Improving software supply chain security for cloud applications and workloads

The cloud has revolutionized the way businesses operate, providing a scalable and cost-effective solution for storing, processing, and sharing data. However, with this growth has come new security concerns, particularly around the cloud software supply chain. This blog post articulates some of the security risks inherent within the cloud software supply chain and provides recommendations to mitigate these risks.

Understanding the cloud software supply chain

The cloud software supply chain comprises the processes and systems used to develop, distribute, and manage software in a cloud computing environment. Key aspects of cloud software supply chain security include

• The infrastructure, platform resources, or third-party managed services (e.g., cloud provider PaaS or SaaS) used to build an IT environment, or the open source or commercial software platforms and services
• The tooling and processes involved in the development or deployment of an application throughout the software development life cycle (SDLC)
• The open source software (OSS) libraries and tools that application developers leverage when developing applications
• The third-party components and services used in the creation, distribution, and maintenance of cloud software, as well as the collaboration and communication tools used by teams and stakeholders involved in the process
• The people performing the various tasks of software creation, including software developers, cloud service providers, system administrators, security professionals, and many others

The cloud software supply chain is designed to quickly deliver code and applications to a cloud execution environment using components and capabilities including

• Code libraries and container images to help accelerate the development of new features and tools
• Infrastructure-as-code (IaC) components including open source templates
• DevOps pipelines that can help quickly deploy code from the developer’s laptop to production environments with limited manual steps or intervention

Why cloud software supply chain security is important

Security is a vital part of the cloud software supply chain for several reasons.

• Protecting sensitive data. The cloud is often used to store and process sensitive information, such as personal data, financial information, and intellectual property. Ensuring the security of the cloud software supply chain is critical for protecting this sensitive information from unauthorized access and breaches.
• Maintaining system reliability. Security is critical for ensuring the reliability and stability of cloud systems. A security breach or vulnerability in the software supply chain can cause widespread disruption, affecting multiple systems and potentially leading to data loss or theft.
• Preventing attacks. The cloud software supply chain is a potential target for attackers, who may seek to exploit vulnerabilities or access sensitive information. Ensuring the security of the software supply chain helps prevent attacks and protects against potential damage.
• Meeting compliance requirements. Many industries and governments have regulations and standards for data protection and security. Ensuring the security of the cloud software supply chain can help organizations meet these compliance requirements and avoid potential fines and penalties.
• Building trust with customers. The security of the cloud software supply chain is crucial for building trust with customers and partners. A breach or security incident can damage an organization’s reputation and reduce customer trust. By prioritizing the security of the cloud software supply chain, organizations can protect their reputation and build trust with customers.

The consequences of a software supply chain attack can be devastating. They include

• Threat actors gaining direct access to privileged credentials, proprietary codebases, and sensitive data
• Infrastructure being used for cryptomining, ransomware, and more
• Data exfiltration and IP loss

Ensuring the security and reliability of the cloud software supply chain, protecting sensitive information, and maintaining the smooth operation of cloud systems has become a critical goal for organizations.

Recommended approaches to secure cloud software supply chain

There are several approaches organizations can take to secure the cloud software supply chain.

Adopt secure design development practices

Secure design development practices include

• Scan any open source libraries and packages used with the applications
• Generate a software Bill of Material (SBOM) for components of the supply chain
• Ensure security of IaC components
  • Scan for misconfigurations
  • Automate IaC security scanning
  • Implement continuous security into the continuous integration and deployment (CI/CD) pipeline
  • Avoid hard-coded secrets
• Prevent IaC code tampering
  • Store IaC scripts in a version control system such as Git and use branch protection rules to prevent accidental or malicious changes
  • Ensure that only authorized users have access to the version control system and IaC scripts, and restrict access to sensitive data such as credentials and secrets
  • Sign the IaC scripts using a digital signature to validate their authenticity and prevent modification
  • Use a CI/CD pipeline to automatically build, test, and deploy IaC scripts, and integrate security testing into the pipeline
  • Regularly monitor the deployment of IaC scripts, track changes, and maintain audit logs to detect and investigate any tampering
• Detect and respond
  • Create a practice for converting IaC manifests to detect rules within the SIEM and SOAR systems
  • Create operational playbooks to react to discrepancies between the IaC manifests and runtime environments
• Identify and correct cloud drift
  • Integrate IaC manifests with cloud security posture management (CSPM) or cloud-native application protection platform (CNAPP) tools
  • Ensure the security of container images
  • Ensure proper open source software usage due diligence

Other recommendations include ensuring that networking and infrastructure security teams learn how to read and potentially write IaC manifests. A vulnerability management system should update components, deploy them automatically through IaC manifests, and reduce the risk rating according to compensating controls / the vulnerability’s applicability. And be sure to restrict access to environments.

Secure application development pipelines

Application development pipelines can be secured using a variety of techniques and practices.

• Input validation. Validate all inputs to prevent code injection attacks and ensure the pipeline is not vulnerable to malicious payloads.
• Code signing. Sign the code with a digital signature to verify its authenticity and prevent tampering.
• Secrets management. Store and manage secrets, such as credentials and API keys, securely and separately from the code.
• Vulnerability scanning. Scan for vulnerabilities in dependencies and third-party libraries, and use a vulnerability management system to track and remediate vulnerabilities.
• Monitoring and auditing. Monitor the pipeline for unauthorized access and suspicious activity, and maintain audit logs to investigate incidents.

You should consider these best practices.

• Improve third-party risk management of software suppliers and third-party providers. It is important to understand who is involved in the software supply chain and have a clear understanding of their security policies, practices, and systems. Regular audits and assessments should be conducted to ensure their security standards are in line.
• Ensure software is up-to-date. Regular software updates are essential for fixing bugs and vulnerabilities. It is important to implement a robust patch management process to ensure all systems are kept up-to-date.
• Implement mature access controls. Ensure that only authorized individuals have access to the cloud software and data. This includes access controls for the cloud providers and third-party providers.
• Encrypt sensitive data. Ensure that all sensitive data is encrypted, both at rest and in transit, to prevent unauthorized access.
• Leverage multifactor authentication. Implement multifactor authentication for all cloud accounts and systems to reduce the risk of unauthorized access.
• Conduct regular security assessments. Regular security assessments should be conducted to identify potential vulnerabilities and threats.
• Monitor activity logs. Monitoring activity logs is critical for detecting and responding to security incidents. Regularly review logs for any suspicious activity, and respond promptly to any potential threats.

Improve cloud monitoring and observability

Monitor your cloud to ensure you are always aware its status as well as any changes.

• Define and document monitoring requirements
• Use a centralized logging solution including centralizing logs from cloud resources into a centralized logging solution (e.g. Amazon cloudWatch Logs or Google Cloud Logging) to aggregate and analyze logs
• Define and monitor KPIs and performance metrics
• Implement automated alerts to notify of critical events or incidents, and use alerts to trigger actions such as scaling resources or restarting services
• Monitor security events including those related to application security, data security, identity and access management, and network security
• Monitor network traffic to detect potential security threats and ensure that traffic is flowing as expected
• Use dashboards and reports to visualize performance and health metrics, and to gain insights into the cloud environment
• Use tracing and correlation tools including correlating logs, application performance management (APM), automated correlation, and distributed tracing
• Leverage automation and machine learning capabilities including anomaly detection, predictive analytics, and automated alerting
• Continuously evaluate and improve cloud monitoring and observability practices and make improvements as needed to effectively manage the cloud environment
• Track cloud security Incidents including establishing mature incident response processes, investigating incidents, recording and reporting incidents, and learning from incidents
• Perform periodic assessments to understand the security posture of the cloud software supply chain