Baked-In Security: How DevSecOps Can Protect Software Supply Chains
Learn how to integrate DevSecOps into your software supply chain to stay ahead of mounting global threats.
As global conflicts threaten to spill over into cyberspace, companies must consider the security of their software supply chains. Mike Lieberman, Co-Founder and CTO of Kusari, explores how DevSecOps, Zero Trust, and open-source tools can help defend against increasingly sophisticated attacks.
The world, it seems, is teetering on the edge of multiple regional crises. Whether it’s escalating tensions in the Middle East, an increase in hostility from North Korea, or the deepening consequences of Russia’s war with Ukraine, there’s little doubt that 2024 will be defined by mounting geopolitical uncertainty.
These hotspots of instability may feel very far away, but with just a few lines of malicious code, they can hit home devastatingly quickly. As Google observed in its most recent Cybersecurity Forecast, “major global conflicts [will] continue into next year, [so] be prepared for an uptick in disruptive hacktivism.”
Political cyber attacks are just the tip of the iceberg. We are also seeing cybercrime rise with threats like cryptocurrency mining malware injected into otherwise benign software.
For businesses in the United States, this is a problem. Research indicates that American companies simply don’t take cybersecurity as seriously as counterparts in other countries; only 52% of US firms say digital defense is a priority, versus a global average of 73%.
This has to change. Business leaders must recognize that in an increasingly tech-centric world, cyber threats are going to grow in complexity and sophistication to levels that mirror our growing reliance on complex and sophisticated software. As such, cybersecurity can no longer be an afterthought but a central thread woven through every facet of IT operations. Getting this right means embracing an innovative, multidisciplinary digital approach that can root out vulnerabilities before real damage is done.
Baked-in Security with DevSecOps
The push to integrate security into the development and operations of software, known as DevSecOps, has advanced significantly in recent years, and for a good reason: by combining cross-functional teams, the software development life cycle (SDLC) can be enhanced, automated, and accelerated.
Yet DevSecOps still isn’t mainstream. The root causes are more complex than a decades-old perception that security hinders development speed. There are financial constraints, as comprehensive DevSecOps requires investment in tools, training, and process changes. Additionally, there is a mismatch in incentives and priorities between executives focused on profit and costs versus security teams primarily concerned with risks versus developers wanting to release features. This can lead to a lack of buy-in, which, in turn, often results in cyber defenses being tacked on at the end of the process as a gate, as opposed to being embedded from the start.
However, there are now established practices to build security into software as the development progresses. The key is removing outdated legacy application security testing (AST) tools that hinder the SDLC, replacing them with more modern systems with a high degree of automation, and integrating well with existing developer workflows. This allows for seamless vulnerability scanning and analysis of internal code and third-party dependencies. Another important technique is the codification of security policies, such as access control policies, into reusable and testable assets, known as ‘policy as code.’ By integrating these policy tests into the development pipeline, teams can automatically verify that new code adheres to enterprise security standards.
The shift from gating function to full integration improves security, user experience, and development pace. Fundamentally, by streamlining risk management and helping eliminate bugs early, DevSecOps allows for more efficient security testing, ultimately enabling a more effortless digital transformation for the end user.
Maintaining Integrity Throughout the Supply Chain
The movement towards DevSecOps has happened parallel to the mounting threat to software supply chains.
Targeting the tools provided by trusted third-party vendors, supply chain attacks create a weakness at one part of the digital assembly line that filters down to programs further along the SDLC. One recent example was the breach against software designer CyberLink, carried out by North Korea–backed hackers, that later infiltrated customer systems in multiple countries, including the US and Canada.
This sort of incident isn’t a rarity. In late 2020, the notorious SolarWinds hack put supply chain intrusions on the map, with cybercriminals installing backdoors in a popular IT management platform to launch subsequent attacks on dozens of downstream customers. Since then, the threat has grown significantly: between 2022 and 2023, 61% of US businesses were affected by a supply chain assault, with half of IT professionals stating that they believe the danger posed by such attacks is “high” or “extreme.”
By bringing security into the SDLC earlier, software supply chain risks can be mitigated as the integrity of components and dependencies is continually scrutinized before a product goes to market. An effective DevSecOps team will consider potential security issues from the beginning of the development process – the planning stage – and maintain that focus during sourcing, building, testing, deployment, and monitoring.
However, achieving true transparency and control within the supply chain requires more than just internal vigilance. Emerging open-source tools, like Graph for Understanding Artifact Composition (GUAC), promise to play a crucial role. Acting as a central hub, aggregating and mapping software security metadata, GUAC gives DevSecOps personnel greater visibility into their software components.
See More: How to Bridge the Divide Between DevOps and AppSec
Embrace Zero Trust
With DevSecOps spanning the length and breadth of the software supply chain, the risk of an attack is reduced. However, weaknesses will remain without robust frameworks to govern this security-meets-development-and-operations approach.
That’s why many organizations are embracing Zero Trust: a model that requires all users, whether within or outside the network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted access to applications and data. Historically, network security has focused on perimeter-based controls, like firewalls, to prevent access to the network. By adopting this zero-trust mentality, companies can safeguard their data and digital assets by enabling precise access control, limiting the blast radius in case of a breach, and providing visibility into network interactions to detect suspicious activity.
A “never trust, always verify” policy doesn’t have to be limited to devices and users – it can be extended to the SDLC through open specifications like SLSA (supply-chain levels for software artifacts). SLSA provides a framework for associating claims made by a trusted identity about critical software development practices, such as how the software was built, with the software artifacts themselves. In other words, it provides a way to trace how software was developed, built, and published.
For example, an SLSA-enabled system could restrict a package from running in production environments unless its artifacts are accompanied by an attestation asserting it has passed through required security scans. With software supply chain details and security posture codified and standardized, organizations can apply Zero Trust to validate and authorize critical phases of the SDLC.
Identities and claims can be confirmed through signatures and managed via open-source tools like GUAC, enabling organizations to verify supply chain integrity and significantly reduce the attack surface. By extending Zero Trust to cover more of the modern, dynamic software ecosystem, threats targeting third-party component vulnerabilities can be better anticipated and mitigated. All of this raises security confidence across the supply chain.
Taking Security Out of Its Silo
As geopolitical tensions rise in 2024, businesses can no longer afford to view cybersecurity as a secondary concern. Supply chain attacks and sophisticated nation-state hackers have made it clear that digital threats to the systems that run countries and the global economy are becoming more elaborate. Companies must respond with an equally multifaceted approach centered around DevSecOps.
By taking security out of its silo and baking it into development from day one, organizations can move faster while also identifying vulnerabilities early. This proactive security culture must stretch across the entire software supply chain, leveraging innovative open-source tools to apply zero-trust principles to third-party components.
Between mounting global uncertainty and the accelerating pace of the digital economy, the margin for error has never been smaller. Attacks that once took weeks or months to materialize can now be launched in minutes. In an age of rising cyber risks, integrating security across the entire development lifecycle is no longer an option – it’s an imperative.
How can businesses embrace DevSecOps and Zero Trust principles? Let us know on Facebook, X, and LinkedIn. We’d love to hear from you!
Image Source: Shutterstock
MORE ON DEVSECOPS
- DevSecOps Accelerates Incident Detection, Response Efforts
- Using a Least Privilege Framework to Boost DevSecOps
- A Realistic Approach to Adopting DevSecOps and Shift-Left Practices
- Unlocking a More Secure Cloud: An Introduction to Security as Code (SaC)
- Based on the Solarwinds Cyberattack, Rethinking DevSecOps To Meet the Dynamic Threat Landscape
