Enterprise software development has graduated from the “waterfall” framework of development and operations – and has become less linear, more complex and, in several ways, more difficult to secure. While contemporary software supply chain practices allow developers to manage that complexity and deliver software efficiently at scale, unaddressed gaps and vulnerabilities within the process continue to be exploited by threat actors.
That’s why security measures within every step of software development and supply chain must take top priority as attacks continue to be directed to the application layer — and often succeed in penetrating the network and executing malicious instructions.
Why Does the Software Supply Chain Pose Risks to the Business?
As most developers utilize open-source software package repositories, such as NPM (Node Package Manager) or PyPI (Python Package Index), to build and develop new applications, this software supply chain acts as a vehicle for carrying those assets into various applications used within organizations. If production code is infected with malware or vulnerabilities that were inadvertently sourced from the repository, it may contaminate all organizations that come in contact with it — whether by using the code already in their software development life cycle or by launching presumed trusted applications from third parties who failed to validate their own code. Therefore, the implementation of strict security measures, validation checks, and continuous monitoring of open-source code and development repositories is a requirement in any modern organization.
Risks in Software Development Life Cycle (SDLC)
The SDLC encompasses the initial design, development, testing and deployment of an application. The actions within the internal software development lifecycle often fall short in implementing critical security policies, processes, and controls, hence many attacks may not be detected by security systems.
That’s why it’s vital to establish security practices within the SDLC, from training developers on secure coding practices using open source libraries to factoring in detection capabilities including static analysis, dynamic analysis, software composition analysis and manual penetration testing. Implementing a secure SDLC process ensures that the development effort is protected by these activities, augmenting code reviews and infrastructure analysis.
How to Prepare Your Company for Choosing a Solution
The security controls necessary to prevent and mitigate SDLC and supply chain cyber threats require stringent software installation and pathway tracking practices for all code and applications within your enterprise. However, to establish an IT infrastructure that allows those processes to be effective, it’s vital to determine the state of your current security measures and address any gaps. This assessment may be influenced by the security maturity of your enterprise, which factors in skills, processes and technologies available.
Determining where your organization stands in the security maturity model will allow you to leverage a more comprehensive approach to cybersecurity. From defining manual processes within your organization to reviewing current compliance and audit standing, getting a full inventory of your enterprise’s security will prepare your company for choosing a solution. To establish your organization’s security maturity level, and its ability to withstand a software supply chain attack, consider the following factors:
- Team awareness and security training
Understanding your teams’ readiness and maturity must first begin by assessing awareness of key elements for successfully securing SDLC processes. Specifically, seek to gain understanding of teams’ awareness of vulnerabilities and malware in third party and open source components, the controls necessary to mitigate those risks, and ways in which they would validate those controls. With this assessment complete, it becomes easier to lay the groundwork for strategic and specific training recommendations for teams involved in any software development processes.
- Current operations and support
Consider that many successful software development processes maintain separate teams for development and QA with defined roles and documented framework for defining tasks. Similarly, these teams maintain well-established role-based access control with clearly defined permissions. If current operations are not defined with clearly delineated responsibilities, software development teams risk unauthorized access to the source code, unauthorized access to production systems, expansion of the attack surface, or malware injection through unauthorized changes or additions.
- SDLC security measures
Once an organization has established separation of duty and control for each of its teams, the SDLC should require systems that provide source code control, bug tracking, test tracking and management sign-off tracking for key milestones. Additionally, teams should be required to conduct backups and to maintain offsite storage and disaster recovery policies. The SDLC should also require the use of only stable versions of open source libraries that have been curated by trusted third parties or scanned using an application security testing tool. As code is developed, organizations should host code reviews–manual or automated–for all check-ins before becoming part of the build. Vulnerability mitigations, as provided by the programming language and the operating system, should be investigated and enabled to reduce impact of security related bugs. Nearing the end of the cycle, release candidates and associated bills of materials should be scanned to ensure complete and clean third party and open source components, and then tested, including penetration testing, in a staging environment identical to the production environment. Finally, all In-house built software should be digitally signed to provide its users with the package identity and integrity verification mechanism.
All developers, QA engineers and devops personnel should complete regular security training with an emphasis on containers, malware and secure SDLC processes. Management should be committed to ensuring training opportunities, as well as provide sign-off for any changes to access, roles, release to staging and releases to production.
- SOC gaps and threat visibility
When assessing overall team maturity, it’s also important to understand any potential weaknesses in your SOC team should there be an incident. The most common gaps in SOC effectiveness include automation and orchestration, asset discovery and inventory, and manual event correlation. Understanding where these potential holes are allows teams to more effectively shore up defenses and improve threat visibility.
- Incident Response (IR) times
According to the SANS 2019 Incident Response survey, 52.6% of organizations had a mean time to detect (MTTD) of less than 24 hours, while 81.4% had an MTTD of 30 days or less.
Once an incident is detected, 67% of organizations report a mean time to respond (MTTR) of less than 24 hours, with that number increasing to 95.8% when measuring an MTTR of less than 30 days. However, according to the Verizon Data Breach Investigations Report, 56% of breaches took months or longer to discover at all. That’s an incredible amount of time for the bad guys to be inside the perimeter while preparing to exfiltrate data. Improving detection and response and response rates can go a long way to minimizing risk or potential damage.
- Performance in IT audits and compliance
While audits can be uncomfortable because they force organizations to self-examine and assess any flaws in IT infrastructure, they are important because they help organizations stay ahead of insider threats, security breaches, and other cyberattacks that put corporate security, reputation, and finances at risk. Third-party software platforms can help aggregate information and continuously monitor corporate IT security strategies. Before conducting an audit, stakeholders should agree on who owns responsibility for these audits, whether or not they should be automated or conducted manually, and the frequency with which they are conducted. Similarly, there should be agreement on security audit standards or as it applies to compliance regulations, whether from a broad security perspective or more sector-specific view, such as HIPPA for healthcare, PCI DSS for credit cards, etc. Moreover, implementing best practices, including establishing baseline metrics, and having a checklist for expectations, will go a long way to establishing a clear picture of the strengths and weaknesses of enterprise IT security – and any implications that may also have on the SDLC.
Once you determine the maturity level of your enterprise, the next steps include improving appropriate measurements and metrics. Further automation, implementing new security guidelines and advancing the activities within the existing framework will allow your enterprise to progress its security measures and close gaps in the SDLC and supply chain operations.