It began with a seemingly innocuous Twitter message in mid-December of 2020 from SolarWinds Inc. advising customers to immediately upgrade their Orion platforms. Few knew or suspected at the time that a vulnerability uncovered by the security software provider would become one of the most sophisticated and far-reaching hacks in modern history.
The 18-month anniversary of the SolarWinds breach discovery is upon us, yet the technology industry continues to confront the challenges of software supply chain security. A recent study from Argon Security found that software supply chain attacks grew 300% over the course of 2021.
The popularity of open-source software in the cloud-native world has made securing the supply chain an ongoing challenge. The multitude of contributors complicates protection, and many commercial codebases have open-source dependencies that lack development activity, raising the likelihood that security fixes are out-of-date.
Moreover, industry studies have uncovered a knowledge gap around crucial security principles for container runtime controls. A “2021 Cloud Native Security Survey” of 150 cloud-native IT security executives found only 3% recognized that a container by itself is not a security boundary. The application world is reshaping much of IT, and security practitioners are being forced to adapt accordingly.
“Securing IT environments, and especially containerized ones, is a formidable challenge,” said Joe Fitzgerald, vice president and general manager of the Management Business Unit at Red Hat Inc., in an interview with theCUBE, SiliconANGLE Media’s livestreaming studio. “The complexity and scale of modern application deployments doesn’t have equals in history.”
Protecting build and delivery
There has been activity within the cloud-native community over the past several months to address security challenges in the software supply chain. Among the most notable was a decision in March by the Cloud Native Computing Foundation to accept the in-toto project for incubation.
The goal of in-toto is to cryptographically protect the software build and delivery process from compromise by malicious actors. This is accomplished through a verification workflow for all supply chain steps, including authorization of the coders themselves. SolarWinds and Datadog Inc. are two of the organizations that have adopted in-toto for production.
The project was co-developed by academic researchers from Purdue University, NYU and the New Jersey Institute of Technology. In-toto was first presented in August of 2019 by Santiago Torres-Arias, assistant professor of electrical and computer engineering at Purdue, in a paper delivered at the USENIX conference.
“As it moves from development to testing to packaging, and finally to distribution, a piece of software passes through a number of hands,” said Torres-Arias, in his paper. “By requiring that each step in this chain conforms to the layout specified by the developer, it confirms to the end user that the product has not been altered for malicious purposes, such as by adding backdoors in the source code.”
Tracing from the source
In addition to the incubation project at CNCF, there have been a number of new developments in software supply chain security led by the private sector.
One of these involves a proposal by Google regarding “Supply Chain Levels for Software Artifacts,” or SLSA. The solution originated from “Binary Authorization for Borg,” an internal framework used by Google for the company’s production workloads.
SLSA is designed to protect against common supply chain attacks by allowing users to trace released software all the way back to the source. The focus is on build and source provenance, documenting who created the software along the way and how the source code was protected.
In early April, Google said that it had been working with GitHub Inc. on a forgery-proof process for signing source code that leveraged SLSA and other verification initiatives, such as Sigstore. Google’s initiative with GitHub highlights a key focus on baking security into the development process itself. It is aimed at embedding security into DevOps platforms in an effort to strengthen integrity of the software supply chain.
“The best solutions are the ones that can comprehensively test these software components in a way that’s non-disruptive to development processes,” said Melinda Marks, senior analyst at ESG Research, in an interview with SiliconANGLE. “This is not an easy task, but more of these testing processes are getting better incorporated into development tools and workflows while giving security teams a view of testing status and results.”
Coordinated EU action
Concerns around software supply chain hacks have expanded to include the public sector as well. A recent gathering of tech industry leaders hosted by the White House in January discussed U.S. preparedness for attacks against the software supply chain infrastructure, and European governments have been especially interested in addressing the subject over the past year.
In July, the European Union Agency for Cybersecurity issued a report that analyzed 24 supply chain attacks. The ENISA evaluation found that two-thirds of suppliers who were victimized did not know or failed to report how they were compromised. The organization issued a call for coordinated action at the EU level by monitoring documented security vulnerabilities and maintaining an inventory that includes path-relevant information. In late January, EU governments staged a large-scale simulation of cyberattacks against member states in an effort to stress-test Europe’s resilience and improve preparedness.
Understanding of software components has moved from being a casual part of running a business to an imperative in protection of the national state.
“It is wise for global governments to set up standards for software supply chain security,” Marks noted. “The businesses may be driven to release products or conduct more transactions, but if they do not understand their software components and they don’t take the steps to make sure they are configured properly, or make sure there are no coding flaws, it leaves them vulnerable to attacks. When we think about critical infrastructure, manufacturing supply chains for goods and services, we don’t want them vulnerable.”
Protection of the software supply chain itself will ultimately depend on investment in new technologies to secure the pipeline. Projects such as those incubated by CNCF or Google, along with recent actions taken by world governments, offer a framework for what will be needed to protect software workflows.
When Red Hat Inc. issued its “Global Tech Outlook” report last year, it noted that security was ranked as the number one funding priority for IT.
“Security has historically often been underfunded and under-prioritized, but there’s quite a bit of evidence here and elsewhere that a shift may be underway,” said Gordon Haff, Red Hat technology evangelist, in an interview. “Supply chain is a hot topic everywhere.”