{"id":22210,"date":"2022-06-03T20:53:41","date_gmt":"2022-06-03T20:53:41","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=22210"},"modified":"2022-06-03T20:53:43","modified_gmt":"2022-06-03T20:53:43","slug":"how-to-prevent-software-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/trends\/how-to-prevent-software-supply-chain-attacks\/","title":{"rendered":"How to Prevent Software Supply Chain Attacks"},"content":{"rendered":"\n

Software supply chain attacks<\/a> present an increasingly worrying threat. According to a recent BlueVoyant study, an impressive 97 percent of companies surveyed have been negatively impacted by a security breach in their supply chain, and 38 percent said they have no way of knowing about any potential issues with a third-party supplier\u2019s cybersecurity<\/a>.<\/p>\n\n\n\n

Ankur Shah, senior vice president for Prisma Cloud products at Palo Alto Networks, told eSecurity Planet <\/em>that high-profile threats like the Log4j<\/a> and Spring4Shell<\/a> vulnerabilities have kept these concerns at top of mind \u2013 and they’re becoming more prevalent, Shah said, for three key reasons.<\/p>\n\n\n\n

3 Causes of Growing Supply Chain Threats<\/h2>\n\n\n\n

First, Shah said, years ago when he was a developer, nothing he built would be deployed until after extensive security and QA testing. “Now, developers can pretty much, from their IDE, click a button and get the whole thing tested, secured, deployed, within minutes,” he said. “Customers are shipping applications every hour, every day, whenever they want, and businesses love that. It’s a circular trend, and it’s not going to change \u2013 developers are not going to go slowly because of quality or security.”<\/p>\n\n\n\n

Second, the number of developers has quickly outpaced the number of security pros, making it all but impossible for the security folks to keep up. “Everybody’s a developer now,” Shah said. “There are over 33 million developers vs. 3 million security professionals. So it’s a battle that security can’t win.”<\/p>\n\n\n\n

Third, Shah said, when he was a developer, it was usually about 80 percent his code and 20 percent open source libraries \u2013 while today, it’s often the opposite. “Download open source code from hack me dot com, now it’s part of your container image, whatever it is \u2013 and then who knows? It gets deployed in hundreds of thousands of workloads and hell breaks loose,” he said.<\/p>\n\n\n\n

And it doesn’t have to be from some random website \u2013 Log4j isn’t just some random component from a tiny third-party vendor. “This is Apache,” Shah said. “Their claim to fame is they’re Open Source 101 \u2013 a trusted vendor, a trusted component \u2013 and yet somebody found a vulnerability, and it’s fairly easily exploitable.”<\/p>\n\n\n\n

Also read: New Open-source Security Initiative Aimed at Supply Chain Attacks<\/a><\/p>\n\n\n\n

4 Steps to Code Security<\/h2>\n\n\n\n

What companies need to do in response, Shah said, is to secure the entire application lifecycle from code to runtime \u2013 which involves actively monitoring security in at least four key points in the process.<\/p>\n\n\n\n

The first step is during development, making sure that any open source code being used is safe. “When the developers are building their code in the IDE, if they just say, ‘Import this open source component,’ right then and there they should know, ‘Are you sure you want to do this? Because that particular open source component has a known vulnerability,'” Shah said.<\/p>\n\n\n\n

Increasing developers’ awareness of those concerns is a good start, he said, though each company has to determine its own risk tolerance. A fintech, healthcare, or government organization will likely need to be more careful about open source components than those in other verticals that may want to seek a different balance between security and speed of deployment.<\/p>\n\n\n\n

The next area to consider is infrastructure as code. “A lot of times, the bad actors exploit the weaknesses in the infrastructure \u2013 overly permissive security groups, etc. \u2013 so the other thing to secure, in addition to the open source code, is secure infrastructure as code,” Shah said.<\/p>\n\n\n\n

It’s equally important to secure the code repository, the third step in Shah’s process. “Make sure that your VCS, your Git repo, doesn’t have weaknesses \u2013 like is it exposed to the public Internet? With Capital One, the code repo was exposed and somebody was able to exploit it \u2013 make sure you have multi-factor authentication<\/a>, you can only access it within your corporate VPN<\/a>, and it’s not available to the public Internet.”<\/p>\n\n\n\n

Finally, there should be an additional check prior to deployment. “Scan your container registries, scan your CI\/CD pipeline, make sure you’ve got one more check done there,” Shah said. “And then the final stage is, things go into production.”<\/p>\n\n\n\n

Also read:<\/p>\n\n\n\n