The innovation of DevOps toolchains has delivered increased efficiency for engineering teams. At the same time, these innovations have also increased security risk as shown by the rise of attacks on the software supply chain. To counter this risk and secure software supply chains, organizations need strong SDLC governance across the entire software delivery pipeline.
Having a strong SDLC governance program is like building a house on a strong foundation. Your walls won’t crack, your roof will have the right pitch, and you don’t have to worry about leaks. Implementing strong governance should be the foundation of not only your software supply chain security program, but your entire AppSec program. When your organization has a solid foundation of governance, all your other security initiatives simply work better.
Characteristics of Strong SDLC Governance
When adopting a strong governance program, organizations should keep in mind several fundamental requirements:
- Visibility – Security can’t protect what it can’t see. Engineering teams typically purchase tools that help them develop applications efficiently. These tools are implemented and run by engineering, usually without the involvement of security. The first step for any governance program is for security to gain visibility into the tools, people, and processes that make up their SDLC.
- Least privilege policies – Enforcing least privilege is one of the most important security measures you can take. It dramatically reduces the risk across your entire organization. Developers are overprovisioned. Compromising one account can lead to lateral movement across your SDLC. By enforcing least privilege, you reduce your attack surface.
- Authentication – Multi-factor authentication and single sign-on verify that users are who they claim to be. When developer accounts are harder to access, it’s harder to infiltrate the SDLC. A recent Microsoft study showed that your account is more than 99.9% less likely to be compromised if you use multi-factor authentication.
- Branch protection and build rules – Implementing branch protection rules and build rules, then monitoring them so they aren’t turned off is essential. This includes peer reviews, no forced pushes, commit signing, unit testing, and scans for SAST, SCA, IaC, and hardcoded secrets.
- Monitoring change controls – Once you’ve tuned your environment for security, you want to make sure that it stays secure. You can’t just set your environment on day one and walk away. Changes to security controls are intentional and controlled. They don’t just change on the fly. You need to be alerted when your environment changes as this may be a sign of code tampering or a breach.
This is by no means an exhaustive list, but it is a great starting point for locking down your software supply chain.
SDLC Governance Improves Other Security Initiatives
One of the great benefits of adopting a solid foundation of SDLC governance is that it improves all of your other security initiatives. From code leakage and code tampering to scanning for hardcoded secrets and Infrastructure as Code (IaC) misconfigurations, the policies you set in place for governance also advance other security initiatives.
Source code is the foundation of a software company’s intellectual property. If it leaks, not only is IP at risk, but attackers can use source code to identify vulnerable routes and libraries to further exploit an application. Furthermore, leaked code often contains sensitive user data or hardcoded secrets, both of which have devastating consequences when exposed. So how does strong governance help with code leaks?
Strong governance prevents leaks in several ways:
- Least privilege policies – Reducing developers’ access to repositories limits the amount of code that could be leaked by a compromised insider, such as a developer whose credentials have been stolen, or by a malicious insider seeking to damage the organization.
- Hardening authentication – The likelihood that an attacker can infiltrate an account to access and leak your code is reduced by multi-factor authentication.
- Detecting anomalous or suspicious user activity – Malicious actors are identified quickly, before they are able to leak code.
When source code is tampered with, it not only impacts your IP – and potentially your revenue – but it also can be weaponized against your downstream customers, as was the case with the SolarWinds attack. Certainly, no one wants to make headlines as the next supply chain attack. So how does effective governance help prevent code tampering?
Strong governance builds a foundation of trust in several ways:
- Least privilege policies – Confirms that the developer committing code has permission to access specific repositories. A developer committing code to a repository that they don’t have write access to is a red flag.
- Hardening authentication – Verifies that users are who they claim to be
- Branch protection and build rules – Checks that inadvertent mistakes haven’t been introduced that might expose your code.
- Security control monitoring – Identifies unsanctioned changes to your security controls that might indicate code tampering. For example, if a branch protection rule has been disabled, that might be a sign that something abnormal is going on.
The insecure development practice of hard coding secrets in source code has become increasingly common as more applications leverage dependencies that need to authenticate services. When exposed, embedded credentials such as usernames, passwords, tokens, API keys, or other secrets in code give attackers unauthorized access to valuable applications. Once an attacker has a foothold in a system, it is easy for them to move laterally across your software development pipeline, shifting left into source code or right into production environments and even targeting customers further downstream by tampering with code.
Implementing a solid foundation of governance helps reduce the risk of hardcoded secrets in a number of ways:
- Least privilege policies – Shrinking access to code that might contain hardcoded secrets lessens the risk that it could be exploited by a malicious or compromised insider.
- Hardening authentication – When accounts are harder to compromise, organizations reduce the risk of secrets exposure from a developer who has been compromised.
- Branch protection rules – Peer reviews and other security measures that comprise branch protection rules identify and remediate hardcoded secrets before they are merged into the main codebase.
The danger of IaC misconfigurations is that any issue or vulnerability built into your infrastructure is propagated at the push of a button. Automating holes into the build process makes it easy for hackers to exploit your application when it’s in production. Governance helps prevent this in a number of ways:
- Hardening authentication – The risk of compromised insiders accessing IaC templates is significantly reduced when multi-factor authentication is in place.
- Separation of duties – Very rarely does a developer who writes feature code also write IaC code. Limiting access to IaC repos to only those who write it reduces your exposure.
- Least privilege policies – Similar to separation of duties, least privilege policies reduce access to IaC code and lessens the possibility that it could be tampered with or exposed.
Security Is Better Together
SDLC governance is a lot about building a strong foundation to close the security gaps in your DevOps tools and infrastructure. Once you get the basics in place, you can then move on to more advanced features and capabilities that address specific use cases to fully lock down your software supply chain.
Don’t be fooled into thinking that getting the basics right is a simple task. Modern development ecosystems are extremely complex. Implementing the basics is more than setting a policy then forgetting about it. What was once secure quickly becomes insecure. A strong foundation of governance requires continuously auditing the basics, such as auditing for excess privileges. If you’re constantly locking down user accounts, for example, you’ll reduce your risk whether from a rogue employee or a compromised insider. To do governance right requires an automated solution that can handle the diversity of modern DevOps toolchains.
The truth, however, remains: Once you get the foundation right, all your other security initiatives benefit greatly.
Want to learn more about how Cycode can help you implement a strong SDLC governance program to protect your entire supply chain? Visit us at cycode.com.