SAN FRANCISCO — While there’s no such thing as perfect security, there are at least five steps security teams can take to more effectively secure their supply chains.
Rao Lakkakula, senior director of security engineering at JP Morgan Chase, offered such a five-step approach at an April 24 RSA session on securing the software supply chain.
Lakkakula pointed out that the industry has seen large supply chain incidents for the past three years, starting with SolarWinds in 2020, and continuing on with Log4Shell in 2021 and the most recent 3CX case which attacked telecom devices. They are so prevalent that Gartner estimates that by 2025, 45% of organizations worldwide would have experienced attacks on their software supply chain — a three-fold increase from 2021.
“The difference here is that as opposed to being software vulnerabilities in code as in the past, they are intended to be bad,” Lakkakula said. “In many of these cases they are attacking the supply chain of the supplier and injecting malicious code.”
Click here for all of SC Media's coverage from the RSA Conference 2023
In his talk, Lakkakula offered these five steps for security teams to consider:
- Understand the company’s software processes. Security teams need to identify the entry points into the enterprise where the software gets ingested. Whether it’s open source, vendor software, or third-party developed software, the security team has to catalog all the software and know the source it’s coming from.
- Monitor the ingestion processes. Validate the security of the source code of the providers and the dependencies of the open source and closed source components. Start by scanning the code for known vulnerabilities. Security teams also really need to consider sourcing high-quality valid versions of software code from fewer suppliers. This will reduce risk when an event like Log4Shell happens and a company gets stuck with dozens of software packages that are vulnerable that they have a hard time deleting.
- Build a comprehensive software bill of materials. In building as asset inventory develop a comprehensive map of all the company’s assets. This includes all the apps, dependencies, where the software is deployed, where the software comes from.
- Secure the internal CI/CD pipeline. Protect the source code repositories and protect the company’s bill system. Security teams need to focus on the integrity of the code’s source, how the software gets developed, and how it’s deployed.
- Automate vulnerability monitoring. Continuously monitor for new vulnerabilities to patch deployed software. Security teams can leverage the asset map they’ve developed in creating the SBOM.
Lakkakula admitted that all companies are different, and all of these steps may overwhelm some people. He said security teams shouldn’t feel alone — there are a lot of organizations that can help with these complex supply chain issues. Security pros can start by checking out the following resources:
- Securing the Software Supply Chain: Recommended Practices Guide for Developers, NSA, CISA and ODNI
- Secure Software Development Framework, NIST
- Software Supply Chain Best Practices, Cloud Native Computing Foundation
- Supply Chain Levels for Software Artifacts, Linux Foundation
