Software supply chain attacks remain a serious threat for most organizations today. For the first time, IBM’s 2022 Cost of a Data Breach Report looked at the impacts of software supply chain attacks and found that nearly one-fifth of organizations were breached due to a software supply chain attack. Even more concerning, the report found that these compromises, caused by a vulnerability in or breach of a third-party supplier, were more expensive than the average breach and took longer to discover and recover from.
The security skills shortage further increases both the cost and precious time implications of software supply chain attacks because the skill sets that build, address and help to remediate these compromises within an organization are hard to find. So what can business leaders do today to improve their organization’s software security posture into the future?
Adopt software signing and secure software development practices
Tampering with software is an increasingly common attack method for bad actors, which is why signing and verifying an organization’s code, build systems and artifacts is one of the most effective steps to take to protect against supply chain attacks. While this is no doubt a complicated problem to solve for any organization looking to shore up its software security defenses, there are various easy-to-use, open source technologies that won’t break the bank or hinder developer productivity. The benefits reach beyond technology teams: C-Suite leaders gain cost savings and a workable risk management framework.
Here are four clear boardroom benefits of a secure software supply chain:
1: Long term cost savings: The IBM report found that the average total cost per organization of a software supply chain compromise was $4.46 million, compared to $4.35 million for a data breach not caused by a supply chain attack. Rather than waiting for the inevitable and leaving teams firefighting after something bad happens, today’s business leaders need to secure their organizations by default. There are various tools and frameworks that companies can implement at minimal cost to start building the foundation for a secure supply chain.
One example is Sigstore, a free, open source software project that provides digital signatures for software releases, which helps developers and open source maintainers check the integrity of the software being produced and consumed. Earlier this year, Chainguard, the Linux Foundation and the OpenSSF released a Sigstore course that educates developers and maintainers on how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source. Another example is the Supply-chain Levels for Software Artifacts (SLSA) framework, which protects the integrity of software artifacts to help prevent software supply chain attacks. For C-Suite leaders, SLSA can serve as an achievable supply chain security capability and maturity model that derisks the software development lifecycle by providing a set of guidelines across the develop, build and release stages.
Secure by default tools and frameworks like Sigstore and SLSA let software developers build without burden and let organizations improve their overall software security without the hefty long-term costs they would otherwise accrue.
2: Meet industry standards and government requirements: There is no shortage of standards and federal government requirements focused on the integrity of the software supply chain. Business leaders need to prepare for and meet these requirements to avoid future consequences for inadequate software development practices. SLSA’s level-based approach is unique because it not only offers best practices for software supply chain security, it is designed around the automatic creation of verifiable metadata, which is a critical ingredient for knowing when to trust the integrity of software and a major step toward meeting today’s federal supply chain requirements.
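To make the signing and verifiable-metadata ideas above concrete, here is an added example (not Sigstore's, SLSA's or Chainguard's own code) that signs a cut-down, constructed SLSA-style provenance statement with a builder's key and then refuses any artifact whose digest is not covered by a valid signature. The statement shape, key handling and artifact bytes are assumptions for illustration; real Sigstore signing adds keyless identities and a transparency log that this example omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Statement is a cut-down in-toto provenance statement (constructed shape, not the full spec); Subjects maps each built artifact to its sha256 hex digest.
type Statement struct {
	PredicateType string            `json:"predicateType"`
	Subjects      map[string]string `json:"subjects"`
}
func sha256Of(b []byte) []byte { s := sha256.Sum256(b); return s[:] }
// signStatement serializes the provenance and signs its SHA-256 with the builder's key.
func signStatement(priv *ecdsa.PrivateKey, st Statement) (payload, sig []byte, err error) {
	payload, _ = json.Marshal(st) // a struct of strings cannot fail to marshal
	sig, err = ecdsa.SignASN1(rand.Reader, priv, sha256Of(payload))
	return payload, sig, err
}
// verifyArtifact accepts the artifact only if the signature over the provenance verifies, the predicate is SLSA provenance, and the artifact's own digest is listed as a subject.
func verifyArtifact(pub *ecdsa.PublicKey, payload, sig, artifact []byte) bool {
	var st Statement
	if !ecdsa.VerifyASN1(pub, sha256Of(payload), sig) || json.Unmarshal(payload, &st) != nil ||
		st.PredicateType != "https://slsa.dev/provenance/v0.2" {
		return false
	}
	want := hex.EncodeToString(sha256Of(artifact))
	for _, d := range st.Subjects {
		if d == want {
			return true
		}
	}
	return false
}
// runDemo signs provenance for a constructed release tarball, then checks the genuine and a tampered copy.
func runDemo() (genuineOK, tamperedOK bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	artifact := []byte("release-1.0.0.tar.gz bytes (constructed)")
	st := Statement{PredicateType: "https://slsa.dev/provenance/v0.2",
		Subjects: map[string]string{"release-1.0.0.tar.gz": hex.EncodeToString(sha256Of(artifact))}}
	payload, sig, _ := signStatement(priv, st)
	return verifyArtifact(&priv.PublicKey, payload, sig, artifact),
		verifyArtifact(&priv.PublicKey, payload, sig, append(artifact, '!'))
}
func main() { fmt.Println(runDemo()) }
```

Running it prints `true false`: the release the builder attested is accepted, and a single changed byte is rejected even though the signature itself is untouched.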
3: Increase developer productivity and velocity: A common software supply chain battleground for C-Suite leaders is helping their organization balance security with productivity and innovation. This is where the value of developer-first tools like Sigstore comes into play, because they enable a frictionless developer experience that’s secure by default. Many developers and open source maintainers have already taken the leap to Sigstore. Recently, GitHub announced a request for comment on signing npm packages using Sigstore, joining a growing number of other languages and projects such as Python, Rust and Kubernetes that are looking at adopting this free wax seal of software authenticity.
4: Incident response efficiency for security teams: Knowing who did what, where and when is a priceless mechanism for the necessary incident response work of security teams. No security engineer wants to burn time patching blind spots in their organization’s security posture and chasing mysterious packages. By requiring digital signatures on all code, software builds and artifacts, business leaders set security teams up for greater success in the event of an incident or vulnerability, because the track record is documented and the team has a clearer picture of where to start remediation.
There is no sugar coating it: software supply chain security is hard. It requires a cultural shift and investment by business leaders and by security and developer teams. The silver lining is that there is a growing community of people and organizations, like the team here at Chainguard, that are tackling this issue and creating efficient ways to strengthen the software supply chain to help business leaders manage the risks associated with it.