Want to Triple Your Supply Chain Security?

By 
Cassie Crossley
,
and
January 30, 2022

Codecov. Kaseya. Microsoft Winget. The year 2021 will perhaps be defined by these names in the cybersecurity space. Software supply chain attacks have increased significantly, and as many as 97% of firms in BlueVoyant’s annual global survey were affected. Attacks increased by 37% year-on-year in 2021 according to the survey. 

As the old saying goes, you are only as strong as the weakest link in the chain. And software supply chain links are frighteningly weak in many places, affecting not just the company itself but also the stakeholders associated with it. This demands stringent measures to be placed at three different levels to secure the overall supply chain:

  • Incoming materials like third-party software, libraries, services, and other dependencies. 
  • Outgoing materials like your deliverables and software components. 
  • Internal processes and infrastructure, which include your identities, signature keys, network, and other digital footprints.

The sophisticated Codecov breach, for example, could have been prevented had there been multi-factor authentication, signature code checks for integrity, and threat detection tools in the CI/CD pipeline.

What are the challenges?

The complexity of the supply chain is often a deterrent. Vendor supply chains are closely interlinked and sometimes untraceable, which creates unbreakable dependencies. This multi-layered set-up means that information can be processed by vendors practically invisible to you.

Untangling supply chain visibility and traceability is an expensive process and implementing security processes comes at an added cost. For many companies this is rarely allocated in their cybersecurity budgets.

Companies struggle to assign third-party cyber risk responsibilities within an organization. Who should take ownership - the CIO, CFO, CISO? This points to a deeper issue - the definition of third-party risk continues to be vague. 

Organizations do follow up with vendors when a risk is detected but in many cases vendors themselves are unaware of the impact and therefore hesitate to implement additional measures. Vendors lack education and training in cybersecurity processes, controls and management, which affects companies directly. 

The impact of an attack is expansive

The Codecov attack remained undetected for over two months, which caused damage to the company’s reputation and disrupted hundreds of customer networks. According to Codecov, security keys, tokens, and other critical information could also have been stolen. Twilio, a cloud communications platform, was one of the companies affected and who publicly disclosed the loss of email addresses due to the Codecov attack.

The impact of a software supply chain attack is felt across different channels and affects multiple people and organizations in different ways. Entire businesses come to a standstill when essential software, infrastructure, or operations are compromised. The Kaseya ransomware attack affected over 1500 companies including the Swedish supermarket Coop which closed multiple stores while their cash registers were offline.

How implementing DevSecOps can help 

According to Gartner’s research, nearly 45% of organizations will experience a software supply chain attack by 2025. But aligning company culture to a ‘shift left’ approach and implementing DevSecOps will reduce the risk that your organization does not fall victim to an attack. 

DevSecOps improves your security posture at different levels across the supply chain in the following ways. 

  • Gain deeper clarity into dependencies
  • Integrate automatic SAST (static application security testing) and DAST (dynamic application security testing) into the development process to protect the CI/CD (continuous integration / continuous delivery) pipeline
  • Make it mandatory to check software for vulnerability before committing or merging
  • Reduce manual security processes and implement automated artificial intelligence / machine learning tools
  • Invest in secrets management security solutions to ensure utmost safety in a multi-cloud environment

However, DevSecOps comes with its own set of implementation challenges and is just one way to improve software supply chain security. Additional security measures are described in The Purple Book of Software Security, Chapter 2, Software Supply Chain Security.

What is the Purple Book Community?

The challenges that DevSecOps pose can only be solved by initiating a cultural and mindset shift. People need to be enabled to adopt DevSecOps in its true spirit. This is where the idea of the Purple Book Community came about. 

The Purple Book Community comprises top-level security thought leaders and practitioners. Initially, it brought together 29 industry experts to write a comprehensive book about DevSecOps, AppSec, and product security perspectives, best practices and case studies. This book is offered free for the benefit of the broader community.

How can the Purple Book Community help?

The book, as well as any other content that the community creates, provides actionable guidelines and playbooks to show how businesses can steadily add robust layers of security by adopting application security, product security, and DevSecOps. It helps companies accelerate their processes by learning from experienced practitioners. The content of the book will be kept current by leaders who will write blogs and publish podcasts regularly. 

Cybersecurity challenges are evolving every day to become more sophisticated. It’s important to have equally sophisticated experts on your side to decode the threats and keep your business safe. And the Purple Book Community is built to do just that.


Participate in the community!

The community meets twice a month to talk  about the latest developments in the industry, network with each other, share best practices, decode major attacks, and build long-lasting bonds. To know the latest updates and participate in events, check out the community’s LinkedIn page

VP, Deputy Product Security Officer, Schneider Electric