AcademyManaging Supply Chain Risks in CI/CD Pipelines

Managing Supply Chain Risks in CI/CD Pipelines

Software dependency security risks are an important consideration for modern applications and services, many of which use open-source components. Any software product using open-source components is reliant on third-parties to build software free of weaknesses or malware. The open-source community relies on its own trust model, with its users building external libraries into their source code and being responsible for their integrity and security.

Wiz Experts Team

Many open-source developers lack the resources to properly verify their code, and the associated risks are inherited by any user of that code. There have been several well-publicized instances of malicious actors pushing modified code into common libraries, in the hope that those libraries will be adopted by projects with weak controls. Organizations must be responsive to these types of attack and ensure robust dependency management.

What SolarWinds taught us

The SolarWinds hack is the best-known example of a supply chain breach. A group of hackers, identified as Nobelium, inserted malicious code into the SolarWinds Orion system, creating a backdoor the hackers could use to impersonate privileged accounts inside the organizations using the Orion product. This also permitted access to system files and other digital assets and proved difficult to detect because the traffic generated appeared as legitimate SolarWinds activity.

SolarWinds was an attractive target for supply chain attacks because their customers include large global companies and government agencies, and the nature of the software requires privileged accounts and broad access. A single compromise of code could, and did, result in breaches of countless systems belonging to thousands of customers. And SolarWinds customers were not the only ones affected. Once the compromise exposed Orion users, the same backdoor could be used to access the networks and data of downstream customers and partner organizations, allowing the blast radius to expand exponentially.

This breach demonstrates the risks of poor CI/CD security. Malicious actors gained access to the SolarWinds development environment and inserted malicious code into an update. That malicious code was accepted, digitally signed by the company and pushed out to customers. This breach shines a light on the advantages of shift left security practices and the importance of securing the software supply chain.

Supply Chain Risks in Development Environments

A supply chain attack happens when a threat actor compromises a software product before that product is distributed to customers. That compromised software then compromises customer systems, allowing access to systems, data, and other digital assets. The vulnerabilities may take several forms:

  • Malicious code added by an attacker may compromise a software product from the outset, or via an update. Malicious code exploits common system vulnerabilities, and may take the form of a virus, backdoor, worm, trojan, or script. Malicious code may be introduced via compromise of developer IDE by email attachments, browser plugins, suspicious links and other active content and other sources. Once introduced, malicious code may access data, compromise systems, create nuisance, or hold digital assets to ransom.

  • Use of insecure/malicious dependencies can result in vulnerabilities being introduced via open-source code. A threat actor inserts malicious code into code available on third-party repositories, which unsuspecting developers then add to their own code to perform specific functions. The malicious code typically contains the original function, plus the introduced exploit. The code behaving superficially as the developer expects reduces the likelihood of the malicious code being detected. Developers of proprietary code can also be impacted by open-source code compromises, because developers routinely leverage blocks of open-source code in their products to save time and effort.

  • Vulnerabilities introduced by poor coding practices include privacy violations, insecure storage, insecure transport, insecure deployment, poor logging, and exposed secrets. The majority of vulnerabilities introduced by poor development practices stem from a small number of common programming errors resulting in flaws in logic, bugs, and defects. Despite knowing they exist, these same errors persist, and it is time that software development became secure software development. Properly implemented security throughout the lifecycle can minimize the frequency and impact of such vulnerabilities.

The potential for threats to emerge at any stage in the software development lifecycle makes the ability to detect and mitigate vulnerabilities essential to successful and secure application development that safeguards the organization, and its customers.

Managing Supply Chain Security Threats

Keeping your application development secure means performing vulnerability scanning throughout development and the application lifecycle, from the developer’s workstation, through the CI/CD deployment mechanisms, through to production workloads and finished software products.

Provide developers with the tools they need with Wiz. Give developers visibility of their applications and supporting infrastructure with pre-built integrations and customizable automation to route issues to the right remediation team. Single-policy framework integration extends to the CI/CD pipeline to prevent vulnerabilities in development becoming issues in deployment.

Wiz provides deep analysis to detect sophisticated and hidden risks quickly, as well as discovering complex chains of exposure and lateral movements in attack paths to protect digital assets. Scan at runtime to identify vulnerable and non-compliant artifacts, whether active or not.

Continuous monitoring for vulnerabilities, exposed secrets, and malware as well as enforcement of secure configurations mitigates threats to the software development lifecycle. Using a comprehensive engine that integrates Cloud Infrastructure Entitlement Management (CIEM), Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWPP), Infrastructure-as-Code (IaC) scanning, and Kubernetes Security Posture Management (KSPM), means comprehensive scanning, detection, analysis and mitigation. With an agentless configuration that means no impact to performance or velocity.

Continue Reading

Why Cloud-Native Applications Need Cloud-Native Protection

As the adoption of cloud-based services continues with no sign of slowing down, organizations are finding that the deployment of cloud infrastructure creates unique security challenges.

Container security: best practices for vulnerability management

Containerization has become popular with organizations worldwide thanks to the simplicity of the approach, as well as its development efficiencies and quick deployment times. While the development community embraces containerization to help them get solutions to market more quickly, security teams are concerned with the integrity of the deployment mechanism, and the overall risk profile.

What is a Cloud Access Security Broker (CASB)?

CASBs play a critical role in providing visibility into how businesses use the cloud. They enforce security and governance rules to mitigate the risk that cloud services or SaaS apps could become weak links in an organization’s security posture. Without a CASB, you may not know which applications, services, and data your business has exposed in cloud environments. How would you know if those resources are secure if you don’t know they exist?

What is SOC 2 compliance?

Whether you offer Software-as-a-Service (SaaS) apps to customers, use SaaS apps yourself, or both, you need to be familiar with SOC 2 compliance. SOC 2 compliance rules provide a foundation for ensuring that sensitive data is managed in a secure way within the context of SaaS and other cloud-based services.

What is Cloud Security Posture Management (CSPM)?

In modern cloud environments, security monitoring and periodic audits won’t suffice for detecting threats before they turn into breaches. Instead, to achieve an environment that is as secure as possible, you need Cloud Security Posture Management, or CSPM. CSPM lays the foundation for minimizing the number of risks that exist within your clouds. CSPM tools help to automate cloud security, keeping cloud environments secure even as they grow larger and more complex.