The SolarWinds compromise (a backdoored build delivered through a trusted update channel) and the Colonial Pipeline ransomware attack (which shut down a physical fuel supply chain) are two of many incidents that have made supply chain attacks go mainstream. The primary challenge for businesses is that supply chain defense isn't easy given the hundreds, if not thousands, of entry points that need to be monitored along the way. But there are best practices that can help reduce the risk of supply chain attacks when coupled with a well-planned strategy for working with suppliers and vendors.
Taking the broad view of supply chains
A supply chain encompasses a broad range of relationships. It's not just what we normally think of as getting physical goods or components from A to B. Every company has a supply chain even if it may not carry that label, because it includes all of the partnership and business relationships an enterprise might have. In fact, a supply chain can refer to any product (software or hardware) and services that are used to develop a company's own product or service. You want to make sure that partners' systems, and especially those that have access to your network, are properly secured to reduce the risk of compromise and outages.
When we talk about software as part of the supply chain, that could mean a software development team working with third parties who contribute code to your code base. It could also mean buying IT products or code from third-party sources that are then integrated into your own code base, including the open-source libraries your build pulls in.
Once you see the "big picture" of your supply chain, you can set targeted supply chain security goals: ensure that every product coming in, whether software you buy and use, code that someone else has developed, or services you consume, is secure and follows good security practices.
Whether you use code that's been developed by internal teams or from external sources, it's important to make sure the code management process is defined and enforced, not just documented. It's especially important when working with sources outside the enterprise to keep signing keys and certificates under strict control (ideally on hardware tokens that never export the private key), because a leaked signing key lets an attacker produce code that looks authentic.
Here are three key questions you should be able to answer about managing source code and software products (spoiler: the answer to all three should be "yes"). Vetting these answers carefully will reduce the chance that source code introduces a vulnerability once it's deployed.
- Is there a source code management system (SCM) in place? A proper SCM will make sure code versions are properly managed and that every person who signs in to the system is authenticated and granted only the permissions they need. An SCM records who changed what and when, so that any manipulation of the code leaves a trace. Note that history in a system like git can be rewritten unless the SCM is configured to prevent it (protected branches, no force pushes to release branches, mandatory review), so the SCM must be well managed to establish a chain of custody that justifies trust in the code.
- Are code commits and code properly signed? Signing should be used to protect all types of software modules and executables, including software drivers, applications, installation files, scripts and firmware modules in vehicles or industrial systems. Code signing and code commit signing should be a required capability of your SCM system. Once a system is in place, ensure that all your developers are properly set up to sign their code commits, and configure the SCM to reject unsigned or unverified commits rather than relying on developers to remember. Signing only proves something if the receiving side checks it. Here is a quick tutorial on how to sign commits in GitHub.
- Is there a software "bill-of-materials" (SBOM) that identifies components and where they came from? In a time when developers are very busy and there is so much open-source code available, it is critical to know where your code is coming from. Not all open-source code is created equal, and attackers have exploited known vulnerabilities in widely used open-source components. If open-source code is being used, it should be disclosed, and the SBOM should cover transitive dependencies (the libraries your libraries pull in), not just the packages you chose directly. Identifying open-source components will allow you to more quickly address any vulnerabilities that may arise in the future, whether that is code you manage or purchased software. Given that this is such a concern, new government software development requirements are focusing specifically on SBOM to reduce security risk.
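The commit-signing question above is only answered "yes" if something actually enforces it. The following is an added example (not code from the original post or from Yubico) of a CI-side gate that reads git's per-commit signature status and rejects a range of commits unless every one carries a good signature from an allow-listed key. It assumes git is installed, the repository's signatures can be verified on the CI host (GPG keyring or SSH allowed-signers file already configured), and that the fingerprints in `ALLOWED_KEYS` are hypothetical placeholders.

```python
"""Reject a commit range unless every commit is signed by an allow-listed key.

Added example, not from the original post. Assumptions (not from the post):
  * git is on PATH and signature verification is already configured on this
    host; the script reads `git log --format=%H%x09%G?%x09%GK%x09%an`, where
    %G? is git's signature status code and %GK the signing key identifier
    (GPG fingerprint, or SHA256 fingerprint for SSH signatures).
  * ALLOWED_KEYS is a hypothetical allow-list; the values are placeholders.
"""
import subprocess
from dataclasses import dataclass

# Meaning of git's %G? codes (from the git-log documentation):
#   G good, U good but untrusted, X good but expired, Y good but key expired,
#   R good but key revoked, B bad signature, E cannot check, N not signed.
# 'U' is accepted because the trust decision here is the key allow-list, not
# gpg's web of trust, which CI keyrings rarely assign.
GOOD_STATUSES = {"G", "U"}

# Hypothetical allow-list of developer signing keys (placeholders).
ALLOWED_KEYS = {
    "ABCDEF0123456789ABCDEF0123456789ABCDEF01",  # alice (hypothetical)
    "0123456789ABCDEF0123456789ABCDEF01234567",  # bob (hypothetical)
}


@dataclass
class Violation:
    commit: str
    author: str
    reason: str


def parse_log_line(line):
    """Split one tab-separated log line into (sha, status, key, author)."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected git log line: {line!r}")
    return tuple(parts)


def evaluate_commits(log_lines, allowed_keys=ALLOWED_KEYS):
    """Return a Violation for every commit that fails the signing policy."""
    violations = []
    for line in log_lines:
        sha, status, key, author = parse_log_line(line)
        if status == "N":
            violations.append(Violation(sha, author, "commit is not signed"))
        elif status not in GOOD_STATUSES:
            violations.append(
                Violation(sha, author, f"signature status {status!r} is not good"))
        elif key not in allowed_keys:  # compare verbatim: SSH fingerprints are case-sensitive
            violations.append(
                Violation(sha, author, f"signing key {key} is not allow-listed"))
    return violations


def git_log_lines(rev_range):
    """Ask git for sha, signature status, signing key and author per commit."""
    out = subprocess.run(
        ["git", "log", "--format=%H%x09%G?%x09%GK%x09%an", rev_range],
        check=True, capture_output=True, text=True).stdout
    return [line for line in out.splitlines() if line]


def main(rev_range="origin/main..HEAD"):
    """Exit non-zero if any commit in rev_range violates the policy."""
    violations = evaluate_commits(git_log_lines(rev_range))
    for v in violations:
        print(f"REJECT {v.commit[:12]} ({v.author}): {v.reason}")
    return 1 if violations else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it in the pipeline step that evaluates a pull request (for example `python check_signed.py origin/main..HEAD`). Pinning to an allow-list matters: a "good" signature from a key nobody recognises is exactly what a compromised developer account or a rogue contributor would produce.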
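To make the SBOM question concrete, here is an added example (not from the original post or from Yubico) that builds a minimal CycloneDX-shaped SBOM from a pinned Python requirements file and matches each component against an advisory list. The requirements file and the advisory entries are constructed for illustration; the advisory identifiers are placeholders, not real CVEs, and the version comparison is a simplified one rather than full PEP 440 semantics.

```python
"""Minimal SBOM from pinned requirements, plus an advisory match.

Added example, not from the original post. Assumptions (not from the post):
  * REQUIREMENTS is a constructed requirements.txt with direct pins only.
  * ADVISORIES is a constructed, hypothetical feed of
    (package, introduced, fixed, advisory id); ids are placeholders.
  * Versions are compared as dotted integers, a simplification of PEP 440.
"""
import json
import re

REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.25.1
urllib3==1.26.4
pyyaml==5.3.1   # pinned for a legacy tool
"""

# Constructed placeholders: a version is affected if introduced <= v < fixed.
ADVISORIES = [
    ("urllib3", "1.26.0", "1.26.5", "EXAMPLE-ADV-0001"),
    ("pyyaml", "0", "5.4", "EXAMPLE-ADV-0002"),
    ("requests", "2.26.0", "2.27.0", "EXAMPLE-ADV-0003"),
]

# Accept only exact pins: an SBOM built from ranges would not describe a build.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][A-Za-z0-9.]*)")


def parse_version(v):
    """Turn '1.26.4' into (1, 26, 4); non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def parse_requirements(text):
    """Return [(name, version)] for every pinned line; reject unpinned ones."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {raw!r}")
        components.append((m.group(1).lower(), m.group(2)))
    return components


def build_sbom(components, app_name="example-app", app_version="0.1.0"):
    """Return a CycloneDX 1.4-shaped document with a purl per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "name": n, "version": v,
             "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in components
        ],
    }


def affected(sbom, advisories=ADVISORIES):
    """Return [(purl, advisory_id)] for components inside an advisory range."""
    hits = []
    for c in sbom["components"]:
        ver = parse_version(c["version"])
        for pkg, introduced, fixed, adv_id in advisories:
            if c["name"] == pkg and \
                    parse_version(introduced) <= ver < parse_version(fixed):
                hits.append((c["purl"], adv_id))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(parse_requirements(REQUIREMENTS))
    print(json.dumps(sbom, indent=2))
    for purl, adv in affected(sbom):
        print(f"AFFECTED {purl}: {adv}")
```

Two caveats a practitioner should keep in mind: a requirements file lists only direct dependencies, so a real SBOM should be generated from a lockfile or from the built artifact to capture transitive components, and the `purl` field is what makes the document useful, because it is the identifier vulnerability databases and scanners key on.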
Prepare for a wave of regulation in 2022
If you can provide detailed answers to most of the questions above, you already have a head start on preparing to meet the new secure software supply chain guidelines that followed the Biden administration's Executive Order 14028 on Improving the Nation's Cybersecurity, which applies to companies that provide software to the US government. Those guidelines call for all forms of code to be protected from unauthorized access and tampering. Phishing-resistant MFA for access to the SCM and signing of code commits are important security controls to improve supply chain security posture and meet compliance needs. Providing more visibility into what components are being used and how code is securely managed will improve overall security and increase the level of trust with users.
To learn more about how to secure your supply chain, register for Yubico’s upcoming webinar on March 3, “Securing America’s Supply Chain.” Additionally, you can find more information on how YubiKeys are FIPS compliant here.