3/13/2023

Solarwinds teamcity

Software supply chain attacks have been on the rise over the past several years. We see evidence of this daily with more and more headlines proclaiming SolarWinds-style attacks. In fact, Gartner predicts that by 2025, nearly half of all organizations will have experienced an attack on their software supply chain.

In response to this rapid increase in attacks, software composition analysis (SCA) vendors have done a deft job of positioning themselves as the answer to software supply chain security. Organizations rely heavily on dependencies like open source and third-party software to develop solutions that meet the demands of today's agile development environments. Knowing what's in these dependencies that you didn't build yourself and have no direct control over is part of understanding your own product. It also allows you to be more transparent with your customers.

But here's the thing: While it's important to know what's in the dependencies in your application code, it's not the only thing you need visibility into to prevent software supply chain attacks. If it were, we wouldn't still be seeing a massive increase in this type of attack. After all, SCA is a relatively widely adopted technology. If it were the right solution to stop all software supply chain attacks, it would have done so by now.

Application Code Is Only a Piece of the Supply Chain Puzzle

Software supply chains consist of every person, process, or tool that touches your application across the SDLC. This includes everything from application code and developers to CI/CD pipelines and deployment environments. Securing vulnerable dependencies in your application code is only part of locking down your software supply chain. In fact, many of the attacks we see on the software supply chain don't involve application code, but rather target other parts of the SDLC.

The National Telecommunications and Information Administration (NTIA) under the US Department of Commerce recently released a report titled The Minimum Elements of a Software Bill of Materials (SBOM) on behalf of the US federal government, in which it acknowledged that identifying dependencies in application code is unlikely to prevent many of the software supply chain attacks we see today. The NTIA states, "Several recent high profile attacks in the supply chain did not target software components, but the tools and systems used to manage the software development and build process." To prevent attacks on your software supply chain, organizations need a complete view of their SDLC. Unfortunately, traditional SCA solutions provide either extremely limited or no visibility into development pipelines. This means that even though you may be diligent in scanning your open source components, you're still at risk of a software supply chain attack.

One significant shortcoming of SCA is that it scans only application code. SCA offers no visibility into the tools and infrastructure that make up the SDLC itself. And if it doesn't provide visibility into your pipelines, how is it going to help you identify when something nefarious is happening? If we've learned anything from the SolarWinds attack, it's that threat actors are targeting the relatively unprotected pipelines that help transform your application from lines of code into something that is built and deployed into production. SolarWinds was infiltrated via a misconfigured TeamCity server. From there, threat actors were able to move laterally with ease and remained undetected for months. SCA scanning for vulnerable dependencies in your application does not protect you in any way, shape, or form from a similar attack.

Still think that SCA is enough to provide comprehensive supply chain security? You only need to look to Codecov as another high profile software supply chain breach. In this example, a malicious actor altered a Codecov bash uploader script so that downstream customers could be compromised and their credentials stolen.

Attacks on development infrastructure are increasing. Scanning application code dependencies like open source libraries would not have prevented this software supply chain attack. When the tools that help create and deploy your application are providing attackers access to your application, you need to be watching those tools and hardening your infrastructure to prevent attacks. Scanning only application code is not going to protect you. The fact is that you need visibility, which is something that traditional SCA tools cannot give you. To state it in even simpler terms: You cannot protect what you cannot see.

Next-Generation SCA: Pipeline Composition Analysis
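The Codecov breach described above turned on a pipeline helper script being altered before downstream customers fetched and ran it. The following is an added example, not code from the original post or from Codecov: a POSIX shell helper that pins a SHA-256 digest for a CI helper script and refuses to execute the script when the digest no longer matches. The script contents, the pinned digest and the tampered copy are all constructed inline for the demo; the script name `uploader.sh` and the pinned value are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or from Codecov): a pipeline step
# should refuse to run a fetched helper script unless its SHA-256 matches a
# digest pinned in the repository. A tampered copy, however small the change,
# no longer matches the pinned digest and is never executed.

# sha256 of a file, portable across sha256sum (coreutils) and shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run SCRIPT PINNED_SHA256 [ARGS...]
# Runs SCRIPT only if its digest equals PINNED_SHA256; otherwise reports the
# mismatch on stderr and returns 1 without executing anything.
verify_and_run() {
    script="$1"; pinned="$2"; shift 2
    actual=$(file_sha256 "$script")
    if [ "$actual" != "$pinned" ]; then
        echo "REFUSING to run $script: sha256 $actual != pinned $pinned" >&2
        return 1
    fi
    sh "$script" "$@"
}

# --- Constructed demo data: a hypothetical uploader script, not Codecov's ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
good="$workdir/uploader.sh"
printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$good"

# The pinned digest is what a reviewer commits next to the pipeline definition
# after inspecting the script at the version being pinned (computed here from
# the constructed file, so the demo is self-contained).
PINNED_SHA256=$(file_sha256 "$good")

# A tampered copy: the same script with one unreviewed line appended. Any such
# modification changes the digest, which is what the check relies on.
bad="$workdir/uploader_tampered.sh"
cp "$good" "$bad"
printf '%s\n' 'echo "unreviewed change"' >> "$bad"

# run_demo returns 0 only if the pinned script is accepted and the tampered
# copy is rejected.
run_demo() {
    verify_and_run "$good" "$PINNED_SHA256" || return 1
    if verify_and_run "$bad" "$PINNED_SHA256"; then
        echo "tampered script was accepted (should not happen)" >&2
        return 1
    fi
    echo "integrity check behaved as expected"
}

run_demo
```

The point of the pinned digest is that it lives in version control next to the pipeline definition, so changing it is itself a reviewed change; a `curl | bash` step with no pin gives the pipeline no way to notice that the script it fetched is not the one that was reviewed.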