In the realm of IT, organizations often face a tradeoff between rapidly shipping new features and paying off technical debt. Technical debt encompasses a range of factors, including reliability, performance, testing, and security. In today’s “ship fast and break things” era, organizations willingly accumulate security debt as they prioritize the development of new features over addressing security concerns. However, it is crucial for Chief Information Security Officers (CISOs) to recognize the moments when security debts must be prioritized and addressed.
The recent Log4j exploit sent shockwaves through the cybersecurity community, particularly for CISOs, as it shed light on a massive accumulating security debt that had gone unnoticed. The exploit exposed a significant gap between open-source projects and the wider ecosystems of creators, maintainers, package managers, and organizations utilizing these projects. This gap presented an avenue for attackers to exploit vulnerabilities and gain unauthorized access to systems. Consequently, CISOs need to formulate a cohesive plan to address the security debt within the software supply chain.
One particularly vulnerable aspect of the software supply chain lies in the lack of trust mechanisms and secure chains of custody within developer build systems. Although companies have improved their network security measures, a whole class of exploits persists due to the absence of a verification mechanism for software artifacts utilized in application development. While individuals have learned not to connect untrusted thumb drives to their computers due to inherent security risks, developers have been downloading open-source packages without any means of ensuring their safety.
Malicious actors capitalize on this vulnerability as an opportune attack vector. By gaining access through these insecure artifacts, they can pivot to other systems dependent on these artifacts and infiltrate further. Therefore, it is crucial for CISOs to focus on securing build systems to mitigate this risk. CISOs are encouraged to adopt frameworks such as the NIST Secure Software Development Framework (SSDF) and OpenSSF’s Supply Chain Levels for Software Artifacts (SLSA) to establish a strong foundation for a secure software supply chain.
Additionally, CISOs must consider policies surrounding the acquisition of open-source software by developer teams. It is essential to ensure that developers are aware of their company’s security policies and have a means of verifying the integrity of the open-source software they acquire. By implementing robust build system security measures and establishing repeatable methods to verify software artifact provenance, CISOs can prevent their organizations from digging deeper into security debt.
Addressing old software supply chain security debt requires a collaborative effort between CISOs and development teams. Updating software and patching vulnerabilities, including those found in base image versions, can be tedious and time-consuming. Nonetheless, it is a necessary task in paying off security debt. CISOs and development teams can collaborate to implement secure and productive tooling and processes, subsequently establishing a software supply chain that is inherently secure.
Updating container base images can be challenging for some software teams. Base images serve as the foundation for container-based software applications, and updating them to newer versions can lead to potential compatibility issues and disrupt application functionality. However, neglecting this update process exposes software applications to an accumulation of vulnerabilities. To manage this issue, software teams should frequently update images with smaller changes and employ techniques like canary releases to test changes in a production environment. Additionally, utilizing hardened and minimal container base images, along with critical software supply chain security metadata such as Software Bills of Materials (SBOMs), provenance, and digital signatures, can simplify the process of vulnerability management in base images.
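As an added illustration of how SBOM metadata makes base-image vulnerability management repeatable (this is example code, not from the original article or any specific tool), the script below parses a constructed CycloneDX-style SBOM for a base image and checks each component's package URL against a constructed advisory list; the advisory identifiers and affected version ranges are placeholders, not real advisory data.

```python
import json
import re

# Constructed CycloneDX-style SBOM for a container base image (sample data, not a real image).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:deb/debian/openssl@1.1.1k"}
  ]
}
"""

# Constructed advisory feed: (placeholder advisory id, purl without version, first affected, first fixed).
ADVISORIES = [
    ("ADV-PLACEHOLDER-1", "pkg:maven/org.apache.logging.log4j/log4j-core", "2.0", "2.17.1"),
    ("ADV-PLACEHOLDER-2", "pkg:deb/debian/openssl", "1.1.1", "1.1.1l"),
]

def parse_version(v):
    # Split into numeric and alphabetic tokens so that "1.1.1k" < "1.1.1l" and "2.14.1" < "2.17.1";
    # the leading tag keeps ints and strings from being compared directly.
    tokens = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)

def split_purl(purl):
    # purl = "pkg:type/namespace/name@version?qualifiers#subpath"; return (base, version).
    base, _, rest = purl.partition("@")
    version = rest.split("?")[0].split("#")[0]
    return base, version

def affected_components(sbom_json, advisories):
    # Return (advisory id, component name, version, first fixed) for every affected component.
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl means no reliable identity to match against an advisory
        base, version = split_purl(purl)
        v = parse_version(version or comp.get("version", ""))
        for adv_id, adv_base, first_affected, first_fixed in advisories:
            if base == adv_base and parse_version(first_affected) <= v < parse_version(first_fixed):
                findings.append((adv_id, comp["name"], version, first_fixed))
    return findings

if __name__ == "__main__":
    for adv_id, name, version, fixed in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {name}@{version} affected; rebuild base image with >= {fixed}")
```

Run against a real SBOM (for example one emitted by an image build pipeline) and a real advisory feed, the same matching loop gives the repeatable check the text calls for, with the SBOM serving as the inventory that would otherwise have to be reconstructed by hand after an incident.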
It is crucial for organizations to address security debt proactively rather than postponing it for an indefinite “someday.” Failing to do so often leads to security surprises during critical periods when vulnerabilities are most likely to be exploited. The Log4j vulnerability, for example, emerged just before the busy holiday e-commerce season, leaving numerous engineering and security teams crippled for an extended period. CISOs should invest in more secure build systems, implement software signing methods to verify software provenance, and utilize hardened and minimal container base images to reduce the attack surface of software and applications.
While resolving software supply chain security debt may seem daunting, CISOs face the dilemma of deciding how much debt they are willing to accumulate before the resulting level of exposure becomes unacceptable. Balancing the ongoing efforts of developers to continuously update base images and address software vulnerabilities against the need for timely delivery of new features poses an ongoing challenge for CISOs.
In conclusion, addressing software supply chain security debt is crucial for organizations seeking to enhance their overall security posture. By prioritizing secure build systems, implementing robust verification processes, and proactively managing vulnerabilities, organizations can significantly reduce their exposure to potential exploits. CISOs play a pivotal role in recognizing the need to pay off security debts and collaborating with development teams to establish secure software supply chains.