Securing your supply chain
April 26, 2022
Supply chain security is at the front of every CISOs mind. In a world where systems are interconnected, the Cloud is expanding seemingly without limits, and open source is everywhere, we are left to figure out how to secure an environment where so much is out of our control. We live in a world where product delivery is closing in on real-time, so we have to embrace the interconnectivity and open source, yet find a way to secure it.
We talk a lot about supply chain security from a risk perspective, but we sometimes forget to look at how that risk was introduced. Securing the source code has to be a major priority for a cybersecurity program. With the shift to the cloud of our source code repositories, it can sometimes be easy to forget to enforce our security policies or assume the cloud provider handles the security of the source code.
There are three ways we can improve our source code security. First is to ensure we have proper identity management in place to control access to source code and enforce policies like password complexity and multi-factor authentication. We need to make sure that we have MFA in place to protect against password compromise via stolen credentials or successful phishing attempts. Next, we need to make sure we audit access to the source code. This would include access review for abnormal access and for employees who have left the company or transferred to other roles. Finally, we should perform manual and automated code reviews for diffs to source code. Checks should be built into the SDLC to ensure malicious code hasn’t been inserted into the source code.
One of the first concepts learned in security training is a concept called defense in depth. At its simplest, it means that we should not trust any single security control. There should always be backups, and backups for that backup. A security check can always fail by being implemented incorrectly or having a zero-day vulnerability, so there should always be another level of protection. We use this method every day when driving a vehicle. The car is tested to ensure an impact will cause the metal to bend in a way to protect the passengers. The airbags will deploy to help absorb the impact to the passengers. Seatbelts are used to restrain passengers and prevent injuries. An everyday example of defense in depth, and the same should be applied in our cybersecurity practice. An easy example would be a virtual machine in the cloud. We set restrictions to the ports accessible to the outside world. On the virtual machine, anti-malware should be installed to try and stop the spread of viruses. On the network level, the virtual machine should be limited in scope to other resources it can talk to in order to limit propagation. A defense in depth strategy can help limit the exposure and spread of an attack.
We hear the term ‘shift left’ a lot in the security and development world. What this really means is, we need to find ways to perform testing and incorporate security earlier in the development lifecycle instead of waiting until runtime. This strategy saves cycles of back and forth between teams and environments to push out a fix. This saves both time and money, along with reducing risk of finding issues once they reach production.
We can make our best effort to find supply chain vulnerabilities before production, but nothing is ever guaranteed. We have to have visibility into the activity of our environment–we need to be able to see deviations from normal activity. When a user starts logging into servers that they don’t normally use, that should raise an alert. When machines start talking to different machines or to unusual IPs outbound, that should raise an alert. Preventing supply chain security issues is important, but being able to monitor them is equally if not more important.
Supply chain issues will continue to be with us for the foreseeable future. As companies seek quicker ways to develop software and systems become more interconnected and in the Cloud, it’s a risk security teams will have to mitigate. The job of security teams isn’t to eliminate risks, but to also ensure that they are informed about risk and find ways to mitigate through policies, procedures and monitoring. Supply chain security should be thought of the same way as other risks– with proper planning and analysis, they can be understood and managed properly.