Don’t overlook the boardroom benefits of a secure software supply chain
Software supply chain attacks remain a serious threat for most organizations today. For the first time, IBM’s 2022 Cost of a Data Breach Report looked at the impacts of software supply chain attacks and found nearly one-fifth of organizations were breached due to a software supply chain attack. Even more concerning from the report, these compromises caused by a vulnerability or breach of a third-party supplier made breaches more expensive and introduced longer discovery and recovery cycles for organizations when compared to the average.
The security skills shortage compounds both the cost and the time impact of software supply chain attacks, because the skill sets needed to build secure pipelines and to detect and remediate these compromises within an organization are hard to find. So what can business leaders do today to improve their organization’s software security posture for the future?
Adopt software signing and secure software development practices
Tampering with software is an increasingly common attack method for bad actors, which is why signing and verifying an organization’s code, build systems, and artifacts is one of the most effective steps to take to protect against supply chain attacks. While this is no doubt a complicated problem to solve for any organization looking to shore up software security defenses, there are various easy-to-use and open source technologies that won’t break the bank or hinder developer productivity. The resulting benefits reach not only technology teams but C-Suite leaders, in the form of cost savings and risk management frameworks.
Here are four clear boardroom benefits of a secure software supply chain:
1: Long-term cost savings: The IBM report found that the average total cost per organization of a software supply chain compromise was $4.46 million compared to $4.35 million for a data breach not caused by a supply chain attack. Rather than waiting for the inevitable, today’s business leaders need to secure their organizations by default instead of leaving teams firefighting after something bad happens. There are various tools and frameworks that companies can implement at minimal cost to start building the foundation for a secure supply chain.
One example is Sigstore, a free, open-source software project that provides digital signatures for software releases, which helps developers and open source maintainers check the integrity of the software being produced and consumed. Earlier this year, Chainguard, the Linux Foundation and the OpenSSF released a Sigstore course that educates developers and maintainers on how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source. Another example is the Supply-chain Levels for Software Artifacts (SLSA) framework, which protects the integrity of software artifacts to help prevent software supply chain attacks. For C-Suite leaders, SLSA can serve as an achievable supply chain security capability and maturity model that derisks the software development lifecycle by providing a set of guidelines across the develop, build and release stages.
Secure-by-default tools and frameworks like Sigstore and SLSA let software developers build without burden, and let organizations improve their overall software security without accruing the hefty long-term costs they would face if these tools and frameworks were not in place.
2: Meet industry standards and government requirements: There is no shortage of standards and federal government requirements focused on the integrity of the software supply chain. Business leaders need to prepare for and meet these requirements to avoid future consequences for inadequate software development practices. SLSA’s level-based approach is unique because it not only offers best practices for software supply chain security, it is designed around the automatic creation of verifiable metadata, which is a critical ingredient for knowing when to trust the integrity of software and a major step toward meeting today’s federal supply chain requirements.
3: Increase developer productivity and velocity: A common software supply chain battleground for C-Suite leaders is helping their organization balance security with productivity and innovation. This is where the value of developer-first tools like Sigstore comes into play, because they enable a frictionless developer experience that is secure by default. Many developers and open source maintainers have already taken the leap to Sigstore. Recently, GitHub announced a request for comment on npm packages being signed using Sigstore, joining a growing number of other languages and projects, such as Python, Rust and Kubernetes, that are looking at adopting this free wax seal of software authenticity.
4: Incident response efficiency for security teams: Knowing who did what, where and when is a priceless mechanism for the necessary incident response work of security teams. No security engineer wants to burn time patching blind spots in their organization’s security posture and chasing mysterious packages. By requiring digital signatures on all code, software builds and artifacts, business leaders can set security teams up for greater success in the event of an incident or vulnerability, because the track record is documented and there is a clearer picture of where to start remediation.
There is no sugar coating it: software supply chain security is hard. It requires a cultural shift and investment by business leaders and by security and developer teams. The silver lining is that there is a growing community of people and organizations, like the team here at Chainguard, tackling this issue and creating efficient ways to strengthen the software supply chain so that business leaders can manage the risks associated with it.