Software supply chain attacks, such as SolarWinds and NotPetya, have been in the news for the past few years. In such attacks, an attacker compromises a vendor's source code, build system or update channel, and the tainted software is delivered to the vendor's customers as a trusted product.
The chances of an organization being hit by one of these attacks have risen sharply: software supply chain attacks increased 430% in 2020 and 650% in 2021, according to Sonatype Inc.
To mitigate software supply chain attacks, and the compromise and bad publicity that follow one, apply source code security best practices both to code written by internal developers and to code acquired from third parties.
1. Acquire secure external source code
Verify the legitimacy of all source code acquired from third parties, whether it is for internal use or you plan to bundle it with products or services. Download source code only from authoritative websites and use integrity verification measures, such as verifying cryptographic hashes against the values the vendor publishes. Where the vendor signs its releases, verify the signature as well: a hash posted on the same site as the download only detects corruption or tampering in transit, not a compromise of the site itself. Rely on automation to avoid human error, such as mistyping a URL or forgetting to compare hash values, and pin the expected hashes in your own build configuration so that a changed upstream artifact fails the build instead of being silently accepted.
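As an added example (not from the article), the following Python script checks downloaded archives against a sha256sum-style manifest, whose format, one "<hex digest>  <file name>" entry per line, is assumed. It fails closed on a mismatch or a missing file, rejects manifest entries that carry a path, and reports files the manifest does not cover. The file names and contents built in demo() are constructed for the demonstration.

```python
"""Verify acquired source archives against a SHA-256 checksum manifest.

Added example, not code from the original article. Assumes the common
sha256sum manifest format: "<hex digest>  <filename>" per line.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large archives are not read into memory at once


def parse_manifest(text):
    """Parse "<hex>  <name>" lines into {name: hex}. Blank lines and '#' comments are skipped."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode in sha256sum
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno} has no valid SHA-256 digest: {raw!r}")
        # Refuse entries that could point outside the download directory (e.g. ../etc/passwd)
        if os.path.basename(name) != name:
            raise ValueError(f"manifest line {lineno} carries a path, not a file name: {name!r}")
        expected[name] = digest
    return expected


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory, manifest_text):
    """Return (ok, report). ok is True only if every manifest entry exists and matches.

    Files present but not listed in the manifest are reported as 'unlisted'; they do not
    fail verification here, but a build should normally refuse to use them.
    """
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
            continue
        # compare_digest avoids timing leaks; a habit worth keeping for every digest comparison
        if hmac.compare_digest(sha256_file(path), digest):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    for name in sorted(os.listdir(directory)):
        if name not in expected:
            report["unlisted"].append(name)
    ok = not report["mismatch"] and not report["missing"]
    return ok, report


def demo():
    """Constructed download directory: one intact file, one tampered file, one never downloaded."""
    d = tempfile.mkdtemp()
    good = b"good archive bytes"
    with open(os.path.join(d, "libfoo-1.0.tar.gz"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "libbar-2.1.tar.gz"), "wb") as f:
        f.write(b"tampered archive bytes")
    manifest = "\n".join([
        f"{hashlib.sha256(good).hexdigest()}  libfoo-1.0.tar.gz",
        f"{hashlib.sha256(b'original libbar bytes').hexdigest()}  libbar-2.1.tar.gz",
        f"{hashlib.sha256(b'never downloaded').hexdigest()}  libbaz-3.0.tar.gz",
    ])
    return verify_directory(d, manifest)


if __name__ == "__main__":
    ok, report = demo()
    print("VERIFIED" if ok else "FAILED", report)
```

Keep the manifest (or the digests) in your own repository rather than re-fetching it on every build, so the check compares against what you reviewed and not against whatever the site currently serves; when the vendor signs releases, verify the signature on the manifest before trusting the digests in it.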
2. Protect source code access and storage
Store source code in well-secured code repositories. Grant people, applications and services only the permissions they need, and scrutinize most closely any permission that allows source code changes. Require every identity with write access, human or automated, to authenticate, and configure repositories to keep audit logs of all edits so that an unexpected change can be traced to the account that made it. Require developers to store all third-party source code in those same repositories, so that acquired code is subject to the same access controls, logging and scanning as code written in-house.
3. Analyze the source code
Whether you write or acquire your source code, use static analysis tools to scan it for vulnerabilities and for malicious code (hidden payloads, obfuscated code, unexpected network or credential access). Don't scan only once at acquisition: analyzers gain new rules and vulnerability data over time, and the code changes with every commit, so scan frequently, ideally on every change or continuously. The tools can do most of the work, but people must review and investigate what the tools find, confirming real findings and tuning away false positives so that the alerts keep being read. Make sure your incident response plans and processes are prepared for the discovery of malicious code: which builds and releases it reached, how to contain it, and who must be notified.
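To make concrete what a static analysis rule set does, here is an added example (not from the article, and not a replacement for a real analyzer such as Semgrep, Bandit or CodeQL): a small pattern-based scanner in Python. The rule identifiers, severities and the two sample vendor files are constructed. The "hidden payload" rule matches the pattern of decoding a blob and executing it, which a reviewer should treat as a possible malicious-code finding rather than an ordinary bug, and the example shows how a more specific rule suppresses a generic one to keep findings readable.

```python
"""Minimal pattern-based static scan, illustrating the shape of a SAST rule set.

Added example, not code from the original article. Rule IDs, severities and
the sample files are constructed for illustration.
"""
import re
from collections import Counter

# (rule id, compiled pattern, severity, why it matters)
RULES = [
    ("EXEC-DECODED",
     re.compile(r"\b(exec|eval)\s*\(\s*(base64\.b64decode|bytes\.fromhex|codecs\.decode)"),
     "critical", "code executed straight after decoding a blob: the classic hidden payload"),
    ("EXEC-DYNAMIC", re.compile(r"\b(exec|eval)\s*\("), "high", "dynamic code execution"),
    ("SHELL-TRUE", re.compile(r"\bshell\s*=\s*True\b"), "high", "subprocess with shell=True: injection risk"),
    ("HARDCODED-SECRET",
     re.compile(r"""(?i)\b(password|secret|api[_-]?key|token)\s*=\s*['"][^'"]{8,}['"]"""),
     "medium", "credential embedded in source"),
    ("PICKLE-LOAD", re.compile(r"\bpickle\.loads?\("), "medium", "deserializing untrusted data"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def scan_source(path, text):
    """Return findings for one file, most severe first.

    Comment lines are skipped (they cannot execute), and the specific EXEC-DECODED rule
    suppresses the generic EXEC-DYNAMIC rule on the same line so one problem is one finding.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        hits = [r for r in RULES if r[1].search(line)]
        if any(r[0] == "EXEC-DECODED" for r in hits):
            hits = [r for r in hits if r[0] != "EXEC-DYNAMIC"]
        for rule_id, _pattern, severity, why in hits:
            findings.append({"file": path, "line": lineno, "rule": rule_id,
                             "severity": severity, "why": why, "code": stripped})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["line"]))
    return findings


def scan_tree(files):
    """files: {path: source text}. Returns (findings sorted for triage, counts per severity)."""
    all_findings = []
    for path, text in files.items():
        all_findings.extend(scan_source(path, text))
    all_findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["file"], f["line"]))
    return all_findings, Counter(f["severity"] for f in all_findings)


# Constructed sample files standing in for a newly acquired third-party package.
SAMPLE_FILES = {
    "vendor/util.py": "\n".join([
        "import base64, subprocess",
        "API_KEY = 'sk_live_0123456789abcdef'",
        "def run(cmd):",
        "    return subprocess.run(cmd, shell=True)",
        "# eval('debug')  -- commented out, must not fire",
    ]),
    "vendor/setup_hook.py": "\n".join([
        "import base64",
        "_p = 'aW1wb3J0IG9z'",
        "exec(base64.b64decode(_p))",
    ]),
}


if __name__ == "__main__":
    findings, counts = scan_tree(SAMPLE_FILES)
    for f in findings:
        print(f"{f['severity']:8} {f['file']}:{f['line']} {f['rule']}: {f['code']}")
    print(dict(counts))
```

Findings come back sorted by severity so that a reviewer starts with the decode-and-execute hit in the install hook, which is the one that warrants the incident response process rather than a bug ticket. Run the scan from the repository's continuous integration on every change, not only when the package is first brought in.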
4. Identify source code components
The security and software development communities increasingly recognize the importance of knowing exactly which components (libraries, frameworks, build tools) are in the software a company uses and acquires. Watch for announcements of new vulnerabilities in those components: a team that already holds the inventory can tell quickly whether it is exposed and where, instead of first having to discover what it runs, which is what lets it mitigate new threats faster.
Source code is increasingly accompanied by a software bill of materials (SBOM), a machine-readable list of its components and their versions. Where no SBOM is supplied, software composition analysis (SCA) tools can inventory the third-party components in use from dependency manifests and package metadata, and many of them match that inventory against vulnerability databases automatically.
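The following added example (not from the article) shows the mechanics of matching an SBOM against a vulnerability feed in Python. The CycloneDX document and the advisory feed are constructed: the component names, versions and advisory identifiers are fictitious and describe no real vulnerability. It assumes advisories carry an ecosystem, a package name and version ranges with an inclusive "introduced" bound and an exclusive "fixed" bound, which is how the OSV schema expresses them.

```python
"""Match components from a CycloneDX SBOM against a vulnerability feed.

Added example, not code from the original article. The SBOM and advisories
are constructed; names, versions and advisory IDs are fictitious.
"""
import json
import re

# Constructed CycloneDX 1.4 document, in the shape an SBOM generator emits.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "examplehttp", "version": "2.3.1",
         "purl": "pkg:pypi/examplehttp@2.3.1"},
        {"type": "library", "name": "examplehttp", "version": "1.9.0",
         "purl": "pkg:pypi/examplehttp@1.9.0"},
        {"type": "library", "name": "yamlish", "version": "0.4.7",
         "purl": "pkg:npm/yamlish@0.4.7"},
        {"type": "library", "name": "fastjsonish", "version": "5.0.0",
         "purl": "pkg:maven/org.example/fastjsonish@5.0.0"},
    ],
})

# Constructed advisory feed (fictitious IDs). "introduced" is inclusive, "fixed" exclusive.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "pypi", "package": "examplehttp",
     "ranges": [{"introduced": "0", "fixed": "2.0.0"}], "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "npm", "package": "yamlish",
     "ranges": [{"introduced": "0.4.0", "fixed": "0.4.8"}], "severity": "critical"},
    {"id": "EXAMPLE-ADV-0003", "ecosystem": "maven", "package": "org.example/fastjsonish",
     "ranges": [{"introduced": "4.0.0", "fixed": "4.2.1"}], "severity": "high"},
]


def parse_purl(purl):
    """Split a package URL into (ecosystem, package name, version).

    The name keeps its namespace segment, e.g. "org.example/fastjsonish" for Maven;
    qualifiers (?...) and subpaths (#...) after the version are ignored.
    """
    m = re.fullmatch(r"pkg:([^/]+)/(.+)@([^@?#]+)(?:[?#].*)?", purl)
    if not m:
        raise ValueError(f"unrecognised purl: {purl}")
    return m.group(1), m.group(2), m.group(3)


def version_key(v):
    """Turn '1.10.2' into (1, 10, 2) so comparison is numeric rather than lexical ('1.10' > '1.9')."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version, ranges):
    """True if version falls inside any [introduced, fixed) range; a range with no 'fixed' is open-ended."""
    v = version_key(version)
    for r in ranges:
        lo = version_key(r["introduced"])
        hi = version_key(r["fixed"]) if "fixed" in r else None
        if v >= lo and (hi is None or v < hi):
            return True
    return False


def load_components(sbom_json):
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [parse_purl(c["purl"]) for c in doc.get("components", []) if "purl" in c]


def match(sbom_json, advisories):
    """Return (advisory id, component purl, severity) for every affected component, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    index = {}
    for adv in advisories:
        index.setdefault((adv["ecosystem"], adv["package"]), []).append(adv)
    hits = []
    for eco, name, ver in load_components(sbom_json):
        for adv in index.get((eco, name), []):
            if is_affected(ver, adv["ranges"]):
                hits.append((adv["id"], f"pkg:{eco}/{name}@{ver}", adv["severity"]))
    hits.sort(key=lambda h: (order[h[2]], h[0]))
    return hits


if __name__ == "__main__":
    for adv_id, component, severity in match(SBOM_JSON, ADVISORIES):
        print(f"{severity:8} {adv_id}  {component}")
```

Two details matter in practice. The version comparison here is numeric per dotted segment; real ecosystems have their own ordering rules (PEP 440 for Python, semver pre-release tags for npm, Maven qualifiers), so production tooling uses ecosystem-specific comparators. And the match has to be rerun whenever the feed changes, not only when the SBOM does, because the point of the inventory is to answer the question the day a new advisory is published.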
This was last published in May 2022