What is the Software Supply Chain | AppSec 101

Introduction

Introduction

Hello everyone and welcome to another episode of AppSec 101. My name is Andrew Garrett and I am pleased to be joined today by Diogo Rispoli. Diogo is the Fortify Chief Architect for North America. It’s nice to have you on again, Diogo.

"Thank you so much for inviting me, Andrew. It's always a pleasure to talk about topics in AppSec."

Understanding the Software Supply Chain

To set the stage, Diogo, could you give our viewers a brief explanation of what is the software supply chain?

"Of course, Andrew. The software supply chain consists of pieces of software, often third-party, that developers integrate into their software development process. These components help expedite development, making life easier by reusing code built by others, such as non-profit organizations, companies, or individual contributors."

So, essentially, it makes developing software easier by using existing components rather than building everything from the ground up?

"Exactly. It also speeds up the process, allowing for quicker releases."

Security Implications of the Software Supply Chain

What are some aspects that may affect the security or integrity of the software supply chain?

"Several factors can affect security. Some open-source projects have multiple contributors, which means issues can be introduced. Organizations or individuals might lack the skills, knowledge, or time to fully investigate all security concerns. Consequently, vulnerabilities might slip through. Moreover, malicious entities might exploit these collaborative environments to introduce harmful code."

I recently saw a statistic stating that up to 98% of applications contain open-source components. When you hear that statistic, what does it imply?

"It means that open-source software is widely used, which is a good thing because of its collaborative nature. However, it also implies that we are heavily relying on these components and assuming they are secure, which is not always true."

Mitigating Risks in the Software Supply Chain

Given the widespread use of open source, developers have to stay vigilant. But what are some proactive steps developers can take to mitigate risks?

"Developers can automate checks for known vulnerabilities during the build and deployment process. Tools like GitHub Actions can trigger free analyses on projects to identify issues. The key is to incorporate these automated checks into your development pipeline, preventing vulnerable libraries from reaching production."

What are some other best practices developers should follow?

"Trust but verify. Continuously perform checks using automated tools. Maintain internal repositories of verified libraries and stay updated with vulnerability databases like CVE. Organizations should also develop policies to regularly reevaluate these components."

Fortify Solutions for Software Supply Chain Security

Could you discuss some of the tools Fortify offers to help with software composition analysis and open-source security?

"Certainly. Fortify has a strategic partnership with Sonatype and recently acquired Debricked. These tools help automate checks and integrate seamlessly into your build pipeline. Fortify Secure Center or the Fortify Dashboard provides a unified view of your security findings, presenting a single pane of glass for all your security needs. This includes integrations that bring security insights directly into developers' IDEs."

Conclusion

In closing, Diogo, thank you for sharing your expertise today.

"Thank you for having me, Andrew. It’s always a pleasure."

To our viewers, don't forget to subscribe to Fortify Unplugged for the latest updates in AppSec and Fortify-related content.

Keywords

• Software Supply Chain
• Open Source Software
• Software Security
• Vulnerability Management
• Fortify Tools
• Debricked
• Sonatype
• Automated Checks
• GitHub Actions

FAQ

Q: What is the software supply chain?
A: The software supply chain comprises third-party software components that developers integrate into their projects to expedite development.

Q: Why is security in the software supply chain important?
A: Open-source projects can introduce vulnerabilities either due to oversight or malicious intent, making it crucial to ensure their security.

Q: What are some proactive steps to secure the software supply chain?
A: Implementing automated security checks in the development pipeline and continuously verifying the integrity of open-source components are key steps.

Q: What tools does Fortify offer for software supply chain security?
A: Fortify offers tools like Sonatype and Debricked which help automate vulnerability checks and integrations from the Fortify Dashboard for a consolidated view of security findings.