A software supply chain attack happens when an attacker enters and modifies software in the complicated software development supply chain to imperil a target farther down on the chain by injecting their malicious code. These inserts can be employed to further modify code by getting system permissions or to directly deliver a malicious payload or backdoor package. Software supply chain attacks exploit established channels of system verification to acquire privileged access to systems and to compromise big networks and databases. 

By software supply chain, we basically mean everything that goes into making a software product, including all the components, packages and repositories. Modern software products comprise a huge number of dependencies on other code and therefore tracking down which vulnerabilities compromise which software products and tools can be a challenging technical effort.  

Companies must therefore understand all the components in software or packages they are consuming. Today, a large part of the software is open-source, and it is difficult to know precisely who has contributed to a piece of code and where that code has come from before it ends up in an enterprise environment. Supply chain software security deals with all of that, and because there is so much software out there, most of the security processes need to be automated. 

Breaches Can Happen Due To Lag In Secure Software Supply Chain 

There have been many breaches so far due to problems or mistakes in software supply chain security.  For instance, NotPetya and the Equifax data breach in 2017, affected millions of users. It showed the potential scale of software supply chain attacks and their strategic utility for nefarious cyber activities.

Many times, companies also don’t disclose in time that their software or network has been compromised, putting their entire ecosystem of customers and partners at risk. For instance, Kingslayer Windows log management software that was compromised in 2017, had the Chinese attackers target the Windows IT admin application to inject malicious code under a valid signature, which could diffuse either by updating or downloading the application. The attack compromised systems across the globe, including colleges, defence companies, government organisations, banks, IT and telecom firms, and other businesses. 

This happened as the malware installed a secondary package which could upload and download files, execute malicious programs, and run arbitrary shell commands. The attack was found when a defence contractor found a piece of software in their environment pinging an IP address which was a known bad IP. Now, this could have been prevented if there was vigilant software supply chain security and management in place. The good news is that now this is coming to life with advancements in DevSecOps and Gitops. 

You Want To Know Everything In Your Software Environment

As a developer, you want to know what’s in your environment and discover any software problems that could be a possible security issue such as a license issue or a dependency vulnerability, and patch it as soon as possible. Containers are an essential part of the software supply chain and make patching a smooth task. Containers make it easy for you to rebuild, test then redeploy into your environment without actually having any downtime.

If companies are proactive in this regard, they can ensure optimal security at the container level with automated code scanning and patching. Of course many times, it’s easier said than done, as software pipelines can become very complex with time. But proactive patching can address the majority of security issues in time before any major data breach happens.

Most open-source projects do not follow stringent organisational structures and instead, depend on self-organisation and a collaborative approach to drive software innovation and development. That can be a major issue in ensuring a proper software security supply chain.

Now with GitOps, teams in an operating model can not only define their infrastructure as code but also make deployments and changes to it by submitting pull requests that people can review and approve collectively. GitOps has made it ubiquitous to have continuous integration on a continuous delivery server when developing your application. This helps in embedding DevSecOps practices when teams are working on building their products.

Tools For Secure Software Supply Chain On GitHub

While many companies use Github for hosting their code, there’s a feature called dependency graph which can do the scanning for security analysis, including information about the licenses and security alerts for vulnerable dependencies. For example, if a team adds a new dependency that has a vulnerability or there’s a new vulnerability discovered on one of their existing dependencies, they get an alert, which can be resolved with patching. 

Github also has an automated feature, where an automated bot called Dependabot sends users an automated pull request to suggest that a user has upgraded to a patched version for vulnerable dependencies. Many of Github’s enterprise users are utilising Dependabot and the GitHub dependency graph to know which dependencies they use, their vulnerabilities, how to patch them and return to normal work. Users can discover vulnerabilities across a codebase with CodeQL, Github’s semantic code analysis engine, which lets users query code as though it were data.