August 1, 2024

What Is A Software Supply Chain?


Today’s software supply chains are complex and distributed. Learn about all of the different elements of the software supply chain and gain a deeper understanding of how they are vulnerable and how they must be secured against increasingly sophisticated cyberattacks.

What Is A Software Supply Chain?

A Software Supply Chain is the sum total of all the code, people, systems, and processes that contribute to the development and delivery of software artifacts, both inside and outside of an organization. The technology elements of the software supply chain fall into two main groups.

Software Supply Chain Elements: Applications

The elements of an organization’s applications are its own source code, open source dependencies (such as libraries, frameworks, and modules), and software artifacts.

Software Supply Chain Elements: DevOps Toolchain

Applications that are built and deployed according to modern DevOps processes involve code repositories, CI/CD tooling, artifact repositories, secret managers, and Infrastructure-as-Code-Management (IaCM) pipelines.

Why is the software supply chain the target of cyberattacks?

The software supply chain is an expansive, complex, and highly connected system of technology, people, and processes. Each of its entities, from DevOps tools to software artifacts, is vulnerable to attack in a myriad of ways, making the whole supply chain challenging to secure.

Software Supply Chain Attacks

Software supply chain attacks are increasing in number and in sophistication. According to Gartner Research, a software supply chain attack is the act of compromising software or one of its dependencies at any stage throughout its development, delivery and usage. Although the precise attack vector may vary in each case, the attacker usually gains unauthorized access to development environments and infrastructure including version control systems, artifact registries, open-source repositories, continuous integration pipelines, build servers or application servers. This allows the attacker to modify source code, scripts and packages, and establish back doors to steal data from the victim’s environment. Attacks are not limited to external actors; they can come from insider threats as well. (Source: Gartner | How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks - 2021)

Application Vulnerabilities

When it comes to security vulnerabilities in applications themselves, organizations’ codebases often contain known vulnerabilities whose detection and remediation are the main focus of DevSecOps and shift-left security practices. Modern applications are built with an increasing number of open source software dependencies, and over 80% of a codebase’s vulnerabilities are introduced through OSS dependencies. OSS is a significant security risk for organizations.

DevOps Toolchain Vulnerabilities

Though much of the supply chain security focus is on OSS dependencies, the elements of the DevOps toolchain are vulnerable and are also targets of supply chain attacks. Without proper code repo security, malicious code could be injected. Attackers could compromise poorly configured build infrastructure to use unauthorized source code, and a bad artifact could be introduced to a registry without the proper controls in place.

Guidance For Securing The Software Supply Chain

What does it take to secure the software supply chain? Initial efforts have been focused on establishing visibility and control of open source software (OSS) dependencies, which requires generating and managing Software Bills of Materials (SBOMs). DevOps toolchain elements such as code repositories, CI/CD tooling, and artifact repositories all need to be scanned and assessed against industry-standard risk and compliance frameworks such as the CIS (Center for Internet Security) Software Supply Chain Security Benchmark and the OWASP (Open Worldwide Application Security Project) Top 10 CI/CD Security Risks.
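The SBOM-driven visibility described above boils down to two steps: enumerate what is actually in the artifact, then compare that inventory against what is known to be bad. The following Python script is an added example, not code from Harness or from this page; it parses a constructed CycloneDX JSON SBOM, extracts each component's package URL (purl), and flags components whose version is below the fixed version in a constructed advisory list. The advisory identifiers (ADV-PLACEHOLDER-*) are placeholders, not real CVEs, and the version comparison is a simplified numeric-tuple compare rather than full semver or PEP 440 semantics.

```python
"""Minimal SBOM check: parse a CycloneDX JSON SBOM and flag components that
match a known-vulnerable list.  All inputs below are constructed for
illustration; nothing here describes a real project or a real advisory."""
import json

# Constructed CycloneDX 1.5 SBOM (not from any real build).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "requests", "version": "2.19.0",
         "purl": "pkg:pypi/requests@2.19.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Constructed advisory feed with placeholder IDs (not real CVEs).
# A component is affected when its version is below "fixed_in".
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "ecosystem": "pypi", "name": "requests",
     "fixed_in": "2.20.0"},
    {"id": "ADV-PLACEHOLDER-2", "ecosystem": "npm", "name": "lodash",
     "fixed_in": "4.17.12"},
]


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath'
    into (type, name, version).  Namespace is dropped for brevity."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):]
    # Qualifiers and subpath are optional trailers; discard them.
    body = body.split("?", 1)[0].split("#", 1)[0]
    type_, _, rest = body.partition("/")
    name_part, sep, version = rest.rpartition("@")
    if not sep:  # no version present
        name_part, version = rest, ""
    name = name_part.rsplit("/", 1)[-1]
    return type_, name, version


def version_key(v):
    """Numeric tuple for dotted versions.  Demo-grade only: real scanners
    must use the ecosystem's own ordering rules (semver, PEP 440, ...)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_json):
    """Return [(ecosystem, name, version)] for every component with a purl."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [parse_purl(c["purl"]) for c in bom.get("components", [])
            if "purl" in c]


def find_vulnerable(sbom_json, advisories):
    """Cross-reference SBOM components against the advisory list."""
    findings = []
    for ecosystem, name, version in load_components(sbom_json):
        for adv in advisories:
            if (adv["ecosystem"] == ecosystem and adv["name"] == name
                    and version_key(version) < version_key(adv["fixed_in"])):
                findings.append({
                    "purl": f"pkg:{ecosystem}/{name}@{version}",
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['purl']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

Run against the constructed SBOM, the script reports only requests 2.19.0, since lodash 4.17.21 is already above the advisory's fixed version and left-pad has no advisory. In a real pipeline the SBOM would come from a generator run at build time and the advisory data from a maintained source, and the check would gate promotion of the artifact to the registry rather than just print.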

Learn about how the Harness Software Supply Chain Assurance (SSCA) module prevents software supply chain attacks.
