06/23/2022 | News release | Distributed by Public on 06/23/2022 12:47
The Open Source Security Foundation (OSSF) has recently published a number of guidelines for organizations concerned with attacks originating in their software supply chain.
The OSSF is a project of The Linux Foundation whose mission is "to inspire and enable the community to secure the open source software we all depend on." They recognize the growing threat that bad actors pose to the users of open source software generally (in other words, every developer on the planet), and security-conscious enterprises specifically. And they also recognize that the key difference compared to traditional open source vulnerability exploits is the scale: a single attack on a software vendor's supply chain can potentially impact hundreds or even thousands of their downstream customers.
The problem is essentially twofold:
The result is that both software vendors and their customers have been blindsided by a novel class of attacks originating in their software supply chain. But just because the threat is new doesn't mean there isn't a set of best practices you can follow to help keep your organization protected. This blog post discusses some of the top recommendations from the OSSF and from traditional industries that can help you mitigate emerging software supply chain threats.
The poster child of this new kind of supply chain attack is SolarWinds, whose build-system compromise was disclosed in December 2020. As a result, SolarWinds had distributed the attacker's malware inside signed updates of its Orion product to thousands of customers, including Fortune 100 enterprises and US government agencies. Because Orion, an IT infrastructure monitoring platform, runs with broad privileges and network access, end users had effectively no way to detect the tampering themselves.
Since then, a growing number of software vendors have also been targeted in similar ways. The difficulty lies in the breadth and depth of an ISV's supply chain, which stretches from the open source language dependencies they import in order to build their offerings through to the distribution channel for their end product.
Securing every step along the way is almost a fool's errand given the complex web of relationships that must be trusted or verified, starting from the very first imported open source language package, which can have multiple dependencies, each of which, in turn, may have multiple transitive dependencies, each of which may rely on OS-level dependencies, and so on down the rabbit hole. And of course, each imported open source component was built by multiple third-party developers, all of whom must also be trusted or verified.
Given this intertwined web of complexity, it's no wonder that the vast majority of organizations choose to acknowledge and accept the risk inherent in their supply chain rather than try to tackle it head on. But all is not hopeless. Traditional industries have long wrestled with their own supply chains and have much to teach software vendors. While the nuances of an automotive or food services supply chain differ greatly from that of software, some of the key best practices are widely applicable, including:
The software supply chain for most software vendors looks similar to:
Credit: security.googleblog.com
Potential threats exist at every point, but whether they apply to your organization's SDLC will be made clear only after performing an end-to-end threat model to identify key weaknesses. In general, however, the ingestion process is typically the weakest link in every organization's supply chain. Unfortunately, it can also be one of the most challenging areas to secure. As a result, it may be more expedient to start with easy wins, which can be had by securing your source control, binary repository and developer workstations using traditional security practices.
When it comes to securing your supply chain, the OSSF recommends starting by:
These three initiatives represent the low hanging fruit that every organization can do to get started securing their software supply chain.
The ActiveState Platform is another initiative you can easily adopt to help secure your open source supply chain because it integrates seamlessly with most enterprise SDLCs. By adopting the Platform, you can ensure your developers are always working with dependencies built from source code using a secure cross-platform build service that always generates reproducible artifacts that can be deployed together without conflicts.
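As an added example (not code from this post, from the OSSF, or from the ActiveState Platform), the following Python illustrates the two properties the paragraphs above lean on: a build whose output is byte-identical whenever the source is identical, and an ingestion check that accepts an artifact only when its digest matches a value pinned in a lock file. The sample source tree, the pinned digest and the function names are constructed for the illustration; the point is that every build input other than the source itself (member order, ownership, file mode, per-file timestamps and the gzip header timestamp) has to be fixed before two builds can be compared, and that once they can, a digest pin at the ingestion boundary becomes meaningful.

```python
"""Added example: reproducible .tar.gz build plus digest pinning at ingestion.
Not ActiveState or OSSF code; the source tree and lock file are constructed here.
"""
import gzip
import hashlib
import hmac
import io
import tarfile
import time

# Constructed sample source tree (path -> contents); not a real package.
SOURCE_TREE = {
    "pkg/core.py": b"def add(a, b):\n    return a + b\n",
    "pkg/__init__.py": b"__version__ = '1.0.0'\n",
    "README.md": b"# pkg\n",
}


def build_artifact(tree, mtime=None):
    """Pack `tree` into a .tar.gz and return the bytes.

    Everything that is not the source itself is pinned: member order (sorted),
    file mode, uid/gid and owner names, per-member mtime, and the timestamp in
    the gzip header. When `mtime` is None the wall clock is used instead, which
    is the usual reason two builds of identical source come out different.
    """
    stamp = int(time.time() if mtime is None else mtime)
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(tree):              # dict insertion order must not leak in
            data = tree[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mtime = stamp
            tar.addfile(info, io.BytesIO(data))
    # gzip stores its own timestamp in the header, so pin that as well.
    return gzip.compress(tar_buf.getvalue(), compresslevel=9, mtime=stamp)


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def verify_pinned(blob, pinned_digest):
    """Ingestion check: accept the artifact only if its SHA-256 equals the pin
    recorded in the lock file. Constant-time compare avoids leaking how many
    leading characters matched."""
    return hmac.compare_digest(sha256_hex(blob), pinned_digest)


if __name__ == "__main__":
    # Two deterministic builds agree; a build that lets the clock in does not.
    first = build_artifact(SOURCE_TREE, mtime=0)
    second = build_artifact(SOURCE_TREE, mtime=0)
    clocked = build_artifact(SOURCE_TREE)
    print("reproducible:", first == second)          # True
    print("clock leaked:", clocked != first)          # True (unless run at epoch 0)

    # Lock file produced by the trusted build, then consumed at ingestion time.
    lockfile = {"pkg-1.0.0.tar.gz": sha256_hex(first)}
    print("accepted:", verify_pinned(second, lockfile["pkg-1.0.0.tar.gz"]))

    # A tampered source tree (constructed) produces a different digest and is rejected.
    tampered = dict(SOURCE_TREE, **{"pkg/core.py": b"def add(a, b):\n    return a - b\n"})
    print("tampered accepted:",
          verify_pinned(build_artifact(tampered, mtime=0), lockfile["pkg-1.0.0.tar.gz"]))
```

The same discipline applies to any build system: record the pinned timestamp (SOURCE_DATE_EPOCH is the conventional name), sort inputs, drop ownership and permissions that vary by machine, and only then treat a digest mismatch at ingestion as a signal rather than noise.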
You can try the ActiveState Platform by signing up for a free account using your email or GitHub credentials.
Experienced Product Marketer and Product Manager with a demonstrated history of success in the computer software industry. Strong skills in Product Lifecycle Management, Pragmatic Marketing methods, Enterprise Software, Software as a Service (SaaS), Agile Methodologies, Customer Relationship Management (CRM), and Go-to-market Strategy.