BlackHat Innovation Theatre – Most overlooked gaps in the software supply chain

The software supply chain has taken center stage in the fight against cyber attacks and breaches. Savvy threat actors are leveraging gaps in it to mount an unprecedented number of attacks.

Organizations developing software are adopting automated DevOps and CI/CD pipeline solutions to speed up development and testing, all the way through to deployment. Software is rapidly assembled from a series of building blocks, some created in-house and others available off the shelf. The resulting application can combine open source, in-house and third-party code, which lets finished applications be delivered much faster.

The need for speed is driving demand for ways to deliver higher quality code that is also secure. Traditional application security tools are effective at protecting the code that is about to enter the CI/CD pipeline, but historical code in prior versions may carry a wide range of risks that these tools do not readily surface. Newer techniques identify these facets of risk in code and go beyond alerting: they support remediation and mitigation by giving developers and code engineers the ability to act in the moment, during development or at deployment.

Casey Bisson, Head of Product and Developer Relations at BluBracket, presented a session titled "Most overlooked techniques to close security gaps in the software supply chain", covering some of the common areas to address in order to improve code security.

Here are some of the most overlooked gaps in the software supply chain leading to security breaches:

  1. Teams can lose sight of what’s in the code.

Security teams can end up focusing on what the code is doing rather than on what is in the code. Most solutions only look at what code does when a breach occurs. Breaches of trust, encryption errors, SQL injection and cross-site scripting are all examples of incidents that happen when code executes, that is, when it does what it does.

  2. Organizations forget that code can contain high risk content

High risk content is made up of secrets like passwords, API tokens, credentials and certificates that may be inadvertently left in code. Very few solutions actually scan software source code to identify these risks. Source code for prior versions of an application usually remains in the git repository, where it can be scanned for such items. Attackers who find them can mount an attack asynchronously. PII can also be inadvertently exposed in code.

  3. Relying too much on yesterday’s security tools to stay safe

AppSec teams often assume that SAST and DAST tools alone will keep them protected. Tools that provide visibility into software composition and open source dependencies are also useful, since they give a view into external dependency risk. However, the most complete view of risk comes from consolidating the risks in internally created source code with those from external sources.

  4. Not taking a consolidated view of the complete software supply chain

So what makes up the real software supply chain? A consolidated view of it includes the risks related to external dependencies, code, source code management and the CI/CD pipeline orchestration process, together with an understanding of who has access to the code and where it is going. This is what tells you whether code and secrets are leaking to public or personal repositories outside the enterprise, in violation of security policy and best practice.
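The second gap above, secrets surviving in prior versions, is easy to see in code. The scanner below is an added example written for this article, not BluBracket's product or the speaker's material: it walks a constructed, in-memory commit history (labelled as such) rather than a real repository, compares a scan of only the latest tree with a scan of every commit, and uses a small, simplified set of detector patterns plus a Shannon entropy gate, all of which are assumptions of the example rather than a complete rule set.

```python
import math
import re
from collections import Counter

# Constructed sample history (not a real repository): one entry per commit,
# holding the full content of each file as it stood after that commit.
# Commit c2 swaps the hard-coded values for environment lookups, but, exactly
# as in a real git history, commit c1 still carries the original secrets.
SAMPLE_HISTORY = [
    {
        "id": "c1",
        "files": {
            "config.py": (
                'DB_PASSWORD = "hunter2-prod-9f3a"\n'
                'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEFAKE00001"\n'
            ),
            "README.md": "# service\n",
        },
    },
    {
        "id": "c2",
        "files": {
            "config.py": (
                "import os\n"
                'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
                'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
            ),
            "README.md": "# service\n",
        },
    },
]

# Ordered detectors: (kind, regex whose group 1 is the candidate value). The
# specific token formats run first; the generic assignment rule is a fallback.
# These patterns are simplified assumptions for the example, not a full rule set.
DETECTORS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    ("hardcoded_credential", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']([^\"']{8,})[\"']")),
]

# Generic matches below this Shannon entropy (bits per character) are treated
# as placeholders such as "changeme" rather than real credentials.
MIN_ENTROPY = 3.0


def shannon_entropy(value):
    """Bits of entropy per character; 0.0 for a run of one repeated character."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def find_secrets(text):
    """Return one finding per line of text that matches a detector."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in DETECTORS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1)
            if kind == "hardcoded_credential" and shannon_entropy(value) < MIN_ENTROPY:
                continue  # likely a placeholder, not a secret
            findings.append({"kind": kind, "value": value, "line": lineno})
            break  # first matching detector wins for this line
    return findings


def scan_snapshot(files):
    """Scan one tree (path -> content) and tag each finding with its path."""
    results = []
    for path, content in sorted(files.items()):
        for finding in find_secrets(content):
            results.append({"path": path, **finding})
    return results


def scan_head(history):
    """What a working-tree-only scanner sees: just the latest commit."""
    return scan_snapshot(history[-1]["files"])


def scan_history(history):
    """Walk every commit; report each distinct secret with the commit it first appears in."""
    seen = {}
    for commit in history:
        for finding in scan_snapshot(commit["files"]):
            key = (finding["kind"], finding["value"])
            if key not in seen:
                seen[key] = {"commit": commit["id"], **finding}
    return list(seen.values())


def mask(value):
    """Show only a short prefix so the report itself does not leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


if __name__ == "__main__":
    print("HEAD-only findings:", len(scan_head(SAMPLE_HISTORY)))
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f['commit']} {f['path']}:{f['line']} {f['kind']} {mask(f['value'])}")
```

Run as a script, the HEAD-only scan reports nothing, while the history walk reports both secrets in commit c1; against a real repository the snapshots would come from enumerating commits (for example `git rev-list --all`) and reading each file at each commit rather than from the constructed list. Masking the value in the report matters because scan output is itself often stored in CI logs and ticketing systems.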

The BluBracket code security solution

BluBracket delivers a code security solution that provides protection across the complete code supply chain, linking together the external supply chain, the internal supply chain and the events that make up the unexpected supply chain. Examples of the unexpected supply chain include code leaks and leaks containing secrets.

BluBracket helps deliver code security by providing an automated solution that answers the three most critical supply chain questions.

BluBracket is the most complete code security solution that enables developers to effectively identify and remediate risks within their software development environment across code repositories, infrastructure as code and cloud environments. With BluBracket, organizations can shift left by enabling developers to address security at the very start of the development lifecycle.

For more information on the BluBracket code security solution, please visit https://blubracket.com/products/enterprise-edition/

To get started for free with BluBracket please visit https://blubracket.com/contact/get-started/
