What do the Log4j zero-day vulnerability, the SolarWind attack, and Alex Birsan's hacking of Apple and Microsoft have in common?The answer is simple: software chain security. Although the answer may be simple, each example highlights a different aspect of software chain security.
The definition of a software chain depends on who you're talking to and in what context, but simply put, securing a software chain means analyzing software from the outside. This can include open source**, commercial off-the-shelf (COTS) software, firmware, container images, APIs, and any other resources that are not developed in-house. At first glance, this may seem like a concern just for software consumers, who are the most affected by the compromised chain. But that's not the case. Software producers also have a responsibility to take the necessary steps to protect their applications from downstream risks and to provide users with transparency about their security efforts.
The analysis of external software should include both active and reactive efforts to reduce risk. This means writing security**, keeping vulnerable dependencies out of the application lifecycle, continuously monitoring for new vulnerabilities, avoiding unhealthy dependencies, and protecting the entire development lifecycle from malicious or malware injections, to name a few. All of this should be done if the user of the software asks about the actual operation and the content of the application that may be causing risk.
In the Critical Capabilities for Application Security Testing, Gartner lists software chain security use cases and shares software chain security issues that every organization should consider. Let's break down these key capabilities.
Gartner believes that software chain security is the most critical capability to ensure the security of the chain. This may seem confusing or redundant, but there is a difference between software chain security as a use case or plan and software chain security as a combination of features and functionality. We are talking about utilizing the latter to achieve the former.
The features and functionality associated with this feature can be categorized as those that enable the team to proactively mitigate the risks introduced by external software. Teams can proactively assess problematic metrics such as poorly maintained projects, inadequate security controls, a history of vulnerabilities or malice**, a poor maintainer reputation, and more. It also involves generating and managing artifacts that consumers can use to perform their own assessments of the security of the software built by the provider. This can come in the form of a software bill of materials (SBOM) or a proof of security practices that can be used to better understand the risks that software poses to an organization.
Identifying all the external dependencies used to build your application can be a challenge. More than 75% of an average application comes from an open source project. Requiring development teams to manually track the dependencies they use shows a disconnect from the realities of modern development practices and how package managers and dependency trees work. However, without full visibility of these dependencies, there is no way to track which chain threats affect applications. That's why Software Portfolio Analysis (SCA) plays such an important role in software chain security.
SCA tools can be built directly into the development pipeline through DevOps integration to automatically detect open source (and sometimes commercial and custom components). They also associate them with security domains, their licenses, and any health risks to help you enforce policies and ensure that issues are addressed as needed.
Not only can SCA tools identify dependencies and help teams deal with risk, they can also generate SBOs that teams can provide along with the application, providing chain transparency to consumers of the software.
Building applications and packaging them into containers has become a popular deployment method. This helps teams easily scale deployments to meet demand, overcome issues associated with different deployment environments, and support a microservices approach to application development. However, modern AppSec practices aren't always enough when it comes to securing containers.
Basic images tend to be the easiest aspect of containers to scan for vulnerabilities. In fact, many container registries are doing some of their own thing. However, with an infinite number of layers added on top of the base image, there may be a hidden problem. In order to get a realistic risk image, the container image needs to be scanned after it has been generated. Therefore, security teams should prioritize a solution that analyzes the file structures that make up container images to identify dependencies and associated risks. Otherwise, containers become the weak link in the software chain.
Development and security teams can spend countless hours and money protecting their applications from external threats, but it's all in vain if they can't write their own safely. Traditionally, this has been the purpose of review, but manual work like this can be ineffective and time-consuming.
The Static Application Security Testing (SAST) tool automatically scans the source and assesses it for potential security weaknesses, which can lead to issues such as buffer overflows, SQL injections, and cross-scripting. These types of flaws can be difficult to spot with the human eye, but SAST can do so precisely and quickly and at a regular pace. When countless high-severity vulnerabilities can be attributed to simple flaws, such as inadequate data sanitization, using SAST tools can enable development teams to avoid becoming upstream risks.
Securing the software chain means managing risk throughout the application lifecycle. Doing so requires a variety of tools and processes, which will inevitably produce a range of outcomes. Application security posture management (ASPM) tools help automate all the different tests throughout the lifecycle while capturing the results of each test.
The benefits of ASPM are twofold. First, before any scan occurs, teams can use ASPM to define policies for all test types and configure when each test occurs and which results should trigger which workflows. Second, as results are generated, ASPM tools can correlate and analyze the results, providing teams with a single dashboard for triaging and remediating issues. Put simply, ASPM provides a risk map for the entire software chain of any application in development.
Developers are the first line of defense against the threat of the **chain. Not only do they decide which third-party dependencies to leverage to build the application, they are also responsible for fixing the issues identified by the tools mentioned in this blog.
Therefore, it is important to meet the developers where they are already located. Before writing a single line, the security team should define the policy based on the amount of risk that the organization can tolerate. Scans should work directly with development tools such as IDEs and SCMs to automatically trigger and enforce policies. In addition, any issues identified and sent back to the development team should contain as much information as possible to help resolve the work, such as location, problem type, remediation guidance, and educational training options related to the specific issue. In the chain, the sooner a problem is discovered, the sooner it can be remedied. This reduces risk and reduces the pressure on the resources needed for remediation.
UNISCA provides the basis for a software chain security approach. Since almost every modern application uses some form of open source or external components that are developed completely outside the control of the organizations that use them, they naturally represent the greatest surface area of risk. Our SCA tools integrate directly into the application development pipeline to automatically scan for open sources and third-party components in sources**, container images, and firmware. The result is an accurate and complete SBOM that can be configured and exported to meet a wide variety of needs. Each component identified and added in the SBOM will also be evaluated for security vulnerabilities, malware packages, health and feasibility, and licensing conflicts.
Original link: