WINTER 2023-2024 EDITION


Mitigating supply chain attacks: protecting the software development cycle

Eilon Elhadad

The National Cyber Security Centre (NCSC) has issued practical steps to help tackle the significant increase in the number of cyberattacks resulting from supply chain vulnerabilities. To support this initiative, companies should minimise the complexity of the process, choose as few security vendors as possible, and build adoption programs, explains Eilon Elhadad, Senior Director, Supply Chain Security, Aqua Security.

The UK government is undertaking a major digital transformation initiative, which includes ambitious plans to help the public sector improve its cyber resilience. The Government Cybersecurity Strategy aims to ensure that essential government services remain resilient in the face of increasing cyber threats.

This poses a significant challenge. Between September 2020 and August 2021 the NCSC handled 777 incidents, around 40 percent of which targeted the public sector. In 2020, both Redcar & Cleveland and Hackney Councils were struck by ransomware attacks, disrupting council tax, benefits and housing waiting lists. Gloucester City Council was then the subject of a further cyberattack in 2021. Clearly, cybercriminals see the public sector as low-hanging fruit.

In addition, high-profile incidents such as SolarWinds and Log4J have focused attention on the resilience of the supply chain. These attacks demonstrated how vulnerabilities in third-party products and services can be exploited by cybercriminals and hostile states, hitting hundreds of thousands of organisations at the same time.

The simple fact is that software supply chain breaches are rising fast: increasing by 300% in 2021. Malicious attackers are targeting source code and associated dependencies to create vulnerabilities and backdoors to applications. Supply chain security fears come in many forms: insecure open-source software, container image vulnerabilities and unauthorised access to code are just a few of the concerns. These can inhibit wider adoption of new approaches and create compliance and risk exposure. The question is: how can we more effectively protect the supply chain?

Building bridges to protect the software lifecycle

The first step is to build a bridge between security teams, DevOps and developers with an end-to-end solution that is specifically designed to stop software supply chain attacks. CISOs should seek out a solution that defends against supply chain threats from code all the way through to runtime and ensures protection during the entire software development lifecycle, across both the application and the infrastructure that underpins it.

The supply chain security solution itself should provide automated code scanning that empowers CISOs to assess resources drawn from third parties without exiting their workflows. Other beneficial features to look out for include:

  • Zero-trust CI/CD posture management that enforces least privilege access and minimises the security risks that arise from potentially dangerous misconfigurations in DevOps platforms such as GitHub, Jenkins and Nexus. It should also quickly highlight insider threats, such as bulk changes to user account access, the removal of required security checks, or changes to a sensitive code repository.
  • Automated controls which can spot new or non-compliant CI pipelines and apply customisable security assurance policies at the touch of a button. These should also enable the creation of individual enforcements that ensure every newly built artifact is signed and scanned for vulnerabilities, secrets and Infrastructure as Code (IaC) misconfigurations.
  • Next-generation software bill of materials (SBOM) capabilities which allow developers to record every action on the road to final artifact creation. Using this capability means developers can be assured that the code they create is the same code that ends up in production.
  • Automated open-source health evaluations which score every open-source package and provide real-time alerts to developers when potentially dangerous packages are detected.
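As an added illustration of the three insider-threat signals the list above names (bulk access changes, removal of required checks, changes to a sensitive repository), the following detection logic runs over constructed audit events; it is example code written for this article, not Aqua's or GitHub's, and the event shape and action names are assumptions modelled loosely on a GitHub-style audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical data, not real log output).
# "repo" is None for organisation-scoped actions.
EVENTS = [
    {"ts": f"2024-05-01T09:0{i}:00", "actor": "alice", "action": "org.update_member", "repo": None}
    for i in range(7)  # seven membership changes by one actor within seven minutes
] + [
    {"ts": "2024-05-01T09:30:00", "actor": "bob", "action": "org.add_member", "repo": None},
    {"ts": "2024-05-01T10:00:00", "actor": "bob", "repo": "payments-service",
     "action": "protected_branch.update_required_status_checks_enforcement_level"},
    {"ts": "2024-05-01T10:05:00", "actor": "carol", "action": "git.push", "repo": "payments-service"},
    {"ts": "2024-05-01T10:06:00", "actor": "dave", "action": "git.push", "repo": "docs-site"},
]

ACCESS_ACTIONS = {"org.add_member", "org.remove_member", "org.update_member"}
CHECK_REMOVAL_ACTIONS = {"protected_branch.destroy",
                         "protected_branch.update_required_status_checks_enforcement_level"}


def bulk_access_changes(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak} for actors making more than `threshold` access changes in any `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in ACCESS_ACTIONS:
            by_actor[e["actor"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[actor] = peak
    return flagged


def removed_checks(events):
    """Events that remove or weaken required branch-protection checks."""
    return [e for e in events if e["action"] in CHECK_REMOVAL_ACTIONS]


def sensitive_repo_pushes(events, sensitive_repos):
    """Pushes to repositories the organisation has designated as sensitive."""
    return [e for e in events if e["action"] == "git.push" and e["repo"] in sensitive_repos]


def triage(events, sensitive_repos):
    """Bundle the three signals into one report for the security team."""
    return {"bulk_access": bulk_access_changes(events),
            "check_removal": removed_checks(events),
            "sensitive_push": sensitive_repo_pushes(events, sensitive_repos)}
```

In this constructed data only alice trips the bulk-access threshold, bob's branch-protection change and carol's push to payments-service are reported, and dave's push to a non-sensitive repository is ignored.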

Make defence in depth a priority

Malicious cyberthreats are penetrating the software supply chain with increasingly sophisticated attacks on the cloud native stack. Therefore, organisations must ensure that security is embedded in the application development cycle so they can identify and remedy security threats before they cause problems in production.

Research by the Systems Sciences Institute at IBM found that fixing a bug costs six times as much at deployment, and 15 times as much during testing, as repairing it during the design phase. This means that choosing a CNAPP with integrated supply chain security, automated alerts and acceptance gates across the whole code and build stages provides a considerable financial upside too. It also keeps developers happy by eliminating the complicated security barriers that would otherwise stop them keeping pace with ever faster shipping cycles.

If your organisation wants to introduce proactive security to your software supply chain and ensure release quality, a CNAPP solution which includes end-to-end integrated dynamic threat analysis and runtime defence features is the best choice. It will provide Day One security that halts cloud native threats before they can cause any damage.

Learn more about securing the software supply chain in the public sector during an upcoming expert briefing with Aqua, AWS, GitLab and Contino on December 6. For those interested in uncovering the current risks in your supply chain, sign up for a free risk assessment.
