Wiz
Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

All articles

Software Supply Chain Security Best Practices

In this blog post, we’ll take a deep dive into software supply chains and discuss effective strategies for reducing security risks.

Wiz Experts Team
9 min read

Software supply chains include the processes, tools, and contributors involved in developing applications from conception to production. Each year, software supply chains become increasingly complex as the components that make up the software development life cycle evolve. And as businesses migrate to the cloud and rely more on third-party components, managing and securing the software supply chain becomes even more challenging. 

Each stage of this chain presents specific security threats that pose risks to both applications and businesses. That’s why it’s critical to understand software supply chains and learn how to take proactive measures to secure them. In this blog post, we’ll take a deep dive into software supply chains and discuss effective strategies for reducing security risks. Let’s get started.

wiz blog

How to Protect Your Cloud Environment from Supply Chain Attacks

Learn how to protect your cloud environment from supply chain attacks.

Read more

The components of a software supply chain

As we’ve mentioned, the supply chain is complex and involves myriad components, with each component introducing distinct security challenges. Here are the building blocks of any software supply chain and their associated risks:

  1. Source code: The bedrock of any software, source code is the original code written by developers. It can be either proprietary or open source. A key security concern here is the risk of malicious code injection, which can happen directly to your code or through attacks on open-source projects.

  2. Build tools: These are the utilities used to build code files and compile them. If build tools are compromised, malicious code can be inserted into your software without your knowledge. That’s why ensuring the integrity and security of build tools is a crucial means of protecting your software. 

  3. Software delivery tools: These are tools that help to build, test, and deploy software. Security risks here stem from unauthorized access or misconfigurations, which could lead to the introduction of vulnerabilities or malware in the software. To combat risks, it’s vital to secure these pipelines and maintain stringent access controls.

  4. People: Everyone involved in the software's life cycle can introduce risks, including developers, DevOps engineers, and security engineers. In fact, people on your teams often pose a significant risk through errors, a lack of security awareness, or even malicious intent. Ensuring proper training and adherence to security practices is essential to safeguard the supply chain from this angle.

  5. Processes: These are procedures and practices your organization uses to manage the software supply chain. It's a broad category, encompassing everything from risk management and cybersecurity principles to the practices for evaluating and securing third-party software components. Effective processes are crucial for identifying and mitigating risks across the supply chain.

Each component plays a vital role in your software supply chain, and each presents unique security challenges. Addressing risks requires a comprehensive approach, combining robust security practices, vigilant monitoring, and continuous improvement to adapt to evolving threats and technologies.

wiz blog

Secret-based cloud supply-chain attacks: Case study and lessons for security teams

CI/CD pipelines, as an essential part of the software development process, are an attractive target to malicious actors. Based on our research of cloud environments, we share common misconfigurations and provide tips on how to remediate them in order to prevent supply-chain attacks.

Read more

Common vulnerabilities and threats in the supply chain

Securing the software supply chain is essential for providing products that are safe for end users. The first step is to understand common security issues and potential risks. Keep reading to learn about five key problems to look for.

1. Configuration errors

Misconfigurations can make your cloud resources insecure or cause your containers to run with excessive privileges, ultimately exposing applications to security threats. Traditional monitoring tools may not be sufficient for such dynamic environments, necessitating more specialized approaches to ensure security and prevent incidents.

Configuration errors in containerized applications often arise from insecure container images or misconfigurations in orchestration settings and network controls. Due to the dynamic and transient characteristics of container environments, detecting and managing these errors becomes more complex. 

2. Dependency confusion attacks

Dependency confusion attacks exploit software dependency management systems by mimicking legitimate packages. Attackers create counterfeit packages that mirror the names of private or internal dependencies used in software projects. These malicious packages are then uploaded to public repositories, where they can be mistakenly incorporated into software projects during the build process. Dependency confusion attacks take advantage of the trust placed in dependency management systems and can lead to the inadvertent introduction of malicious code into software applications. 

Such attacks highlight the need for rigorous validation of software dependencies and heightened awareness of this emerging threat vector. 

3. Compromised code development and management tools

Compromised development and management tools present a significant threat to software supply chains. Attackers may target essential components such as code repositories, build servers, and integrated development environments (IDEs) to inject malicious code. This strategy causes developers and/or users to distribute compromised software without knowing it.

The diverse and interconnected nature of CI/CD pipelines, coupled with the fast pace of development, can sometimes lead to security oversights, making it challenging to detect and prevent such compromises.

wiz academy

CI/CD Pipeline Security Best Practices

Continuous integration and continuous delivery (CI/CD) have become the backbone of modern software development, enabling rapid, reliable, and consistent delivery of software products. To bolster your CI/CD pipeline, ensuring resilience against ever-evolving threats, follow the best practices in this guide.

Read more

4. Insecure data transmission and lack of encryption

Inadequate encryption practices can expose sensitive information to unauthorized users. This vulnerability is particularly concerning in cloud environments, and as a result, cloud vendors typically offer advanced encryption tools to protect your data both at rest and in transit. 

However, effectively implementing these encryption mechanisms requires a comprehensive understanding of their appropriate usage. Ensuring data security in the cloud involves managing access controls, maintaining the visibility of resources, and applying additional encryption to safeguard data integrity and confidentiality​.

5. Third-party risks

Third-party risks in the software supply chain arise from dependencies on external vendors and service providers. These risks can manifest in various forms, including vulnerabilities in third-party software or inadequate security practices. 

The use of software-as-a-service (SaaS) CI/CD tools, such as GitLab and CircleCI, introduces additional supply chain security concerns because dependence on these third-party tools can expose organizations to risks if the tools are compromised or contain vulnerabilities. 

In container environments, using unverified container images from public registries can lead to supply chain attacks, underscoring the need for vigilant vetting of third-party components and services.

CI/CD Supply Chain Attack

Hosted by experts Eden Naftali and Amitai Cohen, the Crying Out Cloud podcast provides in-depth coverage of the most important vulnerabilities and incidents from the previous month. Tune in for insightful analysis and expert recommendations to help you safeguard your cloud infrastructure.

Listen now

The consequences of an unsecured software supply chain

As we’ve seen, software supply chain weaknesses can be exploited with severe consequences. These security threats can cause harm to your business and applications in the form of financial losses, reputational damage, and operational disruptions.

Below are just a few real-life examples of companies that faced the consequences of an insecure software supply chain:

  1. Code Spaces: A provider of source code repository hosting and project management services, Code Spaces faced a devastating attack when an intruder gained unauthorized access to its Amazon EC2 control panel. This breach resulted in the loss of data and customer repositories that the company couldn’t recover. The severity of the attack was staggering: Code Spaces ceased operations, highlighting the catastrophic impact that a security breach can have on a business.

  2. DigiNotar: A Dutch certificate authority, DigiNotar suffered a breach in 2011 where an attacker issued hundreds of fraudulent digital certificates for major websites, including Google. This breach compromised the integrity of internet security on a large scale and led to DigiNotar's bankruptcy. The incident underlines the critical nature of security for services that underpin the trust model of the internet.

  3. Gawker Media: While the downfall of Gawker Media cannot be solely attributed to its 2010 security breach, the incident significantly contributed to its challenges. The breach led to the exposure of confidential data, including passwords and users’ personal information. This incident damaged Gawker's reputation and trust among its user base, illustrating how security breaches can exacerbate existing business challenges and contribute to a company's decline.

wiz blog

Streamline Software Bill of Materials (SBOM) Generation with Wiz's Agentless SBOM

Enhance software security and supply chain risk management with Wiz's agentless scanning technology for effortless SBOM creation

Read more

Best practices for securing the supply chain

Now that we’ve seen the consequences of security threats and vulnerabilities, let's delve into best practices that mitigate risks in the following areas:

  1. Secure your containers

  2. Secure the CI/CD pipeline

  3. Cloud vendor security

  4. Additional recommendations

Secure your containers

Without proper container security measures, there’s a higher risk of vulnerabilities, malware, and unauthorized access, which can lead to compromised software, data breaches, and a loss of customer trust. By prioritizing container security, you can protect your software and reputation. Here’s how:

  1. Manage secrets securely: Using a secrets manager such as AWS Secrets Manager is always recommended. Storing credentials and other sensitive data directly in the code or config files is extremely risky.

  2. Secure the container runtime and Kubernetes environment: Create isolated virtual networks for containers, use TLS for service communication, and employ tools like the Docker Image policy plugin to control image pulling. In Kubernetes, enforce TLS, use network policies, and integrate clusters with secrets management systems.

  3. Use thin, short-lived containers: Keep containers lightweight and ephemeral, minimizing components to reduce the attack surface. Regularly update images to address vulnerabilities.

  4. Employ container security tools: Use tools like Wiz for vulnerability scanning, configuration checking, and real-time threat detection and response. 

  5. Prioritize patch management and configuration fixes: Regularly update and patch container runtime tools, applications within containers, and host systems. Continuously check and fix configuration settings to maintain a secure environment.

wiz academy

What is Container Security?

Container security is the process of securing the container pipeline, the content running inside the containers, and the infrastructure on which the containers run.

Read more

A secure CI/CD process

Securing your CI/CD pipelines is crucial due to the threats posed by compromised code development and management tools. Attackers can target critical components (such as code repositories and build servers) to inject malicious code. The complexity of CI/CD environments and the fast pace of development can make it challenging to detect and prevent such compromises. But there are ways to implement robust security measures to protect the integrity and security of your software supply chain:

  1. Automate security scans: Integrate tools like SonarQube or Checkmarx into your CI/CD pipeline for continuous vulnerability detection through static and dynamic analysis. Ensure these scans are triggered after every code commit, and set up immediate notifications so that developers learn about vulnerabilities as soon as they’re flagged.

  2. Implement role-based access control (RBAC): Define roles and responsibilities within your organization and configure RBAC in tools like Jenkins. Regularly audit roles and permissions to ensure they align with the principle of least privilege. With fine-tuned access control policies, you can get peace of mind that your source control tools are not compromised.

  3. Prioritize version control: Use platforms like GitHub or Bitbucket for efficient version control and auditing. Regularly audit commit history and use .gitignore to exclude sensitive files. Implement pre-commit hooks to prevent committing secrets.

  4. Automate testing: Integrate tools like Wiz into CI/CD pipelines for continuous security assessments. Regularly update and refine test cases to ensure they cover current vulnerabilities.

wiz blog

Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access

How IBM Cloud caught us exploring its infrastructure and how a hardcoded secret eventually led to build artifact access and manipulation

Read more

Cloud vendor security

Cloud vendors offer infrastructure, platforms, and software services that are essential for developing, hosting, and distributing software products. That’s why cloud vendor security is a pivotal part of safeguarding the software supply chain.

Inadequate security measures at the cloud-vendor level can lead to vulnerabilities across the supply chain, potentially compromising the integrity, availability, and confidentiality of software products. This can result in breaches, unauthorized access, and data loss, eroding trust with customers and users. Here’s how to achieve robust cloud vendor security:

  1. Implement multi-factor authentication (MFA): A crucial security measure can be achieved by an additional layer of security in the form of MFA. It's especially important that admin accounts defend against phishing and other cyber threats using factors like WebAuthn or YubiKey. 

  2. Leverage the principle of least privilege: Regularly review and update user roles and permissions, ensuring users have only the access they need. This minimizes potential damage from breaches or insider threats to your cloud vendor tools.

  3. Integrate data encryption: Encrypt data both at rest and in transit using strong encryption standards to maintain confidentiality and integrity, and frequently change encryption keys.

  4. Bolster awareness: Hold regular training sessions for your teams that cover security best practices, helping everyone stay informed about the latest threats and mitigation techniques.

wiz academy

Principle of Least Privilege (POLP)

The principle of least privilege (PoLP) is a cybersecurity concept in which users, processes, and devices are granted the minimum access and permissions necessary to perform their tasks

Read more

Additional security practices

We’ve seen how you can secure different elements of your software supply chain, such as containers, but some best practices defy easy categorization. That doesn’t make them any less important, though. Here are three additional security best practices you should follow to secure your software supply chain:

  1. Automate your security workflows: Automating your security response ensures that remediation is executed immediately when security threats and vulnerabilities are detected, reducing your mean time to repair (MTTR).

  2. Integrate observability tools: Given the dynamic nature of containers and other tools that support your application, it's important to implement security monitoring tools that provide granular visibility into your security posture—allowing you to quickly detect anomalous behaviors and respond to incidents.

  3. Regularly audit systems and emphasize incident response planning: Conduct regular audits of your setup and the processes involved in your software supply chain. It’s also a good ideal to have a well-defined incident response plan for potential security incidents and threats. After each audit, update these plans with any new insights.

Conclusion

As we’ve seen, securing the software supply chain is crucial—now more than ever. Software supply chains involve multiple components, each with unique security challenges, and neglecting best practices can lead to severe consequences.

We discussed several effective strategies, such as container security, robust CI/CD processes, and vigilant cloud vendor practices. By implementing these best practices, you can protect your organization against various vulnerabilities, ensuring the integrity and reliability of your software products.

Additionally, by integrating Wiz into your security strategy, you can further safeguard your software supply chain. Wiz offers a variety of supply chain security capabilities, including:

  • Agentless SBOM: Wiz provides agentless visibility into every software component in your environment, including packages, open-source libraries, and their versions. This gives you a complete picture of your software supply chain and helps you identify any potential risks.

  • Supply chain risk identification: Wiz can analyze your cloud environment to detect vulnerabilities, misconfigurations, and exposed secrets in first-party, OSS, or 3rd party components. This helps you to proactively address any security risks in your software supply chain.

  • Security from build to runtime: Wiz can help you to secure your software supply chain from the build to runtime phases. This includes scanning IDEs, code repositories, CI/CD pipelines, and runtime environments.

Secure Every Stage of the SDLC

Learn how Wiz is solving security challenges of Developer and DevSecOps team.

Get a demo

Continue reading

Credential Stuffing Explained

Wiz Experts Team

Credential stuffing is a type of cyberattack where automated tools are used to repeatedly inject stolen username/password combinations into various services to gain access to legitimate users’ accounts in addition to those that were originally breached.

Container Orchestration

Nicolas Ehrman

Container orchestration involves organizing groups of containers that make up an application, managing their deployment, scaling, networking, and their availability to ensure they're running optimally.

Native Azure Security Tools

Wiz Experts Team

This blog explores the significance of security in Azure environments and provides an overview of native as well as third-party security tools available to improve an organization’s Azure security stance.

Cross-site scripting

Wiz Experts Team

Cross-site scripting (XSS) is a vulnerability where hackers insert malicious scripts inside web applications with the aim of executing them in a user’s browser.