How can India achieve immutability in the software supply chain?
Far too many organizations are still trying to apply traditional cybersecurity tactics to modern cloud infrastructure deployments. And as Log4Shell makes clear, organizations overlook obvious security failure points throughout their software supply chain, from initial code creation to how updates are rolled out to users.
Supply chain, or third-party, attacks exploit weaknesses in software components and delivery pipelines to compromise cloud-based applications. The more complex the cloud application, the more distributed its infrastructure and the larger its attack surface. But there is a positive side: with cloud-native technologies, security can be built into the software at the time the code is written.
Threats Associated with Third-Party Cloud Applications
Third-party cloud applications are a fertile entry point for attackers because they are designed to be exposed to the internet. Although all modern cloud applications are designed with safety, security and availability (their cyber resilience) in mind, they still carry vulnerabilities and cloud misconfigurations. These allow attackers to reach the cloud network and breach critical company databases.
Modern cloud apps integrate with multiple third-party APIs for notifications, monitoring, data aggregation and analytics. Any security weakness in a third-party API, or in the cloud on which that API runs, presents a risk of supply chain attack. This is also why APIs are increasingly targeted by criminals: they are the low-hanging fruit of cloud-native applications.
In addition, certain supply chain components for cloud applications are sold and delivered by third parties through cloud marketplaces. Major cloud providers typically host a marketplace where millions of third-party cloud products and applications are sold as components of the supply chain. All of the vulnerabilities and risks in these applications present risks to the cloud infrastructure and the SaaS applications that use them.
To manage the security risks of third-party applications, organizations need DevOps and security teams to work together to ensure there is a complete and up-to-date inventory of all APIs used across the organization's applications. Simply locating misconfigurations is not enough; they must also be corrected quickly. Any security tools used should be explicitly designed to support both developers and security teams, so they do not create a bottleneck in the DevOps process. CISOs should consider adopting tools that understand the broader context of how APIs fit into the system.
Securing the Supply Chain with IaC Security
Most applications used by businesses contain code that IT teams did not write, especially code from open source libraries. Organizations cannot control the cloud vulnerabilities and misconfigurations introduced by these open source dependencies, which poses significant security risk. If any of these dependencies has a vulnerability, it is likely that the organization using the code is also vulnerable. By runtime, identifying and fixing these flaws has become far too expensive.
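One concrete way to stop a dependency from changing underneath a build is to pin every third-party artifact to an exact version and a content digest, and to fail the build when the fetched artifact does not match. The following is an added illustration, not the article's or Tenable's code: the package names, artifact bytes and lockfile are constructed for the example, and the lockfile syntax mirrors the `name==version --hash=sha256:<digest>` form used by pip, without depending on pip itself.

```python
"""Pin and verify dependency integrity so a build cannot silently pull a
different artifact than the one that was reviewed.

Added illustration (not the article's or any vendor's code). Package
names, artifact bytes and the lockfile are constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# name==version --hash=sha256:<64 hex chars>; looser operators are allowed
# by the grammar only so the checker can report them as unpinned.
LOCK_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)(?P<op>==|>=|~=)(?P<version>[^\s]+)"
    r"(?:\s+--hash=sha256:(?P<digest>[0-9a-f]{64}))?$"
)


@dataclass
class Finding:
    package: str
    status: str       # "ok", "unpinned", "hash-mismatch", "missing", "unparseable"
    detail: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def generate_lockfile(trusted: Dict[str, bytes]) -> str:
    """Emit exact-version pins with digests for artifacts that were reviewed."""
    lines = []
    for spec, blob in sorted(trusted.items()):
        name, version = spec.split("==")
        lines.append(f"{name}=={version} --hash=sha256:{sha256_hex(blob)}")
    return "\n".join(lines) + "\n"


def verify_lockfile(lockfile: str, fetched: Dict[str, bytes]) -> List[Finding]:
    """Compare every lockfile entry with the artifact actually fetched at build time."""
    findings: List[Finding] = []
    for raw in lockfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_RE.match(line)
        if not m:
            findings.append(Finding(line, "unparseable"))
            continue
        name, op, version, digest = m.group("name", "op", "version", "digest")
        if op != "==" or digest is None:
            findings.append(Finding(name, "unpinned",
                                    f"{op}{version} has no exact version and digest"))
            continue
        blob = fetched.get(f"{name}=={version}")
        if blob is None:
            findings.append(Finding(name, "missing", "artifact not fetched"))
            continue
        actual = sha256_hex(blob)
        if actual != digest:
            findings.append(Finding(name, "hash-mismatch",
                                    f"expected {digest[:12]}..., got {actual[:12]}..."))
        else:
            findings.append(Finding(name, "ok"))
    return findings


def build_should_proceed(findings: List[Finding]) -> bool:
    """Fail closed: any entry that is not fully verified blocks the build."""
    return all(f.status == "ok" for f in findings)


# Constructed artifacts: what was reviewed and pinned ...
TRUSTED = {
    "webfw==2.1.0": b"webfw 2.1.0 source distribution (constructed)",
    "logutil==1.4.2": b"logutil 1.4.2 source distribution (constructed)",
}
# ... and what the build host actually fetched: one artifact silently replaced.
FETCHED = dict(TRUSTED)
FETCHED["webfw==2.1.0"] = b"webfw 2.1.0 with an extra setup hook (constructed)"

# The committed lockfile, plus one floating dependency someone forgot to pin.
LOCKFILE = generate_lockfile(TRUSTED) + "jsonparse>=3.0\n"


if __name__ == "__main__":
    results = verify_lockfile(LOCKFILE, FETCHED)
    for f in results:
        print(f"{f.package:<10} {f.status:<14} {f.detail}")
    print("build allowed:", build_should_proceed(results))
```

The checker reports three distinct conditions: `logutil` verifies, `webfw` is flagged because the fetched bytes no longer match the reviewed digest, and `jsonparse` is flagged because a floating range gives the build no fixed artifact to verify at all. Treating any non-`ok` status as a hard failure is what moves the fix from runtime back to the point where the dependency enters the build.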
In cloud-native environments, attackers focus on exploiting off-the-shelf web application software vulnerabilities in the supply chain components used to build cloud applications. These vulnerabilities let attackers extend the reach of an attack. What organizations need in such circumstances is software that is secure by design. Infrastructure as code (IaC) brings great benefits in terms of rapid deployment, and it can also be used to build security into the code itself so that the resulting infrastructure is immutable. IaC security tools can programmatically detect and fix cloud infrastructure misconfigurations and prevent unresolved misconfigurations from reaching software at runtime.
Automated IaC security tools not only detect vulnerabilities but also give DevOps teams rapid fixes, ensuring that runtime changes remain compliant and that configuration drift is corrected automatically. It is a proactive approach to security that scales at the speed of the cloud. These tools provide centralized visibility of all cloud vulnerabilities and misconfigurations, improve detection of risks such as missing encryption, and prevent malicious code from being deployed at the software development stage.
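The three capabilities described in the two paragraphs above (detect a misconfiguration in the declared infrastructure, propose the fix, and flag drift between the declaration and what is actually running) fit in a small policy engine. The following is an added example, not the article's or any vendor's tool: the resource model is a simplified JSON-like form constructed for the illustration rather than any provider's real schema, and the two policies (encryption at rest and no public access for storage, no administrative ports open to the internet in a security group) are generic examples of the kind of rule such tools apply.

```python
"""Scan declared infrastructure for misconfigurations, emit fixes, and
flag drift between declared and observed state.

Added illustration, not the article's or any vendor's code. The resource
model and the sample resources below are constructed for the example.
"""
import copy
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

Resource = Dict[str, Any]
ADMIN_PORTS = {22, 3389}          # SSH, RDP
ANYWHERE = "0.0.0.0/0"


@dataclass
class Finding:
    resource: str
    rule: str
    message: str
    fix: Dict[str, Any] = field(default_factory=dict)   # attribute -> corrected value


def check_storage(res: Resource) -> List[Finding]:
    findings = []
    if not res.get("encryption_at_rest", False):
        findings.append(Finding(res["name"], "STORAGE_ENCRYPTION",
                                "no encryption at rest", {"encryption_at_rest": True}))
    if res.get("public_access", False):
        findings.append(Finding(res["name"], "STORAGE_PUBLIC",
                                "bucket is publicly readable", {"public_access": False}))
    return findings


def check_security_group(res: Resource) -> List[Finding]:
    ingress = res.get("ingress", [])
    bad = [r for r in ingress if r.get("cidr") == ANYWHERE and r.get("port") in ADMIN_PORTS]
    keep = [r for r in ingress if r not in bad]    # the fix: drop every offending rule
    return [Finding(res["name"], "SG_ADMIN_PORT_OPEN",
                    f"port {r['port']} open to {ANYWHERE}", {"ingress": keep}) for r in bad]


CHECKS = {"storage_bucket": check_storage, "security_group": check_security_group}


def scan(resources: List[Resource]) -> List[Finding]:
    """Run every policy check that applies to each declared resource."""
    findings: List[Finding] = []
    for res in resources:
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings


def remediate(resources: List[Resource]) -> Tuple[List[Resource], List[Finding]]:
    """Return a corrected copy of the declaration plus the findings it fixes."""
    fixed = copy.deepcopy(resources)
    findings = scan(fixed)
    by_name = {r["name"]: r for r in fixed}
    for f in findings:
        by_name[f.resource].update(f.fix)
    return fixed, findings


def detect_drift(declared: List[Resource],
                 observed: List[Resource]) -> List[Tuple[str, str, Any, Any]]:
    """Report (resource, attribute, declared, live) where the live value differs."""
    live = {r["name"]: r for r in observed}
    drift = []
    for res in declared:
        actual = live.get(res["name"], {})
        for attr, want in res.items():
            if attr in ("type", "name"):
                continue
            if actual.get(attr) != want:
                drift.append((res["name"], attr, want, actual.get(attr)))
    return drift


# Constructed declaration, as it might be committed before review.
DECLARED: List[Resource] = [
    {"type": "storage_bucket", "name": "app-logs",
     "encryption_at_rest": False, "public_access": True},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": ANYWHERE}, {"port": 22, "cidr": ANYWHERE}]},
]

# Constructed live state: someone re-enabled public access from the console.
OBSERVED: List[Resource] = [
    {"type": "storage_bucket", "name": "app-logs",
     "encryption_at_rest": True, "public_access": True},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": ANYWHERE}]},
]


if __name__ == "__main__":
    fixed, findings = remediate(DECLARED)
    for f in findings:
        print(f"{f.resource}: {f.rule}: {f.message} -> set {f.fix}")
    print("remaining findings after fix:", scan(fixed))
    for name, attr, want, got in detect_drift(fixed, OBSERVED):
        print(f"drift: {name}.{attr} declared={want} live={got}")
```

The scan runs against the declaration, so the public bucket and the open SSH port are caught and corrected before anything is deployed; the drift check then compares the corrected declaration with what the cloud reports, and a console change that re-opened the bucket shows up as a single attribute-level difference that can be reverted automatically rather than discovered at runtime.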
Leveraging IaC will create a new world order for securing software supply chains. Legacy cloud security tools have, time and time again, attempted to address security issues in the cloud, but failed to take advantage of its full capabilities. This traditionalist approach to identifying security vulnerabilities at runtime is not only costly but inefficient, as it allows supply chain vulnerabilities to seep into the network. It is much more efficient for organizations to identify and fix flaws in the code used to build the environment in the first place. When security enables DevOps effectively, software becomes resilient by design.
The author is Vice President of Engineering, Tenable. Original title: Achieving Immutability in the Software Supply Chain. The opinions expressed in the article are those of the author.