Software supply chain security

Modern frameworks and approaches to software development focus on speed and reliability of software delivery, as well as shared ownership among software stakeholders.

In addition to the DevOps practice of shifting left on security, many other DevOps practices contribute to delivering more secure software. Greater stakeholder collaboration, visibility of work, reproducible builds, automated testing, incremental changes, are all practices that can support software security. In fact, the Accelerate State of DevOps Report 2022 found that higher-trust cultures are more likely to adopt practices to strengthen the software supply chain, and use of CI/CD helps with implementing security practices.

However, modern development frameworks lack guidance that helps organizations understand threats to their software, assess their ability to detect and respond to threats, and implement mitigations. They also tend to focus specifically on the code and processes within an organization and neglect external factors that can impact the integrity of applications. For example, an attack that compromises an open source software package impacts any code that directly or indirectly relies on that package. Software supply chain attacks like these have increased sharply since 2020.

Software supply chains

A software supply chain consists of all the code, people, systems, and processes that contribute to development and delivery of your software, both inside and outside of your organization. It includes:

  • Code you create, its dependencies, and the internal and external software you use to develop, build, package, install, and run your software.
  • Processes and policies for system access, testing, review, monitoring and feedback, communication, and approval.
  • Systems you trust to develop, build, store, and run your software and its dependencies.

Given the broad reach and complexity of the software supply chain, there are numerous ways to introduce unauthorized changes to the software that you deliver to your users. These attack vectors span across the software lifecycle. While some attacks are targeted, such as the attack on the SolarWinds build system, other threats are indirect or enter the supply chain through weaknesses in process or neglect.

For example, in a blog post about the remote execution vulnerability in Apache log4j from December 2021, the Google Open Source Insights team noted that there were over 17,000 affected packages in Maven Central. Most of the affected packages did not depend directly on the vulnerable log4j-core package, but had dependencies that required it.

Process gaps such as lack of code review or security criteria for deployment to production can allow bad code to unintentionally enter the supply chain. Similarly, bad code can get into your software if you build with source code outside of your trusted version control system, or package and deploy applications from systems outside of your trusted build system and artifact repositories.

According to the 2021 State of the Software Supply Chain, both use of open source software and attacks on software supply chains grew sharply between 2020 and 2021:

  • There was a 650% year-over-year increase in software supply chain attacks in 2021.
  • Availability and demand for open source packages continues to grow, with a 73% year-over-year increase in open source component downloads in 2021.
  • Vulnerabilities are most common in the most popular open source projects.

To protect the integrity of your software, it's important to understand your security posture: how prepared your organization is to detect, respond to, and remediate threats.

Compliance requirements and assessment frameworks

Increased concern about supply chain security has led to creation of new government regulations specific to supply chain security such as:

New frameworks are emerging to help organizations assess their security posture and learn about mitigations for threats.

These frameworks take established software security practices and structure them in a format that helps you to identify security threats you need to address and what actions to take to mitigate threats.

Protect your software supply chain on Google Cloud

Software Delivery Shield provides a fully-managed, software supply chain security solution on Google Cloud. It incorporates best practices, including practices in frameworks such as SLSA and NIST SSDF. You adopt the components of the solution gradually, based on your priorities and needs.

What's next