A secure supply chain is a critical piece of cloud native security, and it can be tricky to get right because it covers such a broad expanse of factors from code to pipelines and beyond.
The breadth of the supply chain also makes it vulnerable: according to a survey from Security Magazine, 91% of organizations experienced attacks in 2023. The top three types of attacks were exploited vulnerabilities or misconfigurations, stolen secrets, and data breaches. The reverberations of a supply chain attack go far beyond the organization itself and include reputational damage, loss of revenue, and even legal liability. In fact, IBM’s 2023 “Cost of a Data Breach” survey found that a breach cost organizations worldwide an average of $4.45 million, a 15% increase over the last three years.
Not surprisingly, 51% of survey respondents told IBM their organizations were planning to increase spending on security.
So, no matter where your organization is on the journey to a more secure supply chain, taking extra steps is never a bad idea. Our Security Technical Advisory Group has created a series of questions teams can ask to dig deeper. The framework is divided into four areas: source code, materials, build pipelines, and artefacts and deployments.
Start by verifying the source code, asking questions including:
- Do you require signed commits?
- Do you use git hooks or automated scans to prevent committing secrets to source control?
- Have you defined an unacceptable risk level for vulnerabilities? For example: no code may be committed that includes Critical or High vulnerabilities.
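As an added illustration of the second question (this is example code written for this post, not a TAG tool or anything the framework ships), here is a minimal pre-commit secret gate in Go. The rule set, the entropy cutoff and the staged diff it scans are all constructed for the example; in a real hook the diff would come from `git diff --cached`, and most teams run a maintained scanner with a far larger pattern library rather than hand-written expressions. The entropy check is there so that an obvious placeholder such as `changeme_dev` does not block every developer's commit while a long random token does.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding records one suspected secret on an added line of a staged diff.
type Finding struct {
	Line int    // 1-based line within the diff text
	Rule string // which pattern fired
	Text string // the offending line, so the author can locate it
}

// A few illustrative patterns (assumption: this rule set is ours, not a real scanner's).
var secretRules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"private-key-block", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
	{"credential-assignment", regexp.MustCompile(`(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]?([A-Za-z0-9/+=_-]{12,})`)},
}

// minEntropy is the Shannon entropy (bits per character) below which a credential-looking
// assignment is treated as a placeholder rather than a live secret.
const minEntropy = 3.5

// shannonEntropy measures how random a token looks; generated keys score high, words score low.
func shannonEntropy(s string) float64 {
	runes := []rune(s)
	if len(runes) == 0 {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range runes {
		counts[r]++
	}
	var h float64
	n := float64(len(runes))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanDiff inspects only the lines a commit adds ("+" prefix, excluding the "+++" file header),
// so pre-existing content and removed lines never block a commit.
func ScanDiff(diff string) []Finding {
	var out []Finding
	for i, line := range strings.Split(diff, "\n") {
		if !strings.HasPrefix(line, "+") || strings.HasPrefix(line, "+++") {
			continue
		}
		content := line[1:]
		for _, rule := range secretRules {
			m := rule.re.FindStringSubmatch(content)
			if m == nil {
				continue
			}
			if rule.name == "credential-assignment" && shannonEntropy(m[1]) < minEntropy {
				continue // low-entropy value: almost certainly a placeholder
			}
			out = append(out, Finding{Line: i + 1, Rule: rule.name, Text: strings.TrimSpace(content)})
		}
	}
	return out
}

// sampleDiff is a constructed staged diff used to exercise the scanner offline.
// The AKIA value is the public example key from AWS documentation, not a live credential.
const sampleDiff = `diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-api_key = os.environ["API_KEY"]
+api_key = "9f3Kq2ZpL7mR4xWv8BnT"
+password = "changeme_dev"
+aws_id = "AKIAIOSFODNN7EXAMPLE"`

// main mirrors what a pre-commit hook does: report findings and refuse the commit if any exist.
func main() {
	findings := ScanDiff(sampleDiff)
	for _, f := range findings {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Rule, f.Text)
	}
	if len(findings) > 0 {
		fmt.Println("commit blocked: move the value to an environment variable or secret manager")
	}
}
```

On the constructed diff the scanner reports the random-looking API key and the AWS key ID, and lets the `changeme_dev` placeholder through. Whatever scanner you choose, run it on the staged content (not the working tree) so the check sees exactly what would enter history, and pair it with the signed-commit requirement so that the hook cannot simply be bypassed by a commit made outside the developer's normal environment.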
Next, verify materials:
- Do you verify that dependencies meet your minimum thresholds for quality and reliability?
- Do you automatically scan dependencies for security issues and license compliance?
- Do you automatically perform Software Composition Analysis on dependencies when they are downloaded/installed?
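The three questions above reduce to a policy that every dependency is evaluated against before it is installed. The following Go program is an added example of such a gate; it is not TAG code and the report format it reads is an assumption made for the example rather than any real SCA tool's output. The advisory IDs and hashes in the sample report are placeholders, not real identifiers. The policy applies the same Critical/High threshold mentioned for source code to dependencies, requires a permissive licence from an allowlist, and insists that every dependency is pinned by a content hash so that what the build installs is exactly what was scanned.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Vulnerability is one advisory attached to a dependency.
type Vulnerability struct {
	ID       string `json:"id"`
	Severity string `json:"severity"`
}

// Dependency is one entry of the SCA report. These field names are our own assumption,
// not the schema of a real tool.
type Dependency struct {
	Name            string          `json:"name"`
	Version         string          `json:"version"`
	License         string          `json:"license"`
	Integrity       string          `json:"integrity"` // content hash from the lockfile, if any
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// Policy is the organisation's minimum threshold for a dependency to enter the build.
type Policy struct {
	AllowedLicenses   map[string]bool
	BlockedSeverities map[string]bool // severities that make a dependency unacceptable
	RequireIntegrity  bool
}

// DefaultPolicy blocks Critical and High findings, permits a short list of permissive
// licences, and insists every dependency is pinned by content hash.
func DefaultPolicy() Policy {
	return Policy{
		AllowedLicenses:   map[string]bool{"MIT": true, "Apache-2.0": true, "BSD-3-Clause": true},
		BlockedSeverities: map[string]bool{"CRITICAL": true, "HIGH": true},
		RequireIntegrity:  true,
	}
}

// Evaluate parses a report and returns one message per violation, sorted for stable output.
// An empty result means every dependency passed and installation may proceed.
func Evaluate(report []byte, p Policy) ([]string, error) {
	var deps []Dependency
	if err := json.Unmarshal(report, &deps); err != nil {
		return nil, fmt.Errorf("parse report: %w", err)
	}
	var violations []string
	for _, d := range deps {
		id := d.Name + "@" + d.Version
		if !p.AllowedLicenses[d.License] {
			violations = append(violations, fmt.Sprintf("%s: license %q is not on the allowlist", id, d.License))
		}
		if p.RequireIntegrity && d.Integrity == "" {
			violations = append(violations, fmt.Sprintf("%s: no integrity hash recorded", id))
		}
		for _, v := range d.Vulnerabilities {
			if p.BlockedSeverities[strings.ToUpper(v.Severity)] {
				violations = append(violations, fmt.Sprintf("%s: vulnerability %s has blocked severity %s", id, v.ID, v.Severity))
			}
		}
	}
	sort.Strings(violations)
	return violations, nil
}

// sampleReport is a constructed report; the advisory IDs and hashes are placeholders.
const sampleReport = `[
  {"name": "libfoo", "version": "1.2.3", "license": "MIT",
   "integrity": "sha256-PLACEHOLDER-FOO", "vulnerabilities": []},
  {"name": "libbar", "version": "0.9.0", "license": "AGPL-3.0",
   "integrity": "sha256-PLACEHOLDER-BAR",
   "vulnerabilities": [{"id": "EXAMPLE-ADV-0001", "severity": "High"},
                       {"id": "EXAMPLE-ADV-0002", "severity": "Low"}]},
  {"name": "libbaz", "version": "2.0.0", "license": "MIT",
   "integrity": "", "vulnerabilities": []}
]`

func main() {
	violations, err := Evaluate([]byte(sampleReport), DefaultPolicy())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, v := range violations {
		fmt.Println("DENY", v)
	}
	if len(violations) == 0 {
		fmt.Println("all dependencies meet policy")
	}
}
```

Run against the sample report, the gate denies `libbar` twice (licence and a High advisory) and `libbaz` once (no integrity hash), while `libfoo` passes. The useful property of a check like this is that it is the same code whether it runs on a developer's machine at install time or in the pipeline, so the answer to "did this dependency meet our threshold?" never depends on who installed it.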
Make certain the build pipelines are protected:
- Do you use hardened, minimal containers as the foundation for your build workers?
- Do you maintain your build and test pipelines as Infrastructure-as-Code?
- Do you automate every step in your build pipeline outside of code reviews and final sign-offs?
And finally, protect artefacts and deployments:
- Is every artefact you produce (including metadata and intermediate artefacts) signed?
- Do you distribute metadata in a way that can be verified by downstream consumers of your products?
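To make the last two questions concrete, here is an added Go example of the producer and consumer sides of signed artefact metadata. It is not TAG code, and the metadata schema and envelope are assumptions made for this example rather than any standard format: a real pipeline would use an established signing envelope and key distribution mechanism. The point it demonstrates is the one the questions are asking about: the build signs a record of the artefact's digest, the record and signature travel together, and a downstream consumer can reject a tampered artefact, tampered metadata, or a signature from a key it does not trust, all without contacting the producer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Metadata is what the build records about one artefact (illustrative schema, not a real format).
type Metadata struct {
	Artefact string `json:"artefact"`
	SHA256   string `json:"sha256"`
	Builder  string `json:"builder"`
}

// Envelope carries the serialised metadata with its signature, so the consumer knows exactly what was signed.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Digest returns the hex SHA-256 of the artefact bytes.
func Digest(artefact []byte) string {
	sum := sha256.Sum256(artefact)
	return hex.EncodeToString(sum[:])
}

// Sign serialises the metadata and signs those exact bytes with the build's Ed25519 key.
func Sign(priv ed25519.PrivateKey, m Metadata) (Envelope, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the consumer's check: the signature must verify under the key it trusts, and the
// artefact it actually downloaded must match the digest the signed metadata vouches for.
func Verify(pub ed25519.PublicKey, env Envelope, artefact []byte) (Metadata, error) {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Metadata{}, fmt.Errorf("signature does not verify under the trusted key")
	}
	var m Metadata
	if err := json.Unmarshal(env.Payload, &m); err != nil {
		return Metadata{}, fmt.Errorf("unreadable metadata: %w", err)
	}
	if got := Digest(artefact); got != m.SHA256 {
		return Metadata{}, fmt.Errorf("artefact digest %s does not match signed digest %s", got, m.SHA256)
	}
	return m, nil
}

// DemoResult records which consumer-side checks behaved as expected.
type DemoResult struct {
	GenuineAccepted, TamperedArtefactRejected, TamperedMetadataRejected, WrongKeyRejected bool
}

// Demo walks both sides with a constructed artefact and a fresh key pair.
func Demo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	artefact := []byte("constructed artefact bytes, release v1") // stands in for a tarball or image layer
	meta := Metadata{Artefact: "app-v1.tar.gz", SHA256: Digest(artefact), Builder: "example-ci-worker"}
	env, err := Sign(priv, meta)
	if err != nil {
		return DemoResult{}, err
	}
	var r DemoResult
	_, err = Verify(pub, env, artefact)
	r.GenuineAccepted = err == nil
	_, err = Verify(pub, env, []byte("something else entirely")) // swapped artefact
	r.TamperedArtefactRejected = err != nil
	forged := env // same signature, re-serialised metadata claiming a different builder
	forged.Payload, _ = json.Marshal(Metadata{Artefact: meta.Artefact, SHA256: meta.SHA256, Builder: "unknown-builder"})
	_, err = Verify(pub, forged, artefact)
	r.TamperedMetadataRejected = err != nil
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a key the consumer does not trust
	_, err = Verify(otherPub, env, artefact)
	r.WrongKeyRejected = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

Two design points carry over to any real implementation. First, the consumer verifies the signature before it parses the payload, so untrusted bytes are never interpreted until their origin is established. Second, the digest in the metadata is compared against the bytes the consumer actually has, which is what turns "this metadata is authentic" into "this artefact is the one the build produced".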
Dive into the entire framework, but don’t stop there!
Join us in Seattle for CloudNativeSecurityCon North America 2024 on June 26 and 27 to learn from and network with experts in every facet of cloud native security.