Whitepaper
Major cyber-attacks such as the SolarWinds and Kaseya incidents demonstrate the need to focus significantly more on software supply chain security alongside the traditional cyber defense areas. Preventing the kind of code tampering that occurred in both of those attacks, whether by external criminals or by internal parties, is essential. This whitepaper looks at how to increase security throughout the Software Development Lifecycle and how to implement a multi-layered, defense-in-depth strategy for preventing and detecting code tampering. Beyond Identity was founded in 2019 and offers identity and authentication solutions in three critical operational areas: workforce ID management, customer ID management, and DevOps ID management, which assists in software security and code provenance in the Software Development Lifecycle.

1 Introduction

The term “Software Supply Chain Security (SSCS)” refers to the ability to secure the software development lifecycle (SDLC) throughout the development, testing, deployment, and maintenance phases – at every point along the way, including the whole CI/CD pipeline.

Industry awareness of software security has increased significantly since the end of 2020 due to two major attacks on software supply chains. The SolarWinds and the Kaseya attacks affected the systems of many clients and put an increased focus on the need for improving software security.

The SDLC (Software Development Lifecycle) and the entire DevOps cycle, from creating software to running it in the cloud or any other environment, have become much more complex over the past few years. This complexity affects not only code running as applications but also building blocks such as Infrastructure as Code (IaC) and the newer trend of Everything as Code (EaC). It is mainly due to the number of tools involved in managing code, such as Source Control Management (SCM) systems, as well as in building applications and in deploying and operating code. Unfortunately, this complexity also broadens the attack surface.

From the SCM, where both application code and infrastructure-as-code are managed, to cloud-based build and runtime environments, the attack surface includes a multitude of tools that make up the CI/CD pipeline – including code repositories. Moreover, the high degree of integration and automation across the entire pipeline allows for lateral movement of attackers.

Therefore, securing the entire SDLC is both a challenge and an imperative. Code Tampering Prevention is a key element within software security and helps prevent internal or external attacks that tamper with code to create malicious software. Attackers might alter code or inject malicious code at any point, so code tampering prevention must span the entire pipeline.

Successful implementation of a secure SDLC with strong code tampering prevention, therefore, requires solutions that cover all stages of the software delivery pipeline from the SDLC to the runtime environment in an integrated manner.
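One way to make “spanning the entire pipeline” concrete is to have every stage emit an authenticated integrity record of what it consumed and what it produced, and to verify the chain before deployment. The following Python script is an added illustration of that idea; it is not code from the whitepaper or from Beyond Identity, and the stage names, the HMAC-based record format and the sample source and artifact bytes are constructed for the example. A real pipeline would use asymmetric signatures (for instance in-toto or Sigstore attestations) rather than a shared HMAC key; HMAC is used here only to keep the example standard-library only.

```python
import hashlib
import hmac
import json

# Constructed example, not the whitepaper's own design: each pipeline stage
# records the SHA-256 digests of its inputs and outputs and authenticates the
# record with an HMAC under a key held by the CI system. Verifying the chain
# detects tampering between any two stages, and tampering with the records
# themselves, without relying on any single stage being trustworthy.

CI_KEY = b"constructed-example-key-not-for-real-use"  # placeholder key, constructed


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a blob (a source file, a build artifact, ...)."""
    return hashlib.sha256(data).hexdigest()


def attest(stage: str, inputs: dict, outputs: dict, key: bytes = CI_KEY) -> dict:
    """Produce an authenticated record of what a stage consumed and produced."""
    record = {
        "stage": stage,
        "inputs": {name: digest(blob) for name, blob in inputs.items()},
        "outputs": {name: digest(blob) for name, blob in outputs.items()},
    }
    body = json.dumps(record, sort_keys=True).encode()
    return {"record": record, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_chain(attestations: list, final_artifacts: dict, key: bytes = CI_KEY) -> list:
    """Walk the chain of records; return findings (an empty list means clean)."""
    findings = []
    previous_outputs = None
    for att in attestations:
        record = att["record"]
        body = json.dumps(record, sort_keys=True).encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, att["mac"]):
            findings.append(f"{record['stage']}: integrity record fails authentication")
            continue  # an unauthenticated record proves nothing about the chain
        if previous_outputs is not None and record["inputs"] != previous_outputs:
            findings.append(f"{record['stage']}: inputs differ from previous stage outputs")
        previous_outputs = record["outputs"]
    # What is about to be deployed must be exactly what the last stage produced.
    observed = {name: digest(blob) for name, blob in final_artifacts.items()}
    if previous_outputs is not None and observed != previous_outputs:
        findings.append("deploy: artifacts differ from the last attested outputs")
    return findings


# Constructed sample pipeline: a checkout stage yielding one source file and a
# build stage turning it into one artifact (a stand-in for a real build).
SOURCE = {"app.py": b"print('hello')\n"}
ARTIFACT = {"app.tar": b"TAR" + SOURCE["app.py"]}


def demo_clean() -> list:
    chain = [attest("checkout", {}, SOURCE), attest("build", SOURCE, ARTIFACT)]
    return verify_chain(chain, ARTIFACT)


def demo_tampered_artifact() -> list:
    chain = [attest("checkout", {}, SOURCE), attest("build", SOURCE, ARTIFACT)]
    # Tampering between build and deploy: the artifact is swapped after attestation.
    return verify_chain(chain, {"app.tar": b"TAR" + b"print('tampered')\n"})


def demo_tampered_record() -> list:
    checkout = attest("checkout", {}, SOURCE)
    build = attest("build", SOURCE, ARTIFACT)
    # Tampering with the build record itself without the key: the MAC no longer matches.
    build["record"]["outputs"]["app.tar"] = digest(b"something else")
    return verify_chain([checkout, build], ARTIFACT)


if __name__ == "__main__":
    print("clean:", demo_clean())
    print("swapped artifact:", demo_tampered_artifact())
    print("edited record:", demo_tampered_record())
```

The verifier deliberately keeps walking after a failed record so that every broken link is reported, which is why an edited build record also surfaces as a mismatch at the deploy step: the last trustworthy outputs are those of the checkout stage, and the artifact cannot be traced back to them.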
