Threat Watch

Secure Software Supply Chain: Why Every Link Matters

New threats in software development are not confined to a specific company's own code. The whole software supply chain is a target for attackers, and effort must go into securing each link, because if one fails, everything will be affected. Supply chain activities include each step of the transformation of raw materials, components, and resources into a completed product, and its delivery to the end customer. Each step can be a complex process in itself and can cause a security incident.

The software supply chain is similar to that of other activities or industries. Resources are consumed, transformed through a series of steps and processes, and finally supplied as a product or service to a customer. In software, the raw materials are common libraries, code, hardware, and the tools that transform code into a final deliverable. This deliverable can be deployed as a user-facing application, as a service (starting over with the same supply chain loop), or as another package artifact that is included as a dependency in a different product.


Software supply chain attacks are increasing at an exponential rate of 4-5x per year, with several thousand last year. The most common are related to dependency confusion or typosquatting, followed by malicious source code injection. Measures to secure the software development life cycle include, but are not limited to:

1) Applying threat modeling to identify key or potentially overlooked testing targets.
2) Automated testing.
3) Code-based (static) analysis, using a code scanner, and reviewing for hard-coded secrets.
4) Dynamic analysis, with built-in checks and protections, black-box and fuzz testing, web-app scanners, etc.
5) Applying similar checks to included software (third-party dependencies).
6) Fixing critical bugs as soon as possible.

Furthermore, Kubernetes and containers are now so common that NSA/CISA released a Kubernetes Hardening Guidance, which highlights “supply chain risks” as one of three sources of compromise and proposes the following hardening measures and mitigations:

1) Scan containers and Pods for vulnerabilities or misconfigurations.
2) Run containers and Pods with the least privileges possible.
3) Use network separation to control the amount of damage a compromise can cause.
4) Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
5) Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
6) Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.