Cloud software supply chains are tuned to deliver code to production faster than ever. Open source infrastructure as code (IaC) templates, code libraries and container images provide a head start during development to create new features and tools. DevOps pipelines automate away many of the manual tasks of traditional supply chains. They take code from the developer’s laptop to production, all without manual intervention.
This opens many organizations’ software supply chains to being prime targets for attacks. If infiltrated, software supply chains provide direct access to privileged credentials, proprietary codebases, sensitive data, infrastructure for cryptomining, ransomware and more. That is why supply chain security is so important for cloud software.
There are a variety of types of software supply chain attacks. Typically they come down to either insecure components of an application or attacking the pipelines that store and deliver code. All of them open organizations to high-profile breaches.
Insecure components can be either through negligence or intentional. Code components sourced from both open source and proprietary sources can contain vulnerabilities and misconfigurations. These security issues are not malicious, but using old code or insecure defaults can expose an application to attack. Some insecure components, however, are malicious. Bad actors can attempt to add malware to code libraries or poison containers to contain malware. At runtime, bad actors can attempt to modify a container or cloud infrastructure to drift away from its code definition.
Other cloud software supply chains compromises target the pipelines that deliver code. Insecure version control systems without branch or login protections can allow for malicious code to be committed to a repository. Insecure continuous integration/continuous deployment (CI/CD) pipelines can unintentionally execute any code that runs through them, exposing secrets or allowing for data exfiltration.
Once inside a pipeline or its components, bad actors will attempt to pivot to more valuable targets. Overly permissive accounts and unprotected networks make this much easier. All of these software supply chain risks can be mitigated with proper security.
Supply chain security leverages DevSecOps to protect against these attacks. It begins with the discovery of all components, visibility into the components of a supply chain, and then securing the components of cloud native application and infrastructure throughout the development lifecycle.
Modern applications consist of proprietary code, code libraries, images and IaC, such as Terraform and Kubernetes manifests. Discovery and inventory of these components can be centralized utilizing software bills of material (SBOMs).
Securing IaC sets a baseline posture for the infrastructure that the application runs in. IaC templates like Terraform, CloudFormation, ARM, and Kubernetes manifests are by default insecure. Finding and fixing misconfigurations in IaC makes it more difficult to attack an application and lowers the blast radius for successful attacks.
Images must also be scanned for vulnerabilities and misconfigurations, such as exposing port 22. If an image is from an unknown source, it’s also important to test that image in an image sandbox scanner to expose malware. This should be performed locally, in repositories after building images, in registries and continuously at runtime. Further, it’s important to check the trustworthiness of an image by only allowing trusted images from trusted sources, to avoid image poisoning attacks.
Open source code libraries need to be vetted for vulnerabilities and upgraded or patched when vulnerabilities are discovered. This can be done locally or in repositories.
Once these controls are put in place, the next step is to secure the pipeline that deploys them.
Increasingly, pipelines are becoming targets for attacks. Securing pipelines means every part of the software development process must be hardened. This includes VCS settings, CI/CD configurations and the infrastructure they run on.
Version control systems (VCS) have branch protection and secure login capabilities, but they are not on by default. Ensure that repositories do not allow code to be committed without a human review. Additionally, do not allow logins without MFA or any network events without TLS turned on.
CI/CD pipelines also need to be hardened. By default, they often allow the execution of code to run tests. This can lead to exposing credentials if a bad actor checks in an update to a pipeline that exfiltrates the secret. It also can lead to code tampering. Lock down CI/CD pipelines to not run all code on all branches.
Pipelines also run on infrastructure and include credentials to spin up test environments. That infrastructure should be vetted like production infrastructure. Credentials should only allow the minimum access required to run tests and deploy updates, with a separation of duties between those two tasks.
Finally, in each of these layers, secrets can inadvertently be exposed. Secrets can accidentally be included in IaC templates or CI/CD pipelines. Ensure no secrets get added to a repository except through an encrypted vault.
Begin your cloud native software supply chain security journey by starting with visibility into your code to cloud resources.