Modern software development relies extensively on open source, third-party libraries and applications. Some of these components come from large vendors like Microsoft and Google, whereas others are built and maintained by independent developers who often have limited resources. Regardless of the source, each component represents a degree of exposure and risk to projects. This blog post looks at the problem and provides some suggested steps towards addressing it to secure the software supply chain.
Understanding the risks
The rise in supply chain attacks has put a spotlight on the vulnerabilities inherent in our dependencies. Attackers have realized that they don't have to directly infiltrate a target — instead they can attack an upstream component and potentially compromise all users of that component.
Lessons from SolarWinds
The most famous example of this is the SolarWinds attack. Attackers infiltrated SolarWinds’ build servers, injecting malicious code into their software releases. However, the attackers real target was not SolarWinds itself, but the thousands of organizations — including U.S. government departments — that used SolarWinds software.
Practical steps to secure your supply chain:
- Verify third-party artifacts: Ensure you know the origin of all components in your software, and programmatically verify their integrity and authenticity.
- Sign your images: Use tools like Sigstore to sign your container images, adding a layer of trust and verification to your deployments.
- Minimize software dependencies: The fewer components you use, the smaller your attack surface. This approach reduces the likelihood of vulnerabilities.
- Keep software up to date: Regularly update your software to patch known vulnerabilities. This simple step is crucial for maintaining security.
- Utilize security scanners: Tools like Snyk, Trivy, or Grype can help identify vulnerabilities by comparing software versions against known CVE databases.
- Adopt smaller base images: Using slimmer images like Chainguard Images can significantly reduce the number of vulnerabilities in your containers.
- Reproducible builds: Aim for builds that can be reproduced identically, ensuring consistency and reliability in your deployment process.
- Increase your SLSA level: Following the Supply Chain Levels for Software Artifacts (SLSA) framework can enhance the security of your build servers and systems.
- Implement Software Bill of Materials (SBOMs): Though challenging, maintaining a complete inventory of all components in your production environment provides instant insight on organizational exposure to new vulnerabilities.
Securing the software supply chain is a multifaceted challenge. By verifying third-party artifacts, minimizing dependencies, keeping software updated, and adopting secure and minimal base images, you can significantly enhance your supply chain security. A proactive approach is key to mitigating risks in today’s interconnected software development landscape.
Want to dive deeper into the world of software supply chain security? Discover more nuanced strategies and real-world examples by watching my talk at WTF is SRE? 2023 titled Building a Secure Supply Chain with Containers.
You can find me on X at @adrianmouat if you have any questions.