate the application from its secret information like passwords and tokens. 

Do you use CNCFsecurity projects?

There is an entire ecosystem springing up around Kubernetes. This ecosystem is governed by the CNCF (Cloud-native Computing Foundation). The Foundation enjoys support from every major and minor cloud vendor. 

Source: CNCF

Along with Kubernetes, CNCF also oversees the development of many other open source projects. Some examples of CNCF security projects are:

  • SPIFFE & SPIRE: Defines who has access to what. Previously this was done via IP addresses, but SPIFFEE does this at the workload/process level. It is used to securely authenticate services in a distributed system. SPIRE is an implementation of SPIFFE.
  • TUF and Notary: TUF is a framework for securing software updates. Notary is an implementation of TUF that handles signatures and keys for every software update.
  • In-toto: This tool allows you to design each step of the software delivery pipeline. It then allows you to monitor who performed which action at each step of the pipeline. 
  • Falco: This is a rules engine that lets you configure and define various security rules that govern your system. It then alerts you whenever these rules are violated.

These tools are a sign of the importance of security in the Kubernetes ecosystem, and they are ideal for organizations looking to secure their software supply chain.

How secure are your open source tools?

Open source tooling has permeated the technology stack today. However, community built code bases are prone to vulnerabilities. No doubt, the vulnerabilities get fixed quickly by the community, but there are always new attacks. It is essential to apply security patches for open source tools as soon as they are available. It’s important to manage dependencies in open source, and to keep track of the various dependencies, especially in large scale projects. 

The State of Open Source Security 2020 survey showed that the average time to fix vulnerabilities in an open source is 68 days. This is a big open window for an attack and needs to be reduced. Tracking and bringing down the mean time to remediation is important for open source security.

Does automation hurt or help you?

DevOps teams are in a constant push for greater automation. However, automation can result in a domino effect of security vulnerabilities that spread through the CI/CD pipeline quickly. 

Having security policies that are not just on paper, but can be applied to every step of the CI/CD pipeline is effective. For example, a policy that allows only known team members to commit to a repository, or only verified container images to be downloaded via an approved container registry. As an extension, only builds that pass these security checks can be automatically deployed. If any policy is violated it needs to trigger an alert. 

Additionally, security tests and smoke tests can be executed much earlier in the CI/CD cycle. This way developers get immediate feedback on the quality of code they produce. This enables them to fix issues before they are compounded in production. Modern testing approaches like headless testing are effective at achieving these goals. 

Can you go wide and deep?

There are security tools that excel at a single type of security. For example, Project Calico excels at policy-based network security in the form of micro-firewalls that protect every service in the system. 

Source: Calico

Many such security tools would be leveraged for different purposes to secure hardware, endpoints, secret information, identity and access and more. While all these tools excel at a specific purpose, you also need a way to gain a single pane of glass view that brings together information from these various tools and delivers them in the right context. This type of correlation between different security events and data is crucial to security operations. 

There are many aspects to consider when securing a software supply chain. By starting with the infrastructure architecture choices, embracing open source, taking a risk-based approach to security, and being able to go wide and deep with security monitoring, teams can meet the high demands of modern cloud-native apps while keeping them secure.

Eilon Elhadad
Mar 16 · 4 min read

Related Articles

Securing your GitLab: Best Practices To Implement

What is GitLab GitLab is a free open-source service designed to manage and share code in a distributed version control…

Eylam Milner
Jul 14 · 4 min read

President Biden’s Executive Order Demands Cybersecurity for Software...

The SolarWinds Attack Was the Industry’s Wakeup Call The new wave of software supply chain attacks that targeted SolarWinds, Codecov,…

Eran Orzel
Jun 23 · 5 min read

The importance of having visibility over your pipeline’s plugins...

Hardly a week goes by these days without hearing about a new supply chain attack. A recent headline featured yet…

Eilon Elhadad
Jun 21 · 4 min read

End-to-End CI/CD Security Platform

open source vulnerability scanner