DevSecOps: Your Secret Weapon Against Supply Chain Attacks

“The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.”

–Shannon Lietz, co-author of The DevSecOps Manifesto

There has been a surge in cloud adoption and digital transformation in every industry, whether for remote and hybrid work or simply due to ease of access. However, there are risks inherent in moving data to the cloud, as recent supply chain attacks have shown. More than 10 million people have been affected by supply chain attacks in 2022, a rise of 742%.

While supply chain attacks are not new, they are some of the most insidious cyberattacks because they exploit the implicit trust relationships between vendors, customers, and virtual communication channels.

For example, in the infamous SolarWinds supply chain attack, threat actors planted a bug in the company’s Orion software, a popular network and applications monitoring platform. In this case, hackers inserted malware into a platform plugin. Companies and government agencies all over the U.S. used the software both in their offices and for their remote teams.

Attackers then forged access tokens, allowing them access to privileged accounts by impersonating existing users on the network. Because the Orion platform was inherently trusted by its users, this seemingly innocuous software update got downloaded onto thousands of machines. It was so far-reaching that the U.S. Department of Homeland Security issued an emergency directive.

We still don’t know how extensive the implications of that attack were, even two years later. However, what we do know is that the SolarWinds hack involved the use of Cobalt Strike Beacon, well-known malware, for the backdoor. Security analysts theorize that the SolarWinds attack could have been prevented if the DevOps team had been on their game. We know that the Russia-based threat actors injected malicious code directly into the build environment. The breach cost the company about $40 million and caused them to revamp their entire build process using a “Secure by Design” initiative.

The State of the Supply Chain

The recent surge of supply chain attacks has highlighted their severe impact; more importantly, it demonstrates that most organizations are woefully unprepared to prevent and detect such threats. Reports state that 77% of organizations say aligning security tools with security goals is challenging.

In their 8th Annual State of the Supply Chain Report, Sonatype analyzed a set of over 12,000 libraries commonly used in enterprise applications. They found that only 10% had a vulnerability directly in their own code. However, when including vulnerabilities inherited from transitive dependencies, 62% had a potential vulnerability. They found that each library had about 5.7 dependencies. They estimate that 1.2 billion dependencies are downloaded every month.
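The gap between the 10% and 62% figures comes from vulnerabilities that enter through dependencies of dependencies. The following added example (not from the Sonatype report or the original post) walks a constructed dependency graph and classifies each library as directly vulnerable, transitively vulnerable, or clean, so you can see how a single flawed library several levels down taints everything above it. The library names and the vulnerable set are constructed sample data, not real packages or advisories.

```python
from collections import deque

# Constructed sample dependency graph (not real package data): each library
# maps to the libraries it depends on directly.
DEPENDENCY_GRAPH = {
    "web-app": ["http-client", "json-parser", "logger"],
    "http-client": ["tls-lib", "url-utils"],
    "json-parser": ["string-utils"],
    "logger": ["string-utils", "color-fmt"],
    "tls-lib": ["asn1-codec"],
    "url-utils": [],
    "string-utils": [],
    "color-fmt": [],
    "asn1-codec": [],
}

# Constructed set of libraries with a known vulnerability in their own code.
DIRECTLY_VULNERABLE = {"asn1-codec"}


def transitive_dependencies(graph, root):
    """Return every library reachable from `root` (breadth-first), excluding root."""
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))
    return seen


def classify(graph, vulnerable):
    """Label each library 'direct', 'transitive' or 'clean'."""
    result = {}
    for lib in graph:
        if lib in vulnerable:
            result[lib] = "direct"
        elif transitive_dependencies(graph, lib) & vulnerable:
            result[lib] = "transitive"
        else:
            result[lib] = "clean"
    return result


def exposure_summary(graph, vulnerable):
    """Share of libraries affected directly vs. once transitive paths are counted."""
    classes = classify(graph, vulnerable)
    direct = sum(1 for c in classes.values() if c == "direct")
    any_path = sum(1 for c in classes.values() if c != "clean")
    return {"direct_share": direct / len(classes), "transitive_share": any_path / len(classes)}
```

In the sample graph one vulnerable leaf (1 of 9 libraries) makes 4 of 9 libraries exposed, which is the same shape as the report's 10% versus 62% finding.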

But there is good news—96% of known-vulnerable open-source downloads are avoidable.

In this blog, we’ll discuss exactly that–how your enterprise can leverage open-source code safely, avoid known threats, and strengthen security from the ground up through Development, Security, and Operations (DevSecOps) practices.

DevSecOps: Keeping the Supply Chain Secure

As the name implies, DevSecOps is a set of practices that combine development, security, and operations.

But DevSecOps is also a cultural mindset toward security, in which security controls are embedded throughout the entire software development lifecycle.

It’s a shift-left paradigm in which the development team adds security to every phase of software development. It ensures security through a multi-layered, defense-in-depth posture to mitigate the risk of supply chain attacks. Businesses that employ a DevSecOps framework will enhance breach prevention, add business value, and protect their reputation by delivering safer products and services.

DevSecOps allows teams to address vulnerabilities before they can be exploited. Organizations can increase their defenses by continuously updating, patching, and removing malicious code with automated tools, advanced testing and scanning, and reviewing all third-party software and code. By automating security scanning, DevSecOps provides increased visibility into code changes and into potentially weak third-party code.

DevSecOps can reduce supply chain attacks simply because it boosts security at every level. DevSecOps practices help improve visibility into the software supply chain, which can help identify potential vulnerabilities and risks. It can help automate security testing, pinpointing and quickly fixing vulnerabilities. In addition, DevSecOps promotes collaboration between security and development teams, which have often been siloed in the past. Better communication between disparate groups means security is baked in throughout the software development lifecycle.

In the case of SolarWinds, that organization potentially could have identified and disclosed the vulnerability in the code before the update got sent out. While the new “Secure by Design” initiative is laudable, it may be a case of closing the barn door after the horse has fled. In addition to the $40 million the attack cost the company initially, the damage to their reputation may be permanent.

DevSecOps is not a silver bullet for supply chain attacks, but it can help to mitigate the risks. By following DevSecOps practices, organizations make it more challenging for attackers to exploit vulnerabilities in their software supply chain. Your enterprise will significantly reduce security vulnerabilities and maintain superior control throughout the application lifecycle.

At VerSprite, our approach is to work directly with your development processes. We support any number of CI/CD platforms and your process for infrastructure as code. We can support your delivery environment, even container orchestration systems. If you use it, we will support and automate it, making for seamless integration with your DevOps team.

For a more thorough investigation of threat modeling and DevSecOps, be sure to check out this blog.