Harness Delivers End-to-End Software Supply Chain Security with SCS Module

Modern software supply chains are extremely complex, comprising not only everything that goes into an application, but also the entire CI/CD toolchain that delivers the application from developers to customers. Attackers love this complexity. They see each link in this chain as an attack vector, with the potential to compromise vulnerable elements without detection. Software supply chain attacks are on the rise in number and in sophistication and Gartner Research estimates that by 2025, at least 45% of enterprise organizations will have experienced at least one software supply chain attack.

In recent years, we’ve witnessed a series of high-profile attacks that emerged in the application space, targeting open source software dependencies. The log4j vulnerability is arguably the most notorious example of this type of breach, as it impacted tens of thousands of organizations and allowed attackers to execute commands remotely through a shell. 

Attacks like the one that compromised SolarWinds targeted the build systems where attackers exploited misconfigured CI/CD tools to replace legitimate source code with new files, giving them backdoor access that compromised tens of thousands of SolarWinds’ customers.

‍

To protect against sophisticated supply chain threats, we need a comprehensive supply chain security solution that can not only effectively block zero day vulnerabilities linked to OSS dependencies, but which can also prevent attackers from compromising code repositories, CI/CD tools, and artifact registries by identifying and eliminating security vulnerabilities and misconfigurations.

Announcing CI/CD Security Posture Management With Harness Supply Chain Security (SCS)

We routinely hear from customers with clear goals of bringing their software supply chains in line with the leading risk and compliance frameworks, such as CIS, OWASP Top-10, NIST, etc. that achieving their objectives is anything but straightforward. Fortunately, Harness has a deep and detailed understanding of the software supply chain, and since last year’s introduction of integrated features to govern open source software (OSS) dependencies using SBOMs and artifact promotion with SLSA build attestations, we’ve expanded our focus to CI/CD pipelines for end-to-end software supply chain security. 

The Harness Supply Chain Security (SCS) module is designed to prevent attacks similar to the CodeCov and Solarwinds hacks in different attacks paths by rapidly identifying security gaps and aligning code repos, CI/CD tools, and artifact registries with OWASP Top-10 CI/CD Security Risks, CIS Supply Chain Security Benchmarks and other essential risk frameworks. In addition to the Harness platform, SCS integrates with GitHub and other major 3rd party developer platforms.

Preventing Attacks And Achieving Continuous Software Supply Chain GRC With Harness SCS

Overall, when it comes to achieving continuous supply chain GRC (governance, risk management & compliance), there are three main stages. The first is focused on software artifact governance, where organizations define and enforce policies to control the use of OSS dependencies using SBOMs (software bill of materials) and artifact promotion using SLSA attestations. 

The second aspect, which is the focus of this blog– involves understanding supply chain security posture through pinpointing CI/CD toolchain risks and bringing code repos, CI and CD tools, and artifact repositories into compliance with major risk frameworks. Through the Supply Chain Security module, Harness makes this possible not only for Harness CR, CI, and CD, but also for 3rd party developer platforms such as GitHub.

Finally, continuous supply chain GRC relies on a readiness to quickly remediate any risk and compliance issues, including the removal of non-compliant OSS dependencies and blocking of dependencies impacted by zero-day vulnerabilities.

‍

‍

Harness SCS: A Look At CI/CD Security Posture Management 

The first step in building a detailed picture of your software supply chain security posture is to evaluate it against extensive risk and compliance rulesets. In Harness SCS, CIS Supply Chain Security Benchmark and OWASP Top 10 Security Risks for CI/CD and OSS are listed in detail in the ‘Rule Definitions’ section (shown below) of the SCS module’s compliance feature section.

‍

Next, running evaluations of your CI/CD pipelines’ security postures against these rulesets enables you to  pinpoint vulnerabilities and other security gaps, such as pipeline misconfigurations. The results of these checks are presented in the SCS module’s compliance dashboard, which displays rule failures by severity and evaluation trends over time. The bottom of the dashboard highlights rules that fail most often. In this particular example, this list includes 73 counts of failure because of pipelines being ‘vulnerable to command injection’.

‍

By clicking on a specific evaluation status, you can access detailed information about the rule, including the reason for its failure and general remediation steps to help address the issue identified.

‍

‍

Conclusion

Attacks on software supply chains will only continue to intensify, so it is critical to have the tools in place to rapidly assess and remediate areas of vulnerability across repos, CI/CD tooling, registries, software artifacts, and other elements in the chain. If you’re a CISO or a compliance leader, you know first-hand that bringing your software supply chains into compliance can be a convoluted process. The good news is that Harness SCS now gives you the tools and workflows to enable fast identification and remediation of improper CI/CD access controls, misconfigurations and vulnerabilities. These capabilities make software supply chain GRC substantially easier for you!

‍

Want to learn more about what Harness SCS can do for your software supply chain security posture? Sign up for a demo!

‍

‍