In 2020, the European Union predicted a four-fold increase in software supply chain attacks. Our friends at Unit 42 found that even a mature security organization’s software supply chain could be compromised with one exposed secret. Supply chain attacks come from a variety of locations, including poisoning the software components, stealing secrets to compromise an account, modifying code repositories to allow for exploits, and more.
Mapping all of the components and processes of a software supply chain is the first step to understanding the threat surface and focusing on security efforts. How do you know all of the possible attack vectors that code presents at each stage of the process?
That’s why we’re excited to announce our latest innovation—Software Supply Chain Security.
We now provide you with a single dashboard to capture all of the files, resources, and pipeline components that make up your code and ultimately, your cloud environments. By proactively identifying areas of an application or supply chain that are vulnerable to attack, this visualization provides a quick view into the posture of your application and a visual to assist in threat modeling.
No one can spot the potential for an exploit and pivot like a security-minded developer. Developers know which vulnerabilities were left in their containers because fixing them would have meant a breaking change and a missed deadline. Developers know which dependencies would break if a database were taken offline to fix a misconfiguration. Software Supply Chain Security provides a visualization to spot those misconfigurations and vulnerabilities and to understand the processes and components that introduced them.
See it in action in my video below or keep reading to learn more.
What is software supply chain security?
Let’s look at an example of a cloud-native application. For your application, you likely have one or more repositories. Those repositories contain a mix of IaC such as Terraform to provision infrastructure, manifests to configure Kubernetes objects, and container code with dependencies. This code is likely stored in a repository with a CI/CD pipeline to build and deploy the application to the cloud.
Each of those components can be broken down into its base components for a picture of all of your application parts. For example, your IaC files will contain multiple resources, your Kubernetes manifests will define multiple objects, and your containers will contain multiple dependencies. Each of those, if deployed with vulnerabilities or misconfigurations, could contribute to a potential breach. Then you have the components of your delivery pipeline itself: your VCS, CI/CD pipeline, and cloud.
Mapping all of those components provides you with a complete code to cloud visualization. We then overlay the identified vulnerabilities and misconfigurations of those components and of the pipeline to give you a picture of the attack surface of your applications.
You can leverage this combination to threat model how a bad actor might exploit your supply chain. For example, if you notice a vulnerability in one of your Python dependencies, you can see how it is tied back to a container running in a Kubernetes cluster that has elevated that container to privileged. The best fix would be to patch that vulnerability and remove the elevated privileges.
How we built the Supply Chain Graph visualization
This new visualization is built on our graph-based backend and tracing capabilities. Nodes represent organizations, repositories, files, and resources, and edges represent the connections to the next layer. We take that graph and create a visual representation.
The final step is leveraging our tracing capabilities backed by Yor to tie the code resource to the running cloud resource. This completes the picture of the components and their connections from code to cloud.
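As an added illustration (not the product's own code), a toy version of the model just described: the layered nodes and edges, findings overlaid on nodes, the upward walk that turns "vulnerable dependency inside a privileged container" into a reportable path, and a join on Yor's yor_trace tag to link an IaC resource to its deployed counterpart. All node names, findings and tag values are constructed.

```python
from collections import defaultdict
# Edges (parent, child) over the layers the post names, org -> repo -> file -> resource; constructed.
EDGES = [
    ("org:acme", "repo:acme/shop"),
    ("repo:acme/shop", "file:requirements.txt"),
    ("repo:acme/shop", "file:k8s/deployment.yaml"),
    ("repo:acme/shop", "file:main.tf"),
    ("file:requirements.txt", "dep:pyyaml==5.3"),
    ("file:k8s/deployment.yaml", "k8s:Deployment/shop-api"),
    ("k8s:Deployment/shop-api", "container:shop-api"),
    ("container:shop-api", "dep:pyyaml==5.3"),  # the image installs this dependency
    ("file:main.tf", "tf:aws_eks_cluster.prod"),
]
# Findings overlaid on nodes: node -> (kind, detail). Constructed values.
FINDINGS = {
    "dep:pyyaml==5.3": ("vulnerability", "CVE-PLACEHOLDER"),
    "k8s:Deployment/shop-api": ("misconfiguration", "container runs privileged"),
}
# Yor writes a yor_trace tag into IaC resources; the deployed resource keeps it. Constructed values.
IAC_TAGS = {"tf:aws_eks_cluster.prod": {"yor_trace": "trace-0001"}}
CLOUD_INVENTORY = [{"id": "eks-cluster-prod", "tags": {"yor_trace": "trace-0001"}}]

def parents_index(edges):
    """Reverse adjacency (child -> parents) so we can walk up from a finding."""
    idx = defaultdict(set)
    for parent, child in edges:
        idx[child].add(parent)
    return idx

def attack_paths(edges, findings):
    """Walk up from each vulnerable node; report every path to a misconfigured ancestor (layered graph, so acyclic)."""
    up = parents_index(edges)
    results = []
    for start, (kind, _) in findings.items():
        if kind != "vulnerability":
            continue
        stack = [(start, [start])]
        while stack:
            node, path = stack.pop()
            if node != start and findings.get(node, ("",))[0] == "misconfiguration":
                results.append((start, node, path))
            stack.extend((p, path + [p]) for p in up[node])
    return results

def trace_to_cloud(iac_tags, inventory):
    """Join IaC resources to running cloud resources on the shared yor_trace tag."""
    by_trace = {r["tags"].get("yor_trace"): r["id"] for r in inventory}
    return {res: by_trace.get(t.get("yor_trace")) for res, t in iac_tags.items()}
```

Each reported path reads bottom-up, from the vulnerable dependency through the container to the Deployment that runs it privileged, which is the chain the threat-modeling example above walks by hand.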
Getting started with supply chain security
Securing your applications starts with visibility. Knowing where your misconfigurations and vulnerabilities exist in both code and cloud lets you understand the full impact of a security issue and fix it in code. Hardening your VCS and CI/CD pipelines secures the foundational storage and delivery mechanisms of your application, which would otherwise be a prime target for attacks. With Supply Chain Security, we’ve wrapped those two pieces together in a single visualization to quickly understand the components and processes that make up your application, and the possible attack vectors that need to be prioritized and prevented.