How to Plug Common Supply Chain Vulnerabilities
From a software development life cycle (SDLC) perspective, security is the most crucial aspect of businesses, as security vulnerabilities pose risks for large and user-facing organizations. As a result, enterprises invest heavily in making software security a priority.
Being a privacy-centric enterprise or team can add exceptional benefits as a whole. Customers value the software security features the enterprise is building and enhancing just as much as the usability. But achieving the milestone needs careful consideration with strict implications on the SDLC security best practices and guidelines.
The SDLC contains checkpoints for security to guard the confidentiality, availability, and integrity of the overall system and the data within it. The SDLC merged with the OWASP software maturity model (OWASP SAMM) can help formulate and implement an enterprise-wide strategic roadmap for application security.
What Is the Software Supply Chain?
The software supply chain is a discipline that encompasses teams(both internal and external), methodologies, tools, and best practices for bringing a software artifact live from design to deployment.
In recent times most innovative and disruptive services and digital experiences developed using open source software by remote teams.
Open source libraries attract developers with their shiny features enabling engineers to bump up the development by reducing the time to market and cost implications.
But flaws and complications emerge in using open source software due to a lack of control over the source code and feature releases over time with patches, and they come with a risk of open source supply chain attacks.
Inadequately developed code with hardcoded secrets and loosely architected infrastructure is prone to frequent attacks.
Most Popular Vulnerabilities
Software vulnerabilities are prevalent in organizations of all levels. Budding companies are more likely to fall victim to such attacks as they focus on bringing new features to the market under tight deadlines. Unfortunately, these exposures don’t make it to the headlines to bring awareness to the tech community. Let’s discuss a few of the most widespread and impactful historical incidents.
At one point in time, the breaking news of the attack against SolarWinds shook the tech world. The event became an excellent example of the dangers of inadequate security practices.
The catastrophe emerged when an intern failed to set up a complex password. Attackers snugged into the SolarWinds system through a weak password combination using a method called password spraying and managed to push malware via a backdoor onto all dependent enterprises. The supply chain attack was identity-based which updated the SolarWinds update server.
Enforcing strong password policies on the system with additional security layers such as MFA could have evaded the disaster.
A similar incident occurred at the Vietnam government certification authority. Attackers bypassed the website firewall and inserted additional installer files onto the VGCA installer apps, which are customer-facing applications offered by VGCA for the digital signature offering.
The overall activity was successful because attackers found a gap in the website design as the overall design was a little flawed. The backdoor attack was avoidable with strict firewall restrictions, access controls, and privileged permissions.
For another example of how vulnerabilities can cripple a system, let’s look at Bitcoins. Bitcoins can be exposed easily and stolen if the service provider fails to maintain security guidelines.
Copay, a Bitcoin wallet, suffered a supply chain attack when a mobile application that hosts the bitcoin wallet had a bug. The bug in the architecture came through the package vulnerability of an open source Javascript tool node package manager (NPM). This bugged version was made public and allowed the hacker to alter the apps to load refactored code and gain access to the JS library.
The bug could have been detected and remediated with vulnerability scanning tools in the version control and deployment pipeline.
Moving Parts for Managing the Software Supply Chain
A well-articulated blueprint that follows solid documentation, cybersecurity, risk remediation, and management best practices eliminates potential vulnerabilities and boosts software supply chain security. Organizations must adapt “secure by design” engineering principles and a shift-left strategy for establishing a comprehensive DevSecOps toolchain.
Stage 1: Secure Coding Literacy
Primarily, enterprises should adopt exclusive learning and development programs on security and risk management. As development teams rush towards improving their technical skill, a common goal that enterprises should share is ways to help developers become security champions.
Application vulnerability assessments and security courses are needed to keep the engineers aligned with business goals.
Stage 2: Threat Modeling
Identifying security risks way before the development and operations catch up is essential. This stage ensures overall design and development strategy aligns with organizational security standards.
Threat modeling presents organizations with a structured approach to identify, analyze, evaluate and mitigate risks at the early stages of development. Threat models show promise concerning security by allowing developers and architects to think from the attacker’s standpoint, allowing them to plan and design a secure system.
<?xml version="1.0" encoding="utf-8"?>
<KnowledgeBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Manifest name="Basic threat modelling design" id="5d3b996b-bac2-8cf6-3b39-617bb67bf042" version="4.1.0.11" author="TwC MSEC" />
<ThreatMetaData>
<IsPriorityUsed>true</IsPriorityUsed>
<IsStatusUsed>false</IsStatusUsed>
<PropertiesMetaData>
<ThreatMetaDatum>
<Name>Title</Name>
<Label>Title</Label>
<HideFromUI>false</HideFromUI>
<Values>
<Value />
</Values>
<Id>5d3b996b-bac2-8cf6-3b39-617bb67bf042</Id>
<AttributeType>0</AttributeType>
</ThreatMetaDatum>
<ThreatMetaDatum>
<Name>UserThreatShortDescription</Name>
<Label>Short Description</Label>
<HideFromUI>true</HideFromUI>
<Values>
<Value>Threat modeling is critical and mandate phase in secure software development</Value>
</Values>
<Id>ac0f9ea8-aed5-4d95-4ce9-6787124d7b48</Id>
<AttributeType>1</AttributeType>
</ThreatMetaDatum>
<ThreatMetaDatum>
<Name>UserThreatDescription</Name>
<Label>Description</Label>
<HideFromUI>false</HideFromUI>
<Values>
<Value />
</Values>
<Id>5d3b996b-bac2-8cf6-3b39-617bb67bf042</Id>
<AttributeType>0</AttributeType>
</ThreatMetaDatum>
<ThreatMetaDatum>
<Name>Priority</Name>
<Label>Priority</Label>
<HideFromUI>true</HideFromUI>
<Values>
<Value>High</Value>
<Value>Medium</Value>
<Value>Low</Value>
</Values>
<Description>Priority</Description>
<Id>ac0f9ea8-aed5-4d95-4ce9-617bb67bf042</Id>
<AttributeType>1</AttributeType>
</ThreatMetaDatum>
</PropertiesMetaData>
</ThreatMetaData>
<GenericElements>
<ElementType>
<Name>Threat modeling Process</Name>
<ID>GE.P</ID>
<Description>General approach to define a threat model</Description>
<ParentElement>ROOT</ParentElement>
<Image>Image_ref</Image>
<Hidden>false</Hidden>
<Representation>Ellipse</Representation>
<StrokeThickness>0</StrokeThickness>
<ImageLocation>Centered</ImageLocation>
<Attributes>
<Attribute>
<Id>002864b3-9a4e-4d21-8a4d-8aea1d2e3056</Id>
<IsInherited>false</IsInherited>
<IsOverrided>false</IsOverrided>
<Name>codeType</Name>
<DisplayName>Code Type</DisplayName>
<Mode>Dynamic</Mode>
<Type>List</Type>
<Inheritance>Virtual</Inheritance>
<AttributeValues>
<Value>Not Selected</Value>
<Value>Managed</Value>
<Value>Unmanaged</Value>
</AttributeValues>
</Attribute>
</Attributes>
</ElementType>
</StandardElements>
</KnowledgeBase>Stage 3: Code Review
Code should be mandated for code review by peers. Enabling over-the-shoulder and email pass-around reviews allows the development teams to detect bugs and defects during the early stage of development.
Delays and vulnerability misses can arrive in the code even with careful considerations and manual efforts. The most common misses include if there are any missing programming constructs, the overall code complies with security standards, and the code passes lint and type hint checks.
Tool-assisted code reviews are less error-prone and avert vulnerability risks. GitHub can prove to be a reliable and efficient tool for code audits and code reviews on the go, with version control as an added advantage.
Stage 4: Scanning through Automated Tools
Automating the code review before merging into the master is of utmost importance. Failing to pass the pre-defined checks highlights the issues in the code and enables a feedback loop for developers to refactor and secure the overall codebase.
WhiteSource for developers, Codacy, and Codecov are automated review tools available through the GitHub marketplace to swiftly integrate into your codebase and attain tech stack requirements. These tools use the shift-left approach for open source scanning and indexing of all the existing GitHub Repos.
Stage 5: Static Code Scanning and Security Testing
Automating code debugging and reviews while skipping the execution via pipelines can be fruitful during the build and deployment stages. Advanced pipeline automation tools, like Jenkins, are loaded with a wide array of code review plugins.
Static code review plugins like FindBugs perform code review and analysis by running pre-defined checks and logic, returning an output file. Jenkins can parse the output file from the job, highlight the errors, and list the warnings encountered by following a top-down approach at the directory level of code and presenting a detailed summary of the overall analysis graphically.
Code sample:
trigger:
branches:
include:
- feature
- main
paths:
include:
- src/*
- tests/*
pool:
Image: 'centos/latest'
jobs:
- job: codereview
displayName: review and report
steps:
- checkout: self
lfs: true
- task: UsePythonVersion@0
displayName: 'Set Python version to 3.9'
inputs:
versionSpec: '3.9'
- script: pip3 install --user -r requirements.txt
displayName: 'Installing required dependencies'
- script: |
python -m behave --junitxml=./validation_test-checks.xml
displayName: 'Running behave tests'
- task: PublishBehaveResults@1
displayName: 'bumping out behave test results'
condition: passOrFail()
inputs:
testResultsFiles: '**/validation_test-*.xml'
testRunTitle: 'Publish behave test results for Python $(python.version)'Conclusion
Software supply chain vulnerabilities are unavoidable beasts. When ignored, they can bring down an entire system impacting both business and reputation. The SDLC encompasses numerous techniques and toolsets for making security a primary milestone of the software journey.
The overall development phase has to follow the above-highlighted stages starting from security literacy, threat modeling, peer code review, automated code checks, and static code scanning and security testing.
