Let's Code: Delivering a Secure Software Supply Chain (Part 1)

Introduction

Welcome to IBM Expert TV’s "Let's Code" series! In this episode, aired on May 5th, 2022, we were joined by Steve Weaver and Peter Clank from our DevOps team. This episode is the first part of a two-part series focusing on the topic of delivering a secure software supply chain. Today, we will explore the security challenges in software delivery, discuss how IBM is addressing these challenges, and provide insights into the DevSecOps processes involved.

Understanding the Security Challenges

Security remains a paramount concern in software development. Addressing vulnerabilities after software has been deployed can be quite costly. Surprisingly, many enterprises do not remediate known vulnerabilities before releasing their applications. This oversight highlights a significant tension between the need for security and the desire for rapid deployment.

The historical context of this debate harks back to the tension between quality and velocity in software production. In the past, the resolution revolved around concepts such as “shift left” testing—introducing unit and integration tests earlier in the development cycle. Today, we aim to apply the same strategy to security by detecting and remediating vulnerabilities early in the software development lifecycle.

However, ensuring a secure software supply chain encompasses more than just early detection and remediation. It involves ongoing vigilance at every stage of the development process.

The Complexity of Software Supply Chains

The software supply chain is fraught with potential vulnerabilities. There are numerous touchpoints, shown in the SLSA (Supply Chain Levels for Software Artifacts) diagram, where security can be compromised. Each step—from code check-ins to code reviews, build processes, and beyond—requires rigorous scrutiny and security measures to ensure that the end product is resilient against threats.

Conclusion and Upcoming Discussions

In this episode, we have laid the groundwork for understanding the critical nature of software security and the complexities involved in securing the software supply chain. Steve will provide a demonstration of tools and example tool chains that illustrate the initial phases of establishing a secure software supply chain and implementing our DevSecOps process. In next week's episode, we will delve deeper into specific areas discussed today, equipping you with detailed strategies and tools to enhance your organization’s security posture.


Keywords

  • Software Supply Chain
  • Security Vulnerabilities
  • DevSecOps
  • Shift Left Testing
  • Code Reviews
  • SLSA (Supply Chain Levels for Software Artifacts)
  • Remediation
  • Cost of Security

FAQ

1. What is a secure software supply chain?
A secure software supply chain refers to the processes and measures taken to ensure that all components of software—from development through deployment—are protected against vulnerabilities and threats.

2. Why is addressing vulnerabilities in production expensive?
Addressing vulnerabilities in production can incur significant costs due to potential downtime, the need for emergency fixes, potential loss of customer trust, and compliance issues.

3. What does “shift left” mean in the context of software development?
"Shift left" is a strategy that emphasizes incorporating testing and quality checks earlier in the software development lifecycle to identify and remediate issues before they reach production.

4. What role does DevSecOps play in a secure software supply chain?
DevSecOps integrates security practices into the DevOps process, promoting collaboration among development, security, and operations teams to identify and address security concerns throughout the software development lifecycle.

5. What are the next steps following this episode?
In the next episode, we will explore specific tools and techniques for building a secure software supply chain and delve deeper into the DevSecOps processes introduced in this session.