Don’t fall prey to cyberattacks. Secure your software trail.
When you go to make dinner, how do you know the ingredients are fresh? When you buy a new car, how do you know it’s safe to drive? In both cases, you feel confident because manufacturers and regulatory bodies spend a lot of time and money ensuring that the components in their supply chain are thoroughly tested and certified, minimizing risk to customers. But what about software? How do you know that the applications and code you run in your organization—your software supply chain—are of good quality and free from tampering? More often than not, you don’t.
This is not an abstract problem. Perhaps the best known supply-chain attack happened last year to Solarwinds, an IT management software vendor, where nation-state actors injected malicious software into the official builds of the open-source software that the company used as part of its software. More recently, another IT management software provider, Kaseya, had to shut down its service after threat actors executed ransomware attacks against its users.
Even if your organization is lucky enough never to suffer a cyberattack, there are rising expectations around supply-chain security as the issue is covered almost daily by the media. Most recently, the White House released an executive order requiring organizations that do business with the federal government to maintain certain standards of software security, including how you secure your software supply chain.
Security in practice requires the ability to make changes quickly so that we can fix problems before they can be exploited.
Securing your software supply chain is tricky though. Unlike car parts, which don’t change very often, software components are constantly updated and changed. In fact, security in practice requires the ability to make changes quickly so that we can fix problems before they can be exploited. Also, while most car parts come from known manufacturers, software components have many levels of subcomponents, many of which come from open-source or third-party dependencies.
Couple that with the fact that these days, nearly every business is a software business. The pace of digitization accelerated nearly 7X globally during the pandemic, as huge portions of the economy moved to digital channels. This means enterprises across all sectors are dealing with the reality that software is intrinsic to their business. You don’t have to be a bank or the US government to be at risk. If you use software as part of your product offering, your users could be at risk, and that means the White House executive order deserves your attention.
Securing Your Software Supply Chain
Table of Contents
Fortunately, there is an emerging set of best practices that Google and other software companies have developed in collaboration with the U.S. government to help you deliver more secure software. The key is to be able to ensure a ‘certified and known’ good version of the software at any given time, down to the very smallest component code. This requires strict controls and checkpoints to capture and verify a chain of trust, also known as provenance, about the origins and path of every component that enters your software.
Internally, Google architected a system years ago that ensures a best-of-its-kind solution for managing a secure software supply chain that we’ve shared externally in blog posts and in our Building Secure and Reliable Systems book. Building on this internal expertise, including developer automation tools and security products, we’ve identified four key tactics that any enterprise can use to achieve better security for the software you create and run. And as an added bonus, following these precepts will not only help improve your software security, but also your developers’ efficacy and velocity—so your business can be more competitive.
1) Think beyond the firewall
Enterprises can no longer think of their software as a castle surrounded by a moat with crocodiles. Traditional approaches to security that think only about the network perimeter are no longer adequate. You need to look for threats and weaknesses at every point in your software’s lifecycle, starting from when it first gets created.
First, ensure that you have a trusted repository of all your source code, including any open-source software you use. From there, implement a trusted build service to ensure that all the code you run is trusted and has been validated. These steps will help you secure the software development process, creating the foundation to reduce the risk of attacks.
2) Standardize policies across environments
Once you have a process in place to secure your software development process, you need to create easily and scalably enforceable policies that span the entire software lifecycle, starting from code going all the way through when your software reaches end of life. For example, you might want policies that ensure code was built from a specified source repository and that proper tests were run, using the right tools and processes.
You then must uniformly enforce those policies everywhere you have software running, for instance in hybrid or multi-cloud deployments. Too often we see errors creep in when organizations try to replicate and reconcile policies between on-premises and cloud environments, leaving gaps for attackers. Also try to avoid translating rules and policies between different policy languages, and use options that are environment-agnostic.
You can either choose to manage these policies internally or you can choose fully managed services and technologies that provide a uniform policy language. Furthermore, some providers can give you pre-built templates for these policies to run through common policy scenarios.
3) Secure your open-source dependencies
The use of open-source software by enterprises is growing—especially among visionary organizations. Back in 2018, a report by Google Cloud’s DORA (DevOps Research Agency) found that high performing enterprises were 1.75 times more likely to use open source extensively, and were looking to grow their open-source footprint. And because using open-source software dramatically reduces the time it takes to get software to production, this only fuels its growth further.
However, open source can also increase how much third-party software you need to manage to ensure the safety of the software supply chain. It is not surprising that 2020 saw a 430% surge in open-source supply chain attacks, and why an estimated 84% of commercial code bases have at least one open-source vulnerability.
At Google we not only embrace open-source software, we also contribute to some of the most widely used open-source projects. To help improve the security of open source, we recently launched Open Source Insights—an interactive visualization site for exploring open-source software packages, and worked with industry partners to develop Open Source Scorecards.
Open Source Insights is unique in that it provides a transitive dependency graph, with continuously updated security advisory, license, and other data across multiple languages, all in one place. In conjunction with Open Source Scorecards, developers can use Open Source Insights to make better choices across millions of open-source packages. We have several additional efforts in progress for open source, e.g., oss-fuzz, osv, and sigstore that are worth following.
4) Keep up with security standards
Finally, don’t try to do everything yourself. In 2020, we helped found the Open Source Security Foundation to make progress in this domain. Some of these efforts are inspired by some of our own internal secure software supply-chain development capabilities that we’ve been using for years, and that are mandatory for all of Google’s production workloads. This work has led to the Supply-chain Levels for Software Artifacts (SLSA) framework, pronounced “salsa”, helping to ensure the integrity of software artifacts throughout the software supply chain. We also spearhead other standards creation efforts working with NIST and others. Learning about these standards and evaluating their applicability for your industry is a key part of establishing and demonstrating a secure software supply chain.
In short, the need to secure your software supply chain has never been more critical. The good news is that you can incorporate this practice into improving developer velocity by using open-source software and running a continuously updating supply chain.
To learn more about the issues and how to get started, join us at our upcoming Secure Software Supply Chain Day.