November 26, 2020
Cyber Security

Secure Your Software Supply Chain with DevSecOps

Secure Your Software Supply Chain with DevSecOps

Andrii Lysyuk
Author: Andriy Lysyuk, Head of Cyber Security at Ciklum. 
Master of Science, Applied Physics, 20+ years of experience in IT and Information Security. Prior to Ciklum he worked as Information Security Consultant in EY Global Delivery Center and IBM Global Delivery Center. He has CISSP and CISA certifications. Andriy has experience in Information Security Management, Application Security, Network Security, Incident management.

Businesses around the world rely on supply chains to organise, create, and deliver goods and services. From automobiles to prepared meals, well-managed supply chains are essential to ensuring that products are manufactured with safety, efficiency, and security in mind.

Many development teams also adhere to their own version of a software supply chain. Following the same type of business model that oversees how resources are obtained, created, and managed, the software supply chain can deliver digital products that are engineered with a high degree of integrity, quality, and security.

DevSecOps, the set of development practices that incorporate security concerns throughout each stage of the development process, can help organisations integrate strong security throughout the software supply chain. By adhering to DevSecOps principles as key development decisions are being made, organisations can seamlessly protect the integrity of their software and consequently confidentiality, integrity and availability of the data processed by this software.. 

What is the software supply chain?

The software supply chain consists of anything that goes into or affects the underlying software code and compiled applications. From deployment to production, the authors, versions, scripts, and any other components or details related to an aspect of the software code can be considered pieces of the chain. 

Much like a traditional supply chain found in manufacturing accounts for the raw materials, equipment, and distribution of a product, the software supply chain manages each software component throughout the development lifecycle, including:

Taken together, each of these phases accounts for the many important considerations that must be weighed when building high-quality software. Understanding every tool, source, and line of code is essential for building solutions that are efficient, reliable, and secure.

What is the need for supply chain security?

As with a physical supply chain, aspects of traceability, quality control, and authentication are essential for software supply chain security. The ability to account for how code is written, obtained, and deployed throughout the development process can have a significant impact on application security. 

Evaluating third-party software, open source libraries, and development practices and implementing necessary mitigating factors helps to avoid weak links in  software supply chains. Without established processes to verify that proper procedures are being adhered to throughout each phase of development, organisations may end up creating applications with major security gaps that are easy for cyber criminals to attack.

Actively pursuing a supply chain security strategy can help mitigate such risks. By reviewing code, vetting sources, and adhering to best software development practices, organisations can protect themselves against potential threats that could be the result of weaknesses in the software.  

What are some common software supply chain risks?

Cyber criminals often target the weakest link in a piece of software. Without properly overseeing each and every component used throughout the development process, organisations risk leaving aspects of their software supply chain vulnerable to attack.

One of the largest risks to the software supply chain is the use of open source software. Much of today’s software is built using open-source components, but 

Due to the collaborative nature of open source software, bad actors are targeting projects that rely on volunteers and community members in order to make it difficult to identify the origin of an attack. Third-party APIs can also present a significant supply chain risk. Many developers rely on third-party APIs to speed up and simplify the development process, but security weaknesses within the API can place an entire application or enterprise in jeopardy. 

Finally, developers who do not follow best development practices can also present risks to the software supply chain. Teams or individuals who reuse code snippets from unverified sources can leave their entire applications vulnerable to attack. 

How can DevSecOps help with the software supply chain?

DevSecOps is a series of cultural practices that enables organisations to integrate security throughout the entire software supply chain. As a security-focused outgrowth of DevOps — the practice that combines development and IT operations into a collaborative, cooperative environment throughout the entire software lifecycle — DevSecOps considers application and infrastructure security from the beginning. 

One of the key principles of DevOps is speed, which works to integrate new features or repair bugs as quickly as possible through small, iterative updates. Intended to be scalable, flexible, and reliable, DevOps strategies deliver frequent and dynamic code changes that are carefully coordinated between development and operations teams. 

DevSecOps takes a similar approach but incorporates security considerations throughout the entire process. Often accomplished through tightly integrated automation tools, DevSecOps methods often feature encryption, secure API gateways, and secure continuous integration (CI) and continuous delivery (CD) practices. 

For the software supply chain, this means that each tool, component, or piece of code is properly vetted to ensure a high degree of security. Because considerations over the quality, source, and trustworthiness of any software element are built into the entire development process, DevSecOps practices can help ensure that comprehensive security is a feature from the ground-up, not an afterthought. 

Ciklum’s award-winning digital solutions experts can bring DevSecOps practices to any organisation. Whether it’s through an extended team or a custom-built application, Cilkum’s DevSecOps professionals can help ensure quality and security throughout the entire software supply chain. Contact Ciklum today for more information on DevSecOps services available for any business.