Harness SSCA now offers repo security posture management (RSPM)!
Securing the software supply chain has rapidly become one of the toughest security challenges that software organizations face. Early approaches focused mainly on mitigating open source software (OSS) risks: modern applications are built from scores of OSS dependencies, which have come to account for approximately 80% of known vulnerabilities introduced into application codebases. Supply chain security solutions are now expected to offer a more comprehensive feature set, one that also covers security posture management of the DevOps toolchain.
We first introduced the Harness SCS module (originally named Harness Software Supply Chain Assurance, or SSCA) as a solution for mitigating the risk of unforeseen OSS dependency vulnerabilities, through governance using SBOMs (Software Bills of Materials) and through governance of artifact promotions using SLSA (Supply-chain Levels for Software Artifacts) build attestations. Equipped with Harness SCS's detailed real-time remediation tracking, customers are ready to quickly handle zero-day vulnerabilities or showstopper compliance issues related to an OSS library.
With OSS dependencies as our starting point in the software supply chain, we then turned our attention to code repositories. Code repos contain many of an organization’s software “crown jewels”, including application logic and, more recently, infrastructure configurations, and thus are increasingly targeted by attackers. Repos commonly lack proper identity and access management and proper configuration, and self-managed or open source repository tools carry inherent vulnerabilities of their own. Inadequate access controls on a code repository risk allowing unauthorized users to introduce vulnerabilities or malicious code into an application’s codebase. Similarly, a misconfigured build server might execute untrusted code, leading to a compromised build. In a deployment pipeline, improper configurations can result in the deployment of unverified or malicious software artifacts to production environments.
As the vast majority of organizations set their sights on industry-standard risk frameworks, such as the CIS Software Supply Chain Security Benchmark and the OWASP Top 10 CI/CD Security Risks, they struggle to identify and resolve the gaps those frameworks highlight in their repo security posture.
Introducing Repo Security Posture Management with Harness SCS
We’re thrilled to announce that Harness SCS now enables you to identify misconfigurations in your code repositories with confidence, starting with automated scans that pinpoint security issues, and to comply with industry standards. Here are some more details about how it works.
First, users integrate their code repos with Harness SCS through the simple installation of an app that facilitates the connection between the repo and the SCS module. The initial release provides coverage for GitHub code repos with coverage for other providers coming soon.
Harness SCS then performs a comprehensive scan of the target code repo, building a detailed assessment of the repo’s security posture against the CIS Software Supply Chain Security Benchmark and the OWASP Top 10 CI/CD Security Risks frameworks.
The summary dashboard (above), along with the detailed lists of rule violations and their respective severity levels in the ‘Risk & Compliance’ tab (shown below), helps security and DevOps teams home in on issues and their root causes.
In the ‘Risk & Compliance’ view below, SCS shows the results of a repo’s security posture scan against the CIS Software Supply Chain Security Benchmark. Here, we can see that the target repo fails to meet several critical- and high-severity security criteria. For example, SCS shows that the repo isn’t properly configured to prevent branch deletion. The repo also fails to require that new code changes carry verified signed commits before they are merged. In this case, the repo’s security settings need to be changed.
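To make the kind of check described above concrete, here is an added example (not Harness code, and not the SCS rule engine) that evaluates a repository's branch-protection settings against a handful of benchmark-style controls, including the two the post calls out: branch deletion must be prevented and signed commits must be required. The settings dictionaries are constructed for the example; their shape is modeled on the fields of GitHub's branch-protection API (`allow_deletions`, `required_signatures`, `enforce_admins`, `allow_force_pushes`, `required_pull_request_reviews`), which is an assumption about the input rather than a fetched result. The rule identifiers (`RSPM-01` and so on) are placeholders, not CIS Benchmark numbering.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed branch-protection settings for two branches of one repo.
# Keys mimic the shape of GitHub's branch-protection API response
# (assumption, not fetched data): each control is an object whose
# "enabled" flag says whether it is on.
SAMPLE_BRANCH_PROTECTION: Dict[str, dict] = {
    "main": {
        "allow_deletions": {"enabled": True},          # deletion NOT prevented
        "required_signatures": {"enabled": False},     # signed commits NOT required
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "enforce_admins": {"enabled": False},
        "allow_force_pushes": {"enabled": False},
    },
    "release": {
        "allow_deletions": {"enabled": False},
        "required_signatures": {"enabled": True},
        "required_pull_request_reviews": {"required_approving_review_count": 2},
        "enforce_admins": {"enabled": True},
        "allow_force_pushes": {"enabled": False},
    },
}


def _flag(settings: dict, key: str) -> bool:
    """Return the 'enabled' boolean of a control object; a missing or
    malformed control is treated as disabled (fail closed)."""
    value = settings.get(key)
    return bool(value.get("enabled", False)) if isinstance(value, dict) else False


def _review_count(settings: dict) -> int:
    """Number of approving reviews required before merge; 0 if unset."""
    reviews = settings.get("required_pull_request_reviews")
    if not isinstance(reviews, dict):
        return 0
    return int(reviews.get("required_approving_review_count", 0))


@dataclass(frozen=True)
class Rule:
    rule_id: str    # placeholder ids, not real benchmark numbering
    title: str
    severity: str   # "critical", "high" or "medium"
    check: Callable[[dict], bool]   # returns True when the branch passes


RULES: List[Rule] = [
    Rule("RSPM-01", "Branch deletion is prevented", "critical",
         lambda s: not _flag(s, "allow_deletions")),
    Rule("RSPM-02", "Force pushes are denied", "critical",
         lambda s: not _flag(s, "allow_force_pushes")),
    Rule("RSPM-03", "Signed commits are required", "high",
         lambda s: _flag(s, "required_signatures")),
    Rule("RSPM-04", "Protection rules also apply to admins", "high",
         lambda s: _flag(s, "enforce_admins")),
    Rule("RSPM-05", "At least two approving reviews are required", "medium",
         lambda s: _review_count(s) >= 2),
]


@dataclass(frozen=True)
class Finding:
    branch: str
    rule_id: str
    title: str
    severity: str


def evaluate(branch_protection: Dict[str, dict]) -> List[Finding]:
    """Run every rule against every branch and return one Finding per
    failed rule, ordered so the highest-severity problems come first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = [
        Finding(branch, rule.rule_id, rule.title, rule.severity)
        for branch, settings in branch_protection.items()
        for rule in RULES
        if not rule.check(settings)
    ]
    findings.sort(key=lambda f: (order[f.severity], f.branch, f.rule_id))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, the numbers a dashboard tile would show."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    results = evaluate(SAMPLE_BRANCH_PROTECTION)
    for f in results:
        print(f"[{f.severity:8}] {f.branch:8} {f.rule_id}  {f.title}")
    print(summarize(results))
```

Run against the constructed data, the `main` branch produces one critical finding (deletion allowed), two high findings (unsigned commits accepted, admins exempt) and one medium finding (a single review suffices), while `release` passes every rule. The fail-closed treatment in `_flag` matters in practice: a control that is absent from the API response should be reported as a gap, not silently counted as satisfied.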
The SCS module’s RSPM feature set also includes a listing of the target repo’s dependencies. Each dependency is listed along with its name, version, license, package manager, PURL, and supplier. The listing is easily filterable by these parameters.
Harness SCS also displays the results of security scans run on the code from the target repo. Running application security tests requires a Harness STO (Security Scanning Orchestration) license. Harness STO natively integrates Semgrep SAST scanner, Gitleaks Secret Detection, and OSV and OWASP Dependency Check for SCA scanning.
Given the rise in the number and sophistication of attacks on software supply chains, it is critical that software organizations adopt tools that allow them to rapidly assess and strengthen the security posture of their code repositories, as well as other key elements of the software supply chain. Harness SCS now offers an RSPM feature set that can be easily integrated with all major Git providers to enable fast identification and remediation of improper access controls, misconfigurations and vulnerabilities.
Want to learn more about what Harness SCS can do for your software supply chain security posture? Sign up for a demo today!