Security of the software supply chain is a noble yet elusive goal.
This is just one example of the challenges confronting the security community in its efforts to improve security in the software supply chain. To gain a better understanding of the current landscape, theCUBE, SiliconANGLE Media’s livestreaming studio, collaborated with Red Hat Inc. in an event that focused on how organizations can manage the risks associated with enterprise software today.
Here are three insights you might have missed from theCUBE’s interviews during “How to Manage Digital Risk by Securing Your Software Supply Chain” with co-hosts Dave Vellante and David Nicholson. (* Disclosure below.)
1. Hackers have figured out there’s gold to be mined in attacking developers
Forget about launching a phishing attack on “Andy in accounting.” Threat actors are using social media and other resources to identify corporate software developers and target them specifically to gain access to the keys to the kingdom.
This is not a totally new development. The August 2019 “Threat Intelligence Bulletin” from cybersecurity provider Glasswall Inc. warned that the software developer had become the role most targeted by attackers going after assets in the technology sector.
What is becoming more apparent is that hackers are now devoting significant time and resources to load malware into tools stored in code repositories most likely to be used by the developer community.
WhiteSource Inc. just released a threat report revealing a significant uptick in malicious packages found in npm, the largest software registry used by developers around the world. Security researchers at JFrog Ltd. have found that attackers are using a “typosquatting” technique to trick developers by adding malicious code into software repositories through very slight misspellings of the filename.
And in one notable instance, hackers pirated source code from developers at an electronic game company. Rather than hold it for ransom, they auctioned the code off on the Dark Web for presumably more money.
“Quite often, a developer’s identity can be compromised,” said Luke Hinds, security engineering lead from the Office of the CTO at Red Hat, during an interview with theCUBE. “People will have a corporate account that gives them some sort of single sign-on access to multiple systems. If you look at a software supply chain, this is a mix of humans and machines, and both have flaws.”
2. When the dominos fall, global security can go south quickly
The fragility of the web-connected world has become more apparent in recent months. Breaches of the software supply chain have brought this into sharper focus.
In the networked economy, penetration of a single system by malicious actors can trigger a chain of problems on a global scale. An example of this scenario can be seen in what has become known as the Accellion data breach.
Accellion Inc., rebranded in October as Kiteworks, provides technology for moving large, sensitive files within networks. In December 2020, a cyberattack on a server for one third-party Accellion vendor resulted in the theft of personal information for clients of a number of businesses around the world. Since then, multiple organizations have reported being impacted by the breach, including Canadian aircraft manufacturer Bombardier, Morgan Stanley, Shell Oil Company, Reserve Bank of New Zealand, Kroger and the Stanford University School of Medicine.
Kaspersky’s annual “IT Security Economics” report noted that third-party incidents became the most costly enterprise data breaches in 2021. This is the new reality brought on by supply chain hacks, where the impact can be felt far and wide.
“It’s the security of the enterprise itself, your customer data and your own internal corporate data is placed at risk if there were a supply chain breach,” said Vincent Danen, vice president of product security from Red Hat, in a conversation with theCUBE. “You want to be on top of that because there is that risk that trickles down when it comes to an event. If one company is breached, multiple companies end up being breached as a result of that.”
3. It’s time to put the “Sec” back into DevSecOps
Many IT practitioners agree on one thing when it comes to development, security and operations, or DevSecOps: Doing it is hard.
This doesn’t reduce its importance to the enterprise, particularly in a time when developers can influence so much of the security posture for businesses. The goal of DevSecOps is to bake security into an application and deployment process that is moving at light speed. Yet the integration of security testing into continuous integration and continuous delivery pipelines creates friction and can often be sidetracked in the interest of time.
The problem has been that while many organizations claim to practice DevSecOps, the reality is that security teams remain largely siloed and have failed to keep pace with the DevOps side of the business. Gartner believes this issue is on the path to improvement. The research firm’s most recent “Hype Cycle for Application Security” placed DevSecOps on the “Slope of Enlightenment” and headed toward the “Plateau of Productivity.”
The deployment of infrastructure as code and continued innovation in DevSecOps tools will have an impact. Yet the key, as recently outlined by Linux systems administrator Chris Tozzi in a blog post, will be a shift to collective security, where a single team no longer owns enterprise protection, but responsibility is instead spread across an entire business.
“The most important thing for folks to think about is adopting DevSecOps,” Newcomer said. “While many have adopted DevOps, they tend to forget the security part of DevSecOps. You need to close the loop between what issues are discovered in production and feed that back to the development team to ensure that we’re really addressing the supply chain.”
Watch SiliconANGLE’s and theCUBE’s complete coverage of the “How to Manage Digital Risk by Securing Your Software Supply Chain” event. (* Disclosure: TheCUBE is a paid media partner for the “How to Manage Digital Risk by Securing Your Software Supply Chain” event. Neither Red Hat Inc., the sponsor of theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)