Google released its attempt at providing a framework for Software Supply Chain Attacks. A Software Supply Chain Attack is when third-party software is compromised, or maliciously introduced into a dependency, which downstream applications will then leverage. For example, instead of attacking an internet-facing application directly, it may be easier to compromise or leverage an already compromised dependency. Applications and their developers have a tendency to assume trust over known or familiar dependencies. It is like locking the front door of your home, closing the blinds, but allowing the cleaners to come and go through the back door every other Wednesday. Instead of banging on your front door, adversaries will simply compromise the cleaners or the supplies that they use.
Here is an extract from the linked article that highlights major attack vectors of supply chain attacks provided by Google:
This is a solid attempt to provide a phased solution to this growing problem in cybersecurity, but this can be misinterpreted as a pragmatic solution for your organization. This model, for one, requires an above par competency for software delivery AND software development AND software security. Secondly, the traditional controls for secure application development do not necessarily scale to handling modern delivery of infrastructure-as-code (IaC), which should follow a similar delivery lifecycle. Both are very important in modern cloud delivery within agile shops. Lastly, the model above does not care to consider the disparities of the environments involved in the delivery lifecycle. Some environments are more favorable for scalable security controls than others (e.g. standardizing dev machine builds with various IDEs for various languages is already a pain, throwing a security control on top of that is not very pragmatic).
In our experience, knifing the delivery process at the most automated phase is a realistic solution for most organizations. Failing an automated build due to security findings is more digestible than not allowing a dev commit or auto-terminating cloud workloads. It is generally easier to plug into the CI/CD process via a phased approach, leverage build failures as teachable moments for pre-build processes and people, and then hyper-hardening the delivery process post-build. A scalable detective control in live environments will assist with monitoring anomalies, zero-days, or newly detected vulnerabilities or misconfigurations.
In summary, we suspect that we will begin to see an increase in “all-inclusive” software and supply chain-focused security solutions for modern delivery environments in the upcoming years. It is a vacant niche that can pave the route for successful digital transformations and multi-cloud utilizations. A few vendors are already headed in this direction, but current “Shift Left” capabilities are treated as supplemental at best.
The key to effectively leverage these solutions without breaking the bank is to:
· Hyper-focus on the scalable and pragmatic integrations (CI/CD)
· Leverage an educational feedback loop for pre-build processes after build policy failures
· Harden post-build processes
· Deploy IaC integrated controls for consistency, compliance, and monitoring of operational environments
How can Rapid Strategy help?
Rapid Strategy aims to partner with you on your journey to provide fast and effective risk reduction strategies and controls in your environment. Rapid Strategy can quickly assess the state of your organization and provide you with strategic and targeted risk-based solutions. Contact us to accelerate your cybersecurity.