Effective software security activities for managing supply chain risks

Software Bill of Materials activities are on the rise

Software Bill of Materials activities increased by 367% over the last two years according to BSIMM12. The data shows an increase in capabilities focused on inventorying software, including creating a software Bill of Materials (SBOM); understanding how the software was built, configured, and deployed; and increasing an organization’s ability to redeploy based on security telemetry. It’s clear that many organizations have taken to heart the need for a comprehensive and up-to-date SBOM. In addition to the SBOM activity, there are over a dozen supply chain security activities that also show an increase.

Recommendations to manage supply chain risk

While an SBOM is at the heart of securing your software chain, there is much more to it than a simple inventory. The U.S. National Institute of Standards and Technology (NIST) has developed a Cyber Supply Chain Risk Management (C-SCRM) and Secure Software Development Framework that provides recommendations on how to manage supply chain risk. They include that organizations acquiring software should implement a comprehensive risk management program that includes a formal C-SCRM program. The program should be integrated across the organization, identify and manage critical software components and suppliers, include a plan for the entire life cycle, and more. As a part of the risk management plan, NIST also recommends the following steps:

• Identify key business goals and processes that drive revenue
• Create an inventory of current and future software licenses
• Research and document how software licenses are supported by its supplier
• Understand how your software supports key processes
• Create a plan to address software for which a vulnerability is disclosed

As the saying goes, prevention is better than cure. To that end, NIST also provides recommendations for how best to prevent supply chain attacks.

• Ask your software vendors if they adhere to secure software development life cycle (SDLC) practices, disclose vulnerabilities, offer patch management, and maintain a list of approved supplier list for products
• Request a software component inventory with software purchased

Since supply chain attacks can involve disparate software from multiple third-party sources that you might not be familiar with, malicious code within the software can easily go undetected.

Supply chain risk management actions to be taken now

Mandates are being introduced globally to enforce software supply chain security, but they are still in the very early stages of being defined. There are a lot of unknowns that will be determined in the coming months and years. The only thing we can be sure of is that change is coming, and we as part of the software security community need to be prepared to adapt our roadmaps and security initiatives accordingly. Nevertheless, there are actions that you can take right now to combat supply chain attacks.

Implementing a comprehensive C-SCRM program as outlined by NIST requires four essential components.

• A supply chain risk management roadmap. The first step in your software supply chain transformation journey should be to develop a plan to get to your desired state of security. This entails an evaluation of your software supply chain’s people, processes, and technology. This evaluation should be ideally performed by third-party experts who can utilize their supply chain security experience and “fresh eyes” to evaluate and establish a multiyear strategy to reduce risk in your supply chain.
• Software composition analysis (SCA). SCA and binary analysis are at the heart of any supply chain risk management solution. But not all SCA products are created equal. A complete SCA solution utilizes
  • Automated open source detection that goes beyond relying solely on declared dependencies so that all open source is discovered, and a complete inventory is compiled
  • Detailed security and compliance reporting plus regular insights on component quality, ensuring that you are always using high-quality components that are actively maintained by a robust open source community
  • The ability to automatically enforce open source governance, aligned with your unique risk tolerance, with limited input and action from development and operations teams

•  
  • A method to inspect a binary container image for open source components beyond what is disclosed in manifests, such as a Docker file
  • Analysis of applications and containers to discover security concerns including known and unknown vulnerabilities
    

• Malicious code detection. Are you confident that your system is free of malicious code? Malicious code can remain dormant for months or even years until it is activated. This type of code can hide beneath the surface of your software and is usually extremely hard to detect with traditional scanning tools. Security experts utilize a combination of intensive manual scanning and automated detection to find suspicious constructs in production binaries, configurations, and data. Experts also provide advice on appropriate methods of malicious code management and vulnerability remediation strategies.
• Cloud and container security. BSIMM12 showed a significant increase in new observations of activities related to securing the cloud and containers over the past two years. Research indicates that organizations are developing their own capabilities for managing cloud security and evaluating their shared responsibility models. The steps you can take to secure your infrastructure include
  • Define your cloud/container strategy and build a roadmap. Determine what strategies, capabilities, and activities your company should use to support an efficient cloud security program. This entails gaining visibility into your current cloud adoption state and defining an achievable future state by utilizing a proven cloud security reference architecture and maturity assessment framework.
  • Conduct an architecture risk assessment to examine your potential attack surface, determine where security controls are insufficient, and get recommendations from experts on how to improve them. A risk assessment also identifies technical risks that can lead to business risks, prioritizes the risks based on their likelihood of occurrence, and prescribes mitigation tasks.
  • Ensure a secure cloud migration with assessments both before and after the migration. This includes building and deploying cloud applications using secure reference implementations with baseline security controls, and also performing static application security testing, software composition analysis, and dynamic analysis.
  • Secure your containers. Identify and mitigate cloud container risks with a thorough vulnerability assessment, penetration testing, architectural risk / threat models, and DevSecOps considerations.
  • Optimize and manage the cloud. This entails performing regular cloud security posture management health checks for configurations, policies, controls, and integrations. It also includes remediating, investigating, and responding to alerts and incidents as necessary.
  • Prioritize and implement actions to improve threat posture and address gaps.

Supply chain security is really the ultimate test for your SDLC. You simply cannot build security into your supply chain with a weak SDLC. Without a secure SDLC, the information in your SBOM and data such as vulnerabilities, bugs, and flaws in your code and software system design will be revealed to your customers. The executive order and other supply chain security mandates can be the spark that ignites DevSecOps activities and propels you to embrace a security culture that permeates your SDLC and entire supply chain.

Finding the right people with the required expertise and experience in implementing the right solution, and setting, managing, and enforcing the appropriate risk management policies can be a daunting task, especially with the security resources shortage we are currently facing. Synopsys offers Black Duck®, a market-leading SCA solution, as well as hundreds of security services consultants with decades of experience in supply chain security.