The speed at which an organization can develop and deliver software is a key driver for business success. Teams are constantly tasked with finding new ways to work as efficiently as possible, often turning to open-source libraries and components to speed time-to-delivery. In fact, studies indicate as many as 97 percent of all apps in the market use open-source software.
While open-source repositories are helpful time savers, they have also become a prime target for cybercriminals. By compromising just one software package in an open-source library, these bad actors are able to gain backdoor access to multiple organizations and infect the work of millions of developers worldwide.
In the “race to production,” it’s absolutely critical that speed doesn’t come at the cost of security. Here are three practical steps you can take to minimize risk in your software supply chain.
Ensure that the open-source libraries you’re using are being properly scanned: In 2022, more than 10 million people were impacted by software supply chain attacks targeting 1.7K entities worldwide – nearly all of which included some element of faulty or nefarious open-source code. When you look at the associated numbers as explained below, this isn’t surprising.
Industry research shows that in NPM alone there were 95,000 new packages added in January alone. Beyond this, there were 750,000 new versions of existing packages updated to the library. While the libraries would undoubtedly want to ensure that this code is legitimate, the nature of open source means that verification is almost impossible. Therefore, the onus falls on companies to ensure that these packages are safe to be added into their development supply chain. An analogy that’s been used to describe the open-source relationship is Wikipedia: While it’s a fantastic, free resource and it’s on the individual using it to verify the accuracy of the information.
Organizations can achieve this level of scrutiny in a scalable way by connecting to open-source repositories and scanning meta-data associated with packages or updated versions in order to understand the context around them, such as: Whether they’re associated with malicious activity or vulnerabilities, or how recently they were created. By answering these kinds of questions, developers can forward the code into the next stage of development within their own ecosystem with increased confidence that it’s safe.
Developing an approach ‘beyond’ Shift-Left:
The shift-left model of checking your open-source components as near to the point of entry as possible is an approach that has served organizations well. It’s been a welcome move from the early, “Wild West” days of software development, where code was only checked at the final stages, forcing the process to start over from the beginning if problems were identified.
As software development continues to mature, the organizations that take software security the most seriously will be looking for an approach that goes beyond shift-left.
This can be accomplished by checking components for vulnerabilities prior to introducing them into your integrated development environment. You can do this by creating a curated entry-point, where incoming open-source packages can be checked against the policies your organization has tailored to its specific needs, and filtering out the open source that doesn’t meet the criteria before it even enters your environment.
Centralize these security measures within a single platform:
Undertaking the two activities highlighted above will make for a more cost-effective way to manage potential security issues in your software supply chain. Additionally, working with a solution that’s specialized in these areas can also help you stay on top of security issues that may arise in later stages of the software development cycle.
As we know, open-source databases are incredibly fluid and in constant flux. If a package passes both the scanning and pre-shift-left safeguards, there still isn’t a 100% guarantee that it’s safe. Working with a solution that understands every stage of this lifecycle means that if something is discovered to be malicious, organizations can take the appropriate remediation steps at any point throughout the development process.
A security-focused software supply chain platform that helps automate and secure the entire software build and release process with best practices like those noted above can help developers accelerate software delivery while strengthening their organization's security posture.
Prioritize your software supply chain security
The open-source ecosystem that most of our software development relies upon is here to stay. The convenience and speed of these libraries is unparalleled, making it a necessary resource for modern development teams. Because of the nature of these environments, however, it’s the responsibility of the individuals and organizations using them to ensure they’re doing so safely and securely.
By applying these three steps, you can continue to drive innovation and efficiency in your development workflows, while employing top security practices at your organization.