The Software Supply Chain: New Threats Call for New Security Measures


The contemporary software supply chain is made up of the many components that go into its development: people, processes, dependencies, tools.

It goes far beyond application code — usually the primary focus of existing DevSecOps tools.

Thus, today's increasingly complex software supply chain requires a whole new approach to security. The dilemma, however, is that many organizations struggle not only to secure their software supply chains, but even to identify what those supply chains contain.

"The challenge of securing the software supply chain is significant and complex for virtually any organization," said Katie Norton, IDC's senior research analyst for devops and DevSecOps. "And, the many entry points into the software supply chain are a significant risk that has gone unaddressed in many organizations."

A new approach

To address this growing problem, Chainguard today announced Wolfi, a new community-based Linux (un)distro. It combines aspects of existing container base images with default security measures that will include Sigstore-powered software signatures, provenance, and software bills of materials (SBOMs).

The company is also announcing Chainguard Academy, the first free, open source and interactive educational platform designed for software supply chain security. Additionally, its Chainguard Enforce platform is now generally available.

"One of the biggest threats to securing the software supply chain is the way we build software today," said Dan Lorenc, founder and CEO of Chainguard. "The tools we use to build software weren't designed for the speed and scale of their use, resulting in a clunky architecture that's easy for bad actors to exploit or tamper with."

Governments around the world are asking questions and demanding guarantees on software. And while vendors — existing and new — are providing tools, they're failing to address the deeper problem: "The need for a fundamental change in the way software is built," Lorenc said.

But First: Identify the Software Supply Chain

The latest IBM 2022 Cost of a Data Breach report provided one of the first insights into supply chain security, revealing that almost a fifth of organizations suffered a breach due to a software supply chain compromise.

One of the biggest hurdles is simply recognizing and identifying all the different ways malicious actors can exploit the software supply chain, Norton said.

When people talk about "software supply chain security", they often think of exploiting vulnerabilities in open source software such as Log4Shell. But that's only part of the attack surface.

A few supply chain attack vectors identified by Norton include misconfigurations and hard-coded secrets in infrastructure as code (IaC), and misconfigurations in the CI/CD pipeline that can expose sensitive information or serve as an entry point for malicious activity. Another threat is the compromise of developer credentials, often due to poor governance or failure to adhere to the principle of least privilege.
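As an added illustration of the IaC and CI/CD vectors Norton describes (example code written for this page, not Chainguard's or IDC's tooling), here is a small line-based scanner run over constructed samples: a Terraform fragment with credentials hard-coded inline, a workflow that grants the job token every permission and echoes a secret into the build log, and a least-privilege version of that workflow that should produce no findings. The file names, samples and check names are all constructed.

```python
import re
# Constructed Terraform fragment (not from the article) with secrets hard-coded inline.
SAMPLE_TF = """\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAEXAMPLEEXAMPLE12"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
resource "aws_db_instance" "db" {
  username = "admin"
  password = "hunter2"
}
"""
# Constructed GitHub Actions-style workflow: over-broad token permissions and a secret echoed to the log.
SAMPLE_CI = """\
permissions: write-all
jobs:
  build:
    steps:
      - run: echo ${{ secrets.DEPLOY_TOKEN }}
"""
# Same workflow with least-privilege permissions and no secret written to the log.
CLEAN_CI = """\
permissions:
  contents: read
jobs:
  build:
    steps:
      - run: ./deploy.sh
"""
# (finding name, regex) pairs; each is applied to one line at a time.
CHECKS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded_credential", re.compile(r'(?i)\b(secret_key|password)\s*=\s*"[^"]+"')),
    ("secret_echoed_to_log", re.compile(r"\becho\b[^\n]*\$\{\{\s*secrets\.")),
    ("overbroad_token_permissions", re.compile(r"^\s*permissions:\s*write-all\s*$")),
]

def scan(text, source):
    # Return (source, line number, finding name) for every line that trips a check.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append((source, lineno, name))
    return findings

if __name__ == "__main__":
    for source, text in (("main.tf", SAMPLE_TF), ("ci.yml", SAMPLE_CI), ("clean.yml", CLEAN_CI)):
        for finding in scan(text, source):
            print("%s:%d: %s" % finding)
```

A real pipeline would run a check like this as a pre-merge gate and treat any finding as a build failure rather than a warning.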

Then there are hacking tools and techniques that are readily available on the web. "Advanced skills aren't necessary for someone to break your company's software supply chain," Norton said.

The good news is that with the increase in cases of exploits - and, with them, growing awareness - additional software...