The now infamous SolarWinds hack is the largest cybersecurity attack in history, leaving hundreds of millions at risk, and unfortunately there are signs that a wave of copycat crimes is already underway. The culprits perpetrating these breaches target what is now widely acknowledged as the most vulnerable and least protected attack surface within enterprises: the software supply chain and the source code that powers it.
What is the Software Supply Chain & Why It’s So Scary
No (sane) person builds software from scratch any more. Even the best applications fall somewhere on a spectrum from elegant to Frankensteined amalgamation of open source and third-party software, mixed with a splash of original code and IP (if you’re lucky). The parts you didn’t create — often the bulk of the code — are where you have to take careful heed: trust but verify.
A supply chain attack, also called a value-chain or third-party attack, happens when a bad actor infiltrates your organization via code you didn’t create — either the open source or the third-party software that is embedded in your applications and systems and, most importantly, has access to your data. Herein lies the rub: intelligent hackers always attack the weakest link. You could be spending millions to protect your apps, systems and network, but are your software suppliers? What about the open source you use? How would you even know? This is exactly why the software supply chain can be so scary. The good news is that it doesn’t have to be.
Securing Your Software Supply Chain: What You Can Do Easily & Do Now
Luckily there are a few relatively simple and straightforward steps you can take to protect your organization from supply chain attacks:
- Know Your Software BOM. Make sure you know and trust your software suppliers – in other words, know your software bill of materials (BOM). Know what software is being deployed in your organization, ensure that it only comes from trusted sources, and make sure software patches are all up to date, especially ones relating to cybersecurity.
- Hold Your Software Suppliers Accountable. You’re only as strong as your weakest link; the SolarWinds hack proved that in spades. Your software suppliers are obligated to ensure that their software development processes are safe and secure, and they should be able to prove it to you. Ask your key software vendors to provide regular updates regarding the state of their software security practices and immediate communication about any possible breaches. It’s your right to know; exercise it.
- Protect Your Pipeline. Software build pipelines are a crucial part of your SDLC and as such are critically important to protect. If a bad actor gets access to your pipeline, they essentially have access to your crown jewel code and data. The havoc they can wreak is many-fold: adding malicious code, stealing your IP and gaining access to multiple code repositories and environments can inflict irreparable harm. The National Cyber Security Center (NCSC) guidance on securing the build and deployment pipeline has some great, actionable steps you can take to secure your own pipelines.
- Secure Your Source Code. Proactively secure your own software development processes; it all starts with your source code and all the parts that comprise it. Shift your security left as much as possible, securing your source code from the start – it’s far easier and far less damaging to catch security vulnerabilities early and often. It can be 60 times more expensive to find and fix security vulnerabilities in production versus early in the SDLC — and that’s just the dollar cost; the risk to your business in terms of reputation and trust can be immeasurable. Secrets in code, live tokens, PII, and misconfigured repository settings are just a few of the critical areas of risk to remediate *before* committing code; they are relatively easy fixes with the right tools in place, and they pay off in immeasurable ways.
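As an added example (not BluBracket's code or any tool the post refers to), here is a minimal pre-commit check in Python for the source-code risks listed above: it scans staged lines for a few well-known credential formats, hard-coded passwords and private-key headers, with a Shannon-entropy heuristic for opaque tokens that no fixed pattern covers. The credential patterns, the 4-bit threshold and the sample lines are constructed assumptions for illustration.

```python
import math
import re
import subprocess
import sys
from collections import Counter
# Credential formats to match (constructed for this example; add your own providers' formats).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(password|passwd|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_lines(lines):
    """Return (line_no, finding, snippet) for each line that looks like it carries a secret."""
    findings = []
    for no, line in enumerate(lines, start=1):
        matched = [name for name, pat in SECRET_PATTERNS.items() if pat.search(line)]
        findings.extend((no, name, line.strip()) for name in matched)
        if matched:
            continue  # already reported; skip the generic heuristic
        # Fallback for opaque tokens no fixed pattern knows: random keys score well above 4 bits/char.
        for token in re.findall(r"[A-Za-z0-9+/=_-]{24,}", line):
            if shannon_entropy(token) > 4.0:
                findings.append((no, "high_entropy_string", token))
    return findings
def added_lines_from_diff(diff_text: str):
    """Keep only the '+' lines of a unified diff, dropping the '+++' file header."""
    return [ln[1:] for ln in diff_text.splitlines() if ln.startswith("+") and not ln.startswith("+++")]
# Constructed sample of staged lines (not real credentials).
SAMPLE_ADDED_LINES = [
    "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE00'",
    "timeout_seconds = 30",
    "db_password = 'correct-horse-battery'",
    "-----BEGIN RSA PRIVATE KEY-----",
    "session_token = 'Xk7pQ2mZ9vR4wL8nT3bH6yJ1cF'",
    "legacy_flag_name = 'this_is_a_really_long_variable_name'",
]

if __name__ == "__main__":
    # As a pre-commit hook: scan only what is staged and block the commit on any finding.
    diff = subprocess.run(["git", "diff", "--cached", "-U0"], capture_output=True, text=True).stdout
    hits = scan_lines(added_lines_from_diff(diff)) if diff else scan_lines(SAMPLE_ADDED_LINES)
    for no, name, snippet in hits:
        print(f"line {no}: {name}: {snippet}")
    sys.exit(1 if hits else 0)
```

Installed as an executable `.git/hooks/pre-commit` it refuses any commit whose staged additions contain a finding; run with nothing staged, it scans the constructed sample instead, flagging lines 1, 3, 4 and 5 and leaving the long but low-entropy identifier on line 6 alone.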
How Can BluBracket Help?
It’s this last point – Securing Your Source Code – where we can and want to help, and we can do it rapidly and at no cost to you. BluBracket is 100% focused on addressing the risks in your source code. It’s our entire team’s goal to end the threats posed by source code as quickly and as effectively as possible. To get you on the road to securing your software supply chain, we’re offering free access to our BluBracket Community Edition and CodeInsights — you can onboard in minutes and start identifying and eliminating source code threats immediately.