Enterprise software development has moved on from the linear "waterfall" model of development and operations and has become more iterative, more complex and, in several ways, harder to secure. Contemporary software supply chain practices let developers manage that complexity and deliver software efficiently at scale, but gaps and vulnerabilities in the process that go unaddressed continue to be exploited by threat actors.
Security must therefore be built into every step of software development and the supply chain, because attacks are increasingly directed at the application layer, and those that succeed give the attacker a foothold inside the network from which to execute malicious code.
Why does the software supply chain pose risks to the business?
Most developers pull dependencies from open-source package registries such as npm (Node Package Manager) or PyPI (Python Package Index), so the software supply chain is the vehicle that carries those third-party assets into the applications an organization builds and runs. If a package pulled from a registry carries malware or a vulnerability, every organization downstream of it is exposed: directly, by building that package into its own software during the development life cycle, or indirectly, by running a presumed trusted application from a third party that failed to validate its own dependencies.
Rigorous security measures, validation checks and continuous monitoring of open-source dependencies and development repositories are therefore a requirement in any modern organization.
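As an added example (this is not code from the original article or from the vendor), the Python script below performs the kind of validation check the paragraph above calls for on an npm package-lock.json fragment: it verifies each dependency's tarball against the integrity hash recorded in the lockfile, flags entries that record no hash at all, flags packages whose package.json declares lifecycle install hooks (a common place for a malicious package to put code that runs at install time), and flags names one edit away from a trusted package name. The lockfile, manifests and tarball bytes are constructed in-memory stand-ins rather than real packages, and the function names are assumptions for illustration.

```python
import base64
import hashlib
import json
import re

# npm runs these package.json scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Subresource Integrity format used by the "integrity" field in package-lock.json.
SRI_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$")


def sri(data: bytes, algo: str = "sha512") -> str:
    """Integrity string in the form npm records for a tarball."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_integrity(expected: str, data: bytes) -> bool:
    """True only if data hashes to the recorded value; malformed input fails closed."""
    m = SRI_RE.match(expected or "")
    if not m:
        return False
    algo, b64 = m.groups()
    try:
        recorded = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    return hashlib.new(algo, data).digest() == recorded


def install_hooks(manifest: dict) -> list:
    """Lifecycle scripts in a package.json that execute at install time."""
    scripts = manifest.get("scripts") or {}
    return [h for h in INSTALL_HOOKS if h in scripts]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a name one keystroke from a trusted one is suspect."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(lockfile: dict, tarballs: dict, manifests: dict, trusted: set) -> dict:
    """Map each locked dependency to the list of problems found with it."""
    findings = {}
    for path, entry in lockfile["packages"].items():
        if not path:          # "" is the root project itself, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        problems = []
        if "integrity" not in entry:
            problems.append("no integrity hash recorded")
        elif not verify_integrity(entry["integrity"], tarballs.get(name, b"")):
            problems.append("tarball does not match recorded integrity")
        hooks = install_hooks(manifests.get(name, {}))
        if hooks:
            problems.append("runs install hook(s): " + ", ".join(hooks))
        if name not in trusted:
            near = sorted(t for t in trusted if edit_distance(name, t) <= 1)
            if near:
                problems.append("possible typosquat of " + ", ".join(near))
        findings[name] = problems
    return findings


# Constructed sample inputs (stand-ins, not real packages or archives).
TARBALLS = {
    "left-pad": b"left-pad-1.3.0.tgz contents (constructed)",
    "leftpad": b"leftpad-0.0.1.tgz contents (constructed)",
    "unpinned": b"unpinned-2.0.0.tgz contents (constructed)",
}
MANIFESTS = {
    "left-pad": {"name": "left-pad", "version": "1.3.0"},
    "leftpad": {"name": "leftpad", "version": "0.0.1",
                "scripts": {"postinstall": "node ./setup.js"}},
    "unpinned": {"name": "unpinned", "version": "2.0.0"},
}
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad": {"version": "1.3.0",
                                  "integrity": sri(TARBALLS["left-pad"])},
        # recorded hash belongs to a different archive than the one that arrived
        "node_modules/leftpad": {"version": "0.0.1",
                                 "integrity": sri(b"original-leftpad-archive")},
        "node_modules/unpinned": {"version": "2.0.0"},
    },
}
TRUSTED = {"left-pad", "lodash"}

if __name__ == "__main__":
    print(json.dumps(audit(LOCKFILE, TARBALLS, MANIFESTS, TRUSTED), indent=2))
```

Run in CI, a non-empty finding list for any dependency is a reason to fail the build rather than a warning. Real lockfiles also record a resolved URL per entry; that URL should additionally be checked against the registries the organization allows, which the sample above does not do.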
Risks in Software Development Life Cycle (SDLC)
The SDLC encompasses the initial design, development, testing and deployment of an application. Internal development processes often fall short of implementing critical security policies, processes and controls, so attacks that exploit those gaps may never be seen by the security systems deployed around the application.
That is why it is vital to establish security practices within the SDLC itself, from training developers in secure coding and in the safe use of open-source libraries to building in detection capabilities: static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA) and manual penetration testing. A secure SDLC process makes these activities part of the development effort rather than an afterthought, augmenting code review and infrastructure analysis.
How to prepare your company for choosing a solution
The security controls needed to prevent and mitigate SDLC and supply chain threats require strict control over what software is installed and tracking of the path every piece of code and every application takes into your enterprise. For those processes to be effective, however, you first need an IT infrastructure that supports them, which means determining the state of your current security measures and addressing any gaps. That assessment depends on the security maturity level of your enterprise: the skills, processes and technologies already available.
Knowing where your organization stands in the security maturity model allows you to take a more comprehensive approach to cybersecurity. From defining the manual processes within your organization to reviewing your current compliance and audit standing, taking a full inventory of your enterprise's security posture will prepare your company for choosing a solution. To establish your organization's security maturity level, consider the following factors:
- Team awareness and security training
- Current operations and support
- SDLC security measures
- SOC gaps and threat visibility
- Incident Response (IR) times
- Performance in IT audits and compliance
Once you have determined the maturity level of your enterprise, the next step is to define the measurements and metrics by which improvement will be judged. Further automation, new security guidelines and advancing the activities within the existing framework will then allow your enterprise to raise its security measures and close the gaps in its SDLC and supply chain operations.
Further reading from our Research Blog:
- NPM package malware: The NPM package that walked away with all your passwords
- PyPI package malware: SupPy Chain Malware – Detecting malware in package manager repositories
- The ASUS Live Update attack: Forging the ShadowHammer