Software Supply Chain Compliance with Aqua’s Chain-Bench – The New Stack


We can all agree today that we really need to know what’s what with our software supply chain. If you don’t know why, I recommend you look up the SolarWinds security fiasco and the ongoing Log4Shell dumpster fire. But what’s in a good, secure software supply chain anyway? The cloud native security company Aqua Security joined forces with the Center for Internet Security (CIS) to create the first formal software supply chain security guidelines: the CIS Software Supply Chain Security Guide.

The guidelines cover the security basics for five software supply chain categories: source code, build pipelines, dependencies, artifacts, and deployment. Specifically, for example, your public repositories must have a SECURITY.md file, all code changes must be tracked by a version control system, and third-party libraries must be verified. All of this reflects general best practices that underpin key emerging security standards such as Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF). Altogether there are over 100 security recommendations.

Community Effort

Besides the two authoring organizations, the guide was reviewed by security experts from Axonius, PayPal, CyberArk, Red Hat and other leading technology companies. This is not a static document. Its creators are looking for feedback to ensure it remains accurate and relevant.

The long-term plan, according to CIS development team manager Phil White, is to “build a vibrant community interested in developing the platform-specific benchmark guidance to come.”

Chain-Bench

But let’s say you take these guidelines seriously and incorporate them into your development process. How do you tell whether your project actually makes the grade? With Aqua Security’s Chain-Bench, an open source tool for auditing your software supply chain to ensure guideline compliance.

Licensed under the Apache 2.0 License, Chain-Bench can be run as a command-line tool or within a Docker container. It implements the CIS Software Supply Chain Benchmark as far as it can. You can find the currently implemented checks under AVD – Software Supply Chain CIS – 1.0. At this point, only a handful of guidelines are checked…

Supply chain security goes deep – forget this at your peril

Everyone is talking about supply chain assurance as if it were new, largely because of recent high-profile cases such as SolarWinds and Log4j. It’s not new.

But, and this is partly evident in the way the question is framed, the focus is still on IT and cyber security in the supply chain, not security as a whole. Security has many pillars, and it includes places and people, not just technology.

By forgetting the impact of these other areas, we are ignoring their potential to harm us. We also know that the vast majority of security incidents are human behaviour-facilitated, including the way in which the tech is managed.

For instance, consider IT managers who have not been given enough time to take systems or platforms offline in order to patch them. We have been schooled for years in the importance of patching, but does our understanding go far enough to ensure that it is actually made possible? This is how known vulnerabilities get exploited: while we may be hypnotised by zero-day exploits, the depressing truth is that many exploits have been around for years and still get traction.

The IT solution for the patching issue in my example exists. It is the human perspective, allowing the IT manager to put that solution into effect, that is missing. This will only change when organisations understand that people have to be part of the security budget. You can’t expect 100% uptime and security, even in critical systems. This is on a par with refusing to fix fire exits because the corridor is very busy.

Are we expecting supply chain partners and their people to be better at security than we are? If we are not prepared to invest in these human issues ourselves, why do we expect our supply chain partners to be willing to do so?

A unilateral approach doesn’t work. Multilateral is the way, because it isn’t really a supply chain, it’s an ecosystem, with connections in many directions and forward links that we cannot pretend to know. That ecosystem is only as strong as its weakest link, but maybe we’re not being honest that the weakest link might well be ourselves.

High expectations are fine, but we need to ensure that they are communicated to our partners effectively. Complex…

A focus on risk in software supply chain security – Security Magazine

Software supply chain security risks surround Kubernetes

Kubernetes and cloud-native computing sit squarely in the middle of a seismic shift in the last decade toward enterprise use of open source — and all the software supply chain security concerns that come with it.

This open source shift isn’t piecemeal: Four of the 17 industry sectors represented in the 2022 edition of an annual “Open Source Security and Risk Analysis” report by Synopsys include open source in 100% of their codebases; the remaining 13 industries use open source in 93% to 99% of their codebases.

Meanwhile, since the SolarWinds attack in late 2020, a series of high-profile exploits in open source code has revealed the far-reaching cybersecurity implications of its convoluted supply chains. In late 2021, the Log4j vulnerability exposed how open source libraries wrapped up in other dependencies could be used in potentially devastating and difficult-to-detect attacks, as enterprises had trouble determining whether vulnerable libraries were present in their environments, and where.

Against this backdrop, Kubernetes itself remains a relatively safe haven because of its large, highly invested community, according to the Synopsys report. But plenty of other open source components are involved in the Kubernetes ecosystem, including small, single-developer projects, whose maintenance — or lack thereof — can leave the wider platform vulnerable.

“GitHub has millions of projects in which the number of developers is in the single digits,” according to the Synopsys report. “One of the takeaways from Log4Shell’s discovery should be the need to create a path to mitigate the business risk associated with using open source software. The important distinction here is that open source itself doesn’t create business risk, but its mismanagement does.”

Kubernetes + automated deployments = supply chain risks

SolarWinds was compromised via its CI/CD process, and other recently uncovered open source security vulnerabilities took similar advantage of automated deployment and update mechanisms that researchers tricked into deploying malicious packages.

The 2022 “Cloud Native Threat Report” published by container runtime security vendor Aqua on April 20 described one such exploit,…