How to Understand the Software Supply Chain

Introduction

Welcome to the exploration of the software supply chain and the security risks associated with it. As software development evolves, we have transitioned from creating monolithic applications—single, unified pieces of software—to embracing a microservices or cloud-native approach. This shift allows for smaller, more frequent deployments but also introduces greater complexity and security vulnerabilities.

The Conceptual View of the Software Supply Chain

To better understand the software supply chain, we can draw an analogy from car manufacturing. A car starts as a bare chassis and goes through a complex assembly line where up to 10,000 parts from approximately 2,600 different suppliers are added before it is delivered to customers. Similarly, the software supply chain consists of multiple components.

At the core of this supply chain is the developer’s machine, which is used to push source code to a repository like Azure Repos. However, this discussion could easily interchange Azure components with others like GitHub or GitLab.

Once the source code changes, the build server (Azure Pipelines) picks them up and triggers a build that may include running tests. The outcome often results in a Docker image pushed to the Azure Container Registry and a subsequent deployment via Azure Kubernetes Service. This illustrates how a piece of software moves from development to production.

It's important to note that using a development laptop involves trusting both the hardware vendor and the firmware. This dependency extends to the communication between package managers over a TLS-secured channel, which can also face its own issues.

Security Risks in Software Development

In May 2020, the GitHub Security team revealed that the NetBeans IDE had fallen victim to malware, showing that sophisticated and targeted attacks can occur at the development tool level. Developers who frequently use popular tools like Visual Studio Code need to be vigilant as these tools can be attractive targets for attackers due to their widespread use.

Visual Studio Code is built on the Electron framework, which includes 82 dependencies maintained by over 100 contributors. This interconnectedness means that any vulnerability or malicious intent from a single contributor can have a far-reaching impact.

Another significant illustration of potential supply chain risk arose in November 2018 with an npm package called Event Stream, which was compromised. This package saw over two million downloads weekly and was a transitive dependency for approximately 2,000 other packages. This demonstrates that if a third-party library’s supply chain is compromised, your own software may also be at risk.

Having discussed code development, let’s turn to the implications of committing code to a source repository. This action typically involves credentials that can be vulnerable to theft. For example, Canonical’s GitHub account was compromised in July 2019, allowing unauthorized changes to its repositories. A similar incident occurred in May 2020 when Microsoft’s GitHub account was breached, resulting in the theft of 500 gigabytes of private repositories.

To mitigate these risks, employing multi-factor authentication (MFA) and Git commit signing can add layers of security. MFA requires a token or one-time password (OTP) alongside a username and password, while commit signing uses a public-private key pair to verify the identity of the developer making the source code changes.

As discussed, these issues persist through to the build servers and cloud infrastructure. Problems can arise if build servers or cloud environments are compromised, as seen in the Webmin incident in 2019. This shows that backdoors can be introduced over long periods, potentially affecting software integrity.

Conclusion

In summary, understanding the software supply chain involves recognizing the various components, their interdependencies, and the security risks that can arise at each point. In the subsequent articles of this series, we will delve deeper into how to secure the software supply chain significantly.

Keywords

• Software Supply Chain
• Security Risks
• Microservices
• Azure Repos
• Visual Studio Code
• Dependency Vulnerability
• Multi-Factor Authentication
• Git Commit Signing
• Malware

FAQ

Q1: What is the software supply chain?
A1: The software supply chain encompasses all the components and processes involved in software development, from coding to deployment.

Q2: Why is the software supply chain important?
A2: Understanding the software supply chain is crucial for identifying potential security vulnerabilities that could lead to compromises in software integrity.

Q3: What are some common security risks in the software supply chain?
A3: Common risks include compromised development tools, vulnerabilities in third-party libraries, and unauthorized access to source code repositories.

Q4: How can I secure my software supply chain?
A4: Measures include utilizing multi-factor authentication, signing commits with public-private key pairs, and regularly auditing dependencies for vulnerabilities.

Q5: What should I be cautious about when using third-party libraries?
A5: Be aware that using third-party libraries implicitly trusts their supply chains, and any compromise could impact your own software. Always verify the integrity and security of dependencies.