Anthony McMahon from GitLab outlines why organisations must “gain control and visibility” of their growing software supply chains.
The proliferation of high-profile security attacks has turned the spotlight on securing the software supply chain, across development, deployment, and operations, particularly in the era of cloud-native applications in enterprises.
While organisations are increasingly adopting open-source tools and a speed-of-innovation culture to gain competitive advantage, this has brought with it further challenges and trade-offs around application security.
Recent guidelines from the Australian Cyber Security Centre (ACSC) highlighted the need for development teams to identify a secure software design and follow secure programming practices during software development activities.
Open-source technologies and software code repositories are undoubtedly lowering organisations’ ‘entry point’ for innovation and accelerating time to market.
To address the inherent security risks, organisations need to enable IT teams to gain effective control and visibility of their growing software supply chains, by combining the functionality of a modern DevSecOps platform with holistic security programs.
Assess your security hygiene and consider new attack surfaces
The ACSC encourages organisations to use threat modelling and other secure design techniques to ensure that threats to software and mitigations to those threats are identified and accounted for.
Each layer that developers add to an application increases the attack surface and opens new intrusion points while the application code itself often contains many vulnerabilities.
Many attacks may exploit organisations’ lack of focus on basic security hygiene (think patches and passwords) and revisit exploits that have been around for a long time. While this recommendation may not in itself be anything new, the scope of the effort may be.
Organisations need to review security policies and consider potential attack surfaces such as software development toolchains, containers, orchestrators, and infrastructure as code.
Automate scanning, policies, and compliance
Many organisations might be surprised at the scope of DevOps tools to do the heavy lifting of testing and compliance.
Recent DevSecOps innovations and the ever-growing range of application security and scanning resources can be used effectively by small startups as well as mid-size companies and enterprises to automate tasks such as code scanning. Because they are simpler to use than multiple point solutions, they also encourage closer collaboration between senior IT executives, developers and security professionals.
One challenge is getting developers and security colleagues to collaborate more closely and embed security tools, process and culture within DevSecOps. GitLab’s 2021 DevSecOps Survey indicates organisations still struggle with determining who is in charge of security, with 31 per cent of security professionals stating they were fully responsible for it, but almost as many – 28 per cent – reporting that everyone was responsible.
Getting security and efficiency gains from automation depends on applying it in standardised, controlled CI processes. Automating CI/CD is one vehicle for applying common controls such as segregation of incompatible duties, identity and access approval controls, configuration management, change control and security testing.
Automating policy execution through these common controls ensures more consistent compliance while also reducing the audit surface.
Protect application infrastructures
Modern applications rely on much more than the code itself. Consider cloud-native infrastructure such as Docker and Kubernetes environments. Apply container scanning and use SAST to scan Helm charts.
Consider using container host security and container network security monitoring and protection.
When used in the CI environment, open source tools can alert on, and prevent, build servers doing unexpected things such as modifying scheduled tasks or OS configuration in general.
Dev and security teams also need to check more obscure things like the container registry. Who at your organisation has write access? Compromising a single person could compromise the container registry, and result (via pipelines) in vulnerabilities in multiple software projects.
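The scanning steps described in this section, as an added example that is not part of the article or of GitLab's own documentation: a minimal `.gitlab-ci.yml` that builds an image into the project's container registry, then runs GitLab's Container Scanning template against that exact image and enables the SAST Kubernetes/Helm analyser. The chart path `chart` and the image tag scheme are assumptions; template paths and variable names should be checked against the GitLab version in use.

```yaml
# Added example (not from the article). Assumes a GitLab project with the
# built-in Container Registry enabled and a Helm chart under ./chart.
stages:
  - build
  - test          # the security templates' jobs run in "test" by default

include:
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml

variables:
  # SAST: also analyse Kubernetes manifests and Helm charts (kubesec analyser).
  SCAN_KUBERNETES_MANIFESTS: "true"
  KUBESEC_HELM_CHARTS_PATH: chart        # assumed chart location

build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    # Registry credentials come from CI-provided variables, never from the repo.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # Tag by commit SHA so the scanned artefact is the one that gets deployed.
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

container_scanning:
  variables:
    # Scan the image just pushed rather than the template's default tag.
    CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

Pairing this pipeline with protected branches and a restricted set of registry write permissions addresses the registry exposure the paragraph above raises: the build job pushes with the job token, so no individual's credentials need write access.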
Iterate with continuous assessment and improvement
Securing the modern software supply chain will require teams to revisit the process continuously, making it even more challenging to juggle complex toolchains and security integrations.
Modern application development processes demand a new way of thinking, tooling the software factory itself for security and controls, rather than inspecting code after it is built.
With the proliferation of high-profile hacks, data breaches and ransomware, organisations feel insecure, and feel the need to protect their reputation and their customers' data, like never before.
Adopting proactive application security measures, combined with the simplicity of a single DevSecOps platform, will lead to a more secure development life cycle model and a higher likelihood of mitigating security vulnerabilities.
Anthony McMahon is GitLab’s vice-president for Asia-Pacific & Japan with over 20 years’ experience in the technology industry in Asia. He has previously held executive leadership roles at SAP and HP.