Securing the Software Supply Chain: Starting With the Basics

Whether you are here because of the recent cybersecurity executive order in the U.S., the Solarwinds or Kaseya attacks, or because your organization is asking for more information about secure software supply chains, I can say you’re in the right place. Here at CloudBees, we believe that understanding and securing your software supply chain will become even more critical to an organization’s security posture. In fact, it will be so important that we are starting and investing in a blog and video series to explain concepts and share best practices. In this first blog post, we will define the software supply chain and talk about some trends we have seen over the years. 

The software supply chain is often compared to traditional supply chains—and for good reason. Traditional supply chains have similar stages from concept to consumer.

It all starts with an idea. Let’s use a children’s toy as an example. Materials are sourced to create a prototype which is then researched and tested in user groups. Once the prototype is finalized, scaled manufacturing efforts begin. These production environments range from a single person working manually out of their garage to multiple teams operating out of large warehouses where automated assembly lines accelerate production and store inventory of finished products. Those products are then shipped out to suppliers where they can be accessed by consumers, using packaging sourced from a third-party supplier and shipped by a postal carrier. 

Managing traditional supply chains relies on a series of synchronized decisions and activities that integrate the various channels—ensuring that the right products are distributed to the right locations in the right quantities and at the right times. If any interruptions or issues arise throughout this course of events, it could result in delayed distribution (or even a recall if one of the raw materials is found to be a safety hazard).

Hopefully, you are already drawing some parallels to how software supply chains might mirror the stages in a traditional supply chain. 

Software also starts with an idea. Developers and engineers pull together the various building blocks of software—source code, binaries, libraries, packages, any component that the software needs to function. CI/CD pipelines orchestrate and manage the delivery of software. Various developer tools are integrated within these pipelines to automate builds, testing, artifact management, infrastructure provisioning, and deployment to staged environments. Once in production, the software can be released to end users. 

While that may seem straightforward, how well do you really know your software’s code and dependencies? And not just the custom code that was written by internal developers and engineers, but the code behind all those libraries, packages, plugins, and images that your software is built upon and relies on to run. The pursuit of rapid innovation and continuous improvement has contributed to the increased usage of open source and third-party software. Research has shown that the average GitHub repository contains 203 open source dependencies, and 62 percent of an enterprise application is sourced from developers outside of your organization. Software supply chain attacks happen when vulnerabilities in open source and third-party software code are exploited and enable the downstream distribution of malicious code. 

When these attacks happen, you need to know if your software has been impacted and to what extent. Having visibility into your software supply chain is necessary to answer these questions accurately. Experts say that creating a Software Bill of Materials (SBOM) can enable that transparency between software creators and software users. SBOMs are machine-readable inventories of software components and dependencies, information about those components, and their hierarchical relationships. Data formats such as SPDX, CycloneDX, and software identification (SWID) tags can be used to automate the creation and consumption of SBOMs. The Linux Foundation has a free course you can take to learn more about SBOMs. 

In the next blog post in this series, I will dive into past software supply chain attack timelines and methods. Future posts will discuss common methodologies that your organization can take to mitigate these security risks—and how CloudBees capabilities can enable you to do so.

• Read the blog: Software Supply Chain Attacks: Who Owns the Risk and What Can Be Done?