President Biden signed an executive order to protect the USA key infrastructure after a series of high-profile cyberattacks last year. Despite the fact that it focuses on fundamental security measures, the order recognizes an importance of cybersecurity and require companies that provide software to the U.S. government to meet specific security standards.
The three pillars of a secure software supply chain are:
Secure In Development
“Secure in development” refers to taking all reasonable precautions to produce clean code, including checking dependencies, analyzing code, and signing binaries, to find and repair issues as early as possible. Clean code is also important for development efficiency and release speed. Having a clean code from the start allows to make software delivery process more efficient.
Secure In Delivery
Secure in delivery means taking all required precautions to assure the safety of your software delivery pipeline. It entails putting safeguards in place for things that can go wrong throughout the software delivery process, such as:
- Deploy an integrated software delivery suite with automation capabilities.
- Create access and privilege controls for code, automations and all pipeline elements.
- Enforce entrance and exit gates for each stage of your delivery process.
- Develop a process to detect drift.
- Create a catalogue of immutable, approved components that are checked and updated on a regular basis.
Secure In Production
The typical cloud security posture management (CSPM) tools and application performance management (APM) tools come to scene after the software application goes into production. Their primary function is to monitor the program and send an alarm if something goes wrong, but they can’t eliminate the problem while your engineers build and test a solution. If you can’t respond quickly and seamlessly to a production problem, your supply chain can’t be regarded as a safe one.
Here are some things to consider while assessing your company’s current state and elaborating the next steps:
- Assess what a safe supply chain looks like for your company and agree on common definitions.
- Identify gaps, manual processes and head-in-the-sand assumptions in your software supply chain.
- Create a list of controls, policies and processes you lack, define assumptions and minimize manual processes.
- Maximize automation in your software delivery ecosystem to eliminate human error.
This is only the tip of the iceberg when it comes to establishing a safe software supply chain. Providing software is far too complex and critical to rely on a single department, it’s important to remember that application security is everyone’s duty — the security team and the DevOps organization.