UPDATED 15:26 EDT / FEBRUARY 15 2022


Controlling software supply chain security will require new tools, automation and vigilance

When it comes to software supply chain security, the problem confronting the tech industry today can be summed up in one five-letter word: chain.

Chain links formed into a length of support can be incredibly strong, as long as all of the links remain sturdy. However, the failure of one link can compromise the strength of the entire chain.

This is the dilemma facing the technology world as it grapples with breaches in the software supply chain. Episodes involving SolarWinds and the Apache open-source tool Log4j highlight the precarious nature of the software ecosystem, one that depends heavily on a complex set of linkages involving companies, developers, security professionals and volunteer programmers to keep systems safe from undue harm.

“It’s called a supply chain, and it’s only as strong as its weakest link,” said Vincent Danen, vice president of product security at Red Hat Inc., in an interview with theCUBE, SiliconANGLE Media’s livestreaming studio. “If one company is breached, multiple companies end up being breached as a result of that. I don’t look at it as we’re just securing Red Hat. We’re securing our customers, and we’re also doing that for their customers as well.”

Danen spoke with David Nicholson, co-host of theCUBE, as part of the “How to Manage Digital Risk By Securing Your Software Supply Chain” event. He was joined by Luke Hinds, security engineering lead from the office of the CTO at Red Hat. TheCUBE co-host Dave Vellante also interviewed Red Hat’s Andrea Hall, specialist solution architect and project manager for security and compliance; Andrew Block, distinguished architect; and Kirsten Newcomer, director of cloud and DevSecOps strategy, as part of the event. They discussed current and future tools for software protection and the challenges facing the open-source community. (* Disclosure below.)


Accelerating tool development

Code vulnerabilities in the open-source world are especially problematic because the software is so widely used. A 2021 report from Synopsys Inc. found that 91% of 1,500 commercial codebases surveyed contained open-source dependencies with no development activity over the past two years — and many lacked security fixes.

The report also noted that vulnerabilities were discovered in over 90% of codebases for the marketing tech, healthcare, financial services and retail sectors.

One of the issues confronting the tech community has been the effectiveness of currently available tools for security protection. Many organizations rely on vulnerability scanning to identify security weaknesses in software; however, this may not always provide the full story.

“In static vulnerability scanning, you get information that is not in full context,” Newcomer explained. “You don’t know whether a vulnerability is truly exploitable unless you know how exposed that particular part of the code is to the internet. You really want not just that static scan, but also the analysis which takes into account the configuration of the application and the runtime environment and any mitigations that might be present there.”


The open-source community has been accelerating the pace of activity to deploy new tools that will provide enhanced security for software capabilities. These include software composition analysis tools, such as FossID and BlackBerry Jarvis, along with Software Package Data Exchange, or SPDX, which communicates software metadata information throughout the supply chain.

In early February, the Open Source Software Foundation announced the Alpha-Omega Project to improve global open-source software supply chain security by looking for undiscovered code vulnerabilities in cooperation with project maintainers. The project is being supported by Microsoft and Google Inc.

“There are a lot of open-source tools that are available and being produced that are going to help with these sorts of situations moving forward,” Danen said. “A lot of what we’re looking at now is how to get tools into the hands of developers who can catch some of these things earlier.”

Push for bill of materials

One of the tools that may help organizations achieve a more complete understanding of the elements inside a package is the software bill of materials, or SBOM. It is also a tool that has captured the interest of regulatory authorities.

The SBOM was specifically named as an industry solution when the White House issued an Executive Order last year directing that an inventory of software components be included in future releases by any technology company working with the federal government.

There has also been movement to standardize frameworks for software protection. The International Organization for Standardization decreed in September that SPDX will be the official open standard data format for conveying software metadata information in the supply chain.

“Right now, this space is very emergent, very fluid,” said Block. “These mandates are only a year or two old. More regulations will come out that will allow us to redefine and solidify on certain tools like ISO standards.”

Expansion of government requirements for greater transparency in the software supply chain is pushing organizations to find technology solutions for driving software accountability. The past year saw a flurry of activity in policy proposals for governing the software supply chain, including new compliance frameworks issued in the U.K. and principles recently released by the government of Australia.

As a more active threat landscape and rising government regulations drive the need for supply chain transparency, organizations are seeking ways to create a process for implementation. That will likely require the use of automated tools.

“We see a lot of organizations struggling in terms of trying to understand what the policy actually wants,” Hall noted. “Definitions are still a little bit vague, but implementation is also difficult. And sometimes organizations will add more tools to their toolkit, adding a layer of complexity there. Automation has to be pulled in; that’s key to implementing this.”


Steps to reduce risk

Deployment of automation and other tools that can consistently track all phases of the software build process will take time. In the meantime, there are steps that DevSecOps groups can take to lessen the likelihood of a significant breach through a software supply chain hack.

Hinds recommends that developers and IT administrators follow basic steps to guard against potential corruption of key software running mission-critical applications.

“Automatically update all packages. Automatically stay up to date, so when an issue does hit, you’re not having to go back 10 versions and work your way forward,” Hinds said. “Have a very strict requirement that there is non-repudiation, signed content so you can verify that it’s not been tampered with.”

The damage from the SolarWinds supply chain hack is still being assessed, well over a year after the enormity of the breach was first exposed. The attack has been attributed to a Russian intelligence group, and it remains one of the most sophisticated exploits seen to date.

Investigators have determined that the SolarWinds breach began in 2019 with the insertion of a single strip of code into the company’s central network monitoring software product. This highlights the challenge facing enterprises around the world, as IT teams must address the reality that even the smallest change in a codebase can have enormous impact.

“Awareness is key,” Hinds said. “A lot of people are really not aware of the sources that they’re drawing from to create their own supply chain. Be very mindful about what you’re bringing in and who can access it, because it is the keys to the kingdom.”

(* Disclosure: TheCUBE is a paid media partner for the “How to Manage Digital Risk by Securing Your Software Supply Chain” event. Neither Red Hat, the sponsor of theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Image: Production Perig
