6 Steps to Securing Your Software Supply Chain

As the software supply chain has become global, there are increased concerns that applications may contain vulnerabilities or be substituted for compromised products during delivery or possibly during installation. Even without these direct attempts to compromise the software supply chain, vulnerabilities are often inadvertently introduced during development. Enterprises must take full responsibility for ensuring the security of both proprietary and third-party applications.

Securing the software supply chain has been a top concern among security providers, developers and global enterprises for years. In 2009, the Software Assurance Forum for Excellence in Code (SAFECode) released The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain, intended as a guide for addressing software supply chain vulnerabilities in an efficient and cost-effective manner. The report outlines a number of essential considerations for making the software supply chain safer for developers, enterprises and end consumers. Veracode’s secure software supply chain toolkit also contains an abundance of up-to-date resources for making the right decisions throughout the development and supply chain process.

1. Thorough Testing of Software of Unknown Pedigree – To secure the software supply chain, it’s important that each transaction and change of hands is authorized, verifiable and transparent. This leaves less likelihood that entities with malicious intent would intentionally introduce vulnerabilities, knowing that it would likely be traceable.

Enterprises making use of software of unknown pedigree (SOUP) face additional challenges, usually necessitating the use of third-party application security testing to identify potential vulnerabilities. SOUP isn’t necessarily developed with malicious intent, but it’s often outdated code that has changed hands multiple times, been modified and adapted to meet various needs and hasn’t undergone adequate testing in its current form or application.

2. Minimizing Access Privileges – Software applications are a conglomerate of hardware components, portions of code obtained via various sources, cloud services, networks and outsourced operations. It’s no surprise that multitudes of individuals will have access to critical components throughout the product lifecycle. When access controls are implemented, restricting access to only what is necessary to complete tasks, the risk of compromised code or components being introduced is minimized.

3. Distributing Controls and Responsibilities – During development, no single individual should have total access or the ability to unilaterally change data. Incorporating cross-checks, distributing controls and responsibilities and sharing the responsibility for application security makes it more difficult for a single person or entity to intentionally introduce malicious files or vulnerabilities.

4. Incorporating Tamper-Evident Safeguards - When software will undergo several phases of development and pass through the hands of multiple entities before reaching the end user, incorporating safeguards that provide evidence of tampering can both prevent and provide a means for quickly identifying and reversing attempts to insert code and files with malicious intent.

5. Apply Compliance Standards and Regulations – Universal compliance standards are necessary for ensuring the security of the modern software supply chain. Enterprises must set clear expectations and requirements of vendors—including the vendors serving direct suppliers. When enterprises and vendors work collaboratively to bring applications to the market, mutually agreed-upon compliance regulations, combined with cross-checking and distributed responsibility serves to keep partners on the same page with the shared goal of bringing safe and effective applications to the software market.

6. Third-Party Application Testing – Regardless of the safeguards incorporated throughout the supply chain, third-party application testing and code verification, such as vendor application security testing (VAST) is an essential final step in the process. Third-party application testing solutions detect vulnerabilities otherwise overlooked, and offer recommendations for eradicating risks before applications are delivered and installed.

Securing the software supply chain, especially globally, requires a significant commitment and investment from the software development community, as well as the enterprises they serve and the vendors which serve them. Software supply chain security is a collaborative effort that neither begins nor ends with a single entity. While great strides have been made in creating a solid framework for software security, the risks remain. Without adequate safeguards and stringent testing, modern enterprises are open to a variety of vulnerabilities introduced either intentionally or unintentionally throughout the product lifecycle.

Fergal Glynn is the Director of Product Marketing at Veracode, an award-winning application security company specializing in secure software supply chain and other security breaches with effective risk assessment tools like secure software supply chain toolkit.