When reflecting on the history of software, it’s mind-boggling how far the IT industry has come from the early days of waterfall development practices and monolithic, clunky applications. This evolution of software has filtered into business models as most industries have embarked on a journey of digital transformation. As the world becomes more software-oriented, businesses are building and deploying new applications to keep pace with customer demands and an evolving threat landscape. Cyber-attacks are industry agnostic and while increased reliance on technology brings opportunities, it also provides more pathways for criminals to attack a business. While companies work to continuously improve their offerings for their customers, they also must ensure they remain secure throughout every stage of that process; from development to delivery, to production. Without a secure software supply chain, business innovation will stall before it ever gets on the road. A Vulnerable Chain despite 95% of respondents feeling very confident about the security of their software supply chain, more than half (58%) of C-level executives do not know how to troubleshoot a ransomware attack or who to turn to for help. This calls to question whether C-level executives truly understand the potential pitfalls if they do not understand how to fix an issue if it were to arise. When surveyed in 2021, Leaders who believe their software supply chain is completely secure, need to reevaluate their position as there are many potential security gaps that could lead to significant business disruption. You don’t need to look very far in the past to see the devastation a ransomware attack can cause. The Kaseya ransomware attack put more than because they used vulnerable versions of Kaseya’s VSA software. 40,000 organizations at risk of an exploit Thinking about a secure software supply chain within an organizational framework can be overwhelming. Most businesses work with multiple suppliers and the more third-party organizations that an enterprise relies on, the more ‘links’ there are in the business’ software supply chain. A longer chain will naturally create more potential points of failure or vulnerability for hackers to exploit. To ensure that an enterprise software supply chain is as secure as possible, security is needed at every step in the chain. This means being secure from the designing and writing of code through to delivery and into production. Secure in Development When discussing best security practices, many experts discuss the importance of security hygiene. This includes the basics like password security, employee training, and threat detection. Similarly, clean code is the foundation of development efficiency, release velocity, and overall application security. Clean code – code that is secure, easy to understand, and easy to change – must be established from the beginning. The alternative can lead to many downstream problems, especially when issues are discovered after code has been released after production. It is critical that developers understand the importance of preventative security measures, and embed these measures as they create code. This is often referred to as ‘shifting left’, but putting a majority of the burden for ensuring software security on developers is not a viable, long-term solution. In the software supply chain, it only takes one weak link to compromise the strength of the whole, and often enough that weakness is not visible to the engineering teams. We need to provide and implement a DevOps ecosystem that ensures the security of the software supply chain and asks developers to only fix the issues that exist within their code. Such an approach is imperative to maintain developer productivity. Secure in Delivery Being secure in delivery requires monitoring for all the potential things that may go wrong during the delivery process aside from the code itself, and this is where automation is key. Automation is a fundamental step to ensure that the entire software supply chain is secure, and can eliminate any human errors or identify steps that may have been missed. Even if code is highly robust, without a secure delivery pipeline code is still vulnerable to human mistakes, or malicious actors. Alongside automation, organizations should set up access and privilege controls for the code and the pipeline itself. Ensuring that the right people have the right access to systems is paramount when maintaining security. Above all, a company’s code and pipeline are only as secure as its security measures, and by implementing security at every step of the journey – from development to delivery to production – companies can build a sturdy and secure supply chain. Not only are legacy brick-and-mortar industries turning to software-first strategies, but for many businesses, the software is now second nature. There isn’t an industry today that can afford to fall victim to a security breach, especially one which could be prevented by a holistic, end-to-end software approach. To secure future innovation, businesses need to familiarise themselves with the potential weaknesses in their software supply chain and work to fix them quickly, or they risk being the next company to fall victim to attack. Secure in Production Once code is deployed, it’s not a case of it being “out of sight, out of mind.” Releases are happening so frequently and quickly, and even once code is deployed, it is essential to keep track of the code. And, it is just as important to ensure that IT teams are able to respond quickly as soon as a security issue emerges. When detecting and fixing problems there are two key industry metrics that are important to consider – mean time to detect (MTTD), the duration of time it takes to spot an issue after the software is released, and mean time to repair (MTTR), the duration of time it takes to fix the problem that is detected. From the moment a serious vulnerability appears, there is an automatic countdown that starts between detection and remediation, and the actions security teams take during this time directly affect the outcome. While speed is of the essence, so is precision. This is where new, quick-response techniques come into play, like automated rollbacks and , ensuring teams can remediate the problem efficiently and effectively. feature flagging An optimal security strategy should also include a continuous compliance system that works in tandem with a good mitigation system. The best system will act in the style of a feedback loop that connects the enterprise’s entire supply chain to the coding system and will go beyond the bounds of simply detecting violations against security and compliance rules by triggering mitigation and providing clear and specific instructions on how to fix the issues at hand.
