Developers Can Still Improve Software Supply Chain Security

Developers are increasingly incorporating security testing into the development pipeline, but there is still room for improvement among companies [1]. This article explores the current state of software supply chain security and highlights the need for better security measures.

Description

According to Snyk’s annual State of Software Supply Chain Security report, only 40% of firms have deployed security checks into the integrated development environment (IDE) and 48% at the code-commit stage [1]. Additionally, 40% of companies do not use any supply chain security technologies such as static application security testing (SAST) or software composition analysis (SCA) tools [1]. To address these gaps, Randall Degges, head of developer relations at Snyk, emphasizes the importance of conducting three types of scans: scanning custom code with SAST, checking open source dependencies with an SCA tool, and analyzing infrastructure files for insecure configuration [1]. The Log4j library vulnerabilities have prompted more companies to pay attention to software security, with 94% making significant changes to their approach to application security, including increasing scanning frequency, adopting new tools, and providing additional security training for developers [1]. Degges compares the impact of the Log4j vulnerability to Edward Snowden’s release of classified documents, stating that it has driven significant security-focused behavior in the industry [1].

Open source software has become a recognized supply chain risk, with the potential for malicious actors to exploit vulnerabilities in it [3]. In response, various solutions and frameworks have emerged to provide security checkpoints throughout the software development lifecycle [3]. One notable framework is Supply Chain Levels for Software Artifacts (SLSA), which offers actionable and scalable security measures [3]. SLSA focuses on observability, ensuring visibility and traceability of software components [3]. It also addresses the issue of transitive dependencies, which can be exploited by attackers; SLSA-compliant provenance and tools that surface transitive dependencies can proactively prevent these attacks [3]. Hermetic builds, which meet SLSA’s highest standard, ensure that only verified dependencies and packages are used [3]. Overall, SLSA provides a comprehensive approach to supply chain security in software development [3].

Companies often struggle to keep insecure software from reaching production across their many applications and systems [2]. A lack of supporting tooling and of qualified application security engineers hinders scaling those security services [2]. To address these issues, automated software security scanning in the software development lifecycle (SDLC) and in DevSecOps CI/CD pipelines is crucial [2] [3]. Shifting software security “left” to the point of inception, and automating static and dynamic tools driven by a threat model, are effective strategies [2]. Ensuring test coverage for the entire application and preventing vulnerabilities such as code, SQL and JavaScript injection requires enforcing policies and integrating security tools into the development process and automated testing [2].
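One concrete form of the policy enforcement described above, and of the SLSA provenance check discussed earlier, is a pipeline gate that refuses to promote an artifact unless its provenance names a trusted builder and pins every dependency. The following is an added example, not code from the cited sources or from the SLSA project; the builder id, repository URIs and digests are constructed placeholders, and the statement is shown unsigned (a real gate first verifies the DSSE signature over it).

```python
import hashlib

# Constructed sample: an unsigned SLSA v1.0 provenance statement (in-toto Statement v1
# with a slsa.dev/provenance/v1 predicate). The builder id, URIs and digests are made up.
ARTIFACT = b"constructed release tarball bytes"          # stands in for the downloaded artifact
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-1.2.3.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/ci@v1",
            "externalParameters": {"repository": "https://example.invalid/org/app", "ref": "refs/tags/v1.2.3"},
            "resolvedDependencies": [
                {"uri": "git+https://example.invalid/org/app@refs/tags/v1.2.3",
                 "digest": {"gitCommit": "0" * 40}},
                {"uri": "pkg:pypi/requests@2.31.0", "digest": {"sha256": "1" * 64}},
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/hosted-ci@v1"}},
    },
}

TRUSTED_BUILDERS = {"https://example.invalid/builders/hosted-ci@v1"}  # constructed allow-list

def verify_provenance(statement, artifact_bytes, trusted_builders):
    """Return the list of policy failures for an artifact; an empty list means it passes."""
    # Assumes the DSSE signature over the statement was already verified against the
    # builder's key; without that step none of the fields below can be trusted.
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicate type")
    # 1. The bytes we hold must be one of the attested subjects.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        failures.append("artifact digest not in subjects")
    pred = statement.get("predicate", {})
    # 2. The provenance must name a build platform we trust, not just any builder.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder}")
    # 3. Every resolved dependency, transitive ones included, must be pinned by a digest;
    #    an unpinned entry means the build could have pulled different bytes next time.
    for dep in pred.get("buildDefinition", {}).get("resolvedDependencies", []):
        if not dep.get("digest"):
            failures.append(f"unpinned dependency: {dep.get('uri')}")
    return failures
```

A CI job would call `verify_provenance` on the downloaded artifact and fail the stage whenever the returned list is non-empty.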

Conclusion

The Log4j vulnerability has highlighted the need for improved software supply chain security. Companies are now making significant changes to their approach to application security: increasing scanning frequency, adopting new tools, and providing additional security training for developers [1]. Frameworks like SLSA offer actionable and scalable security measures, addressing the risks associated with open source software and transitive dependencies [3]. Automated software security scanning and integrating security tools into the development process are crucial for preventing insecure software releases [2]. Moving forward, it is essential for companies to prioritize supply chain security and implement robust measures to protect against vulnerabilities and malicious attacks.

References

[1] https://www.darkreading.com/application-security/despite-post-log4j-security-gains-developers-can-still-improve
[2] https://devops.stackexchange.com/questions/2983/software-security-testing-in-a-devsecops-pipeline
[3] https://www.activestate.com/blog/how-slsa-prevents-software-supply-chain-attacks/