Home >> Blog – EN >> How to protect yourself from a “Supply Chain Attack”?

How to protect yourself from a “Supply Chain Attack”?

12 April 2023

By Yann Albou.

Broken Chain

What is a Supply Chain Attack, how to best protect yourself and what are the technical solutions for our CI/CD in a DevSecOps approach. In this series of articles we will present the concepts and discuss the aspects close to development, the continuous integration and continuous delivery part, as well as the operational aspects.

Understand and identify the notion of supply chain attack

Historically our security was mainly centered on a perimeter defense with the representation of the wall of a castle. Just as a castle is built to resist external attacks, a company implements security measures to protect its computer network from cyberattacks.

Today the attack vectors are multiplying and not necessarily on the most visible elements.

Attackers can circumvent this wall using a supply chain type attack. They will then seek to break into the network by exploiting vulnerabilities in the software or equipment provided by third-party suppliers. Just as castle attackers seek to find a crack in the wall to break in, attackers seek to exploit a vulnerability in part of the supply chain to break into the corporate network.

Thus, to ensure optimal security, the company must not only strengthen its own wall, but also monitor and secure its entire supply chain, ensuring that its suppliers respect the same standards of security and confidentiality than the company itself.

Broken Chain
We have moved from perimeter security to so-called “zero trust” security: Security applies to all of IT, not just the network but also identity, data, infrastructure, applications , … and the supply chain!

A supply chain attack is a cyberattack that seeks to harm an organization by targeting the least secure elements of the supply chain.

What are the impacts of an attack on the supply chain?

The impacts on the supply chain are of various kinds:

  • Data Breaches and Data Disclosure
  • Installation of malware
  • Financial loss
  • Apps malfunction
  • Resource Consumption

Examples of supply chain attacks

Here are a number of more or less recent examples of this type of attack:

Broken Chain

The Log4J example is interesting: This vulnerability called Log4shell (CVE-2021-44228) is zero-day involving the execution of arbitrary code. It has affected thousands of organizations and continues to do so because 1 year after this vulnerability, 30% of downloads still concerned versions affected by this problem!

The NPM case with the ‘colors’ & ‘faker’ libs is also very interesting because it was the developer who voluntarily introduced bugs and thus impacted thousands of applications. This case is complex to judge because it involves the eternal question of open source and its maintainability, but must raise questions about how to use our dependencies.

Through these few examples, which are multiplying, we see that it is increasingly important, even vital, to protect your software factory and the way in which we deliver our applications.

The target now becomes: Any supplier that relies on third parties to manufacture a product is vulnerable to supply chain attacks

How to effectively protect against this type of attack and what are the best practices related to DevSecOps?

The question is therefore how to protect yourself as much as possible against this type of attack and what are the best practices related to DevSecOps.

In this series of articles we will present some of these best practices with a focus on security in the Software Factory but we will not cover:

  • Security in general: VM’s, workstations, Viruses, …
  • Security in the sense of application code (Threat modeling, etc.)
  • This will not be product specific

This will be a set of non-exhaustive recommendations based on our feedback.

Recommendations based on our feedback

Broken Chain

Most of you already know what CI/CD (Continuous Integration / Continuous Delivery) is and the principles of automation, testability, quality, repeatability of build and deployment,… The purpose of this series of articles is not to describe these principles.
However, we will zoom in on several points of this chain by providing specific recommendations related to security, starting with:

  • The more upstream aspects, i.e. closer to development
  • Then the aspects of continuous integration and continuous delivery
  • And finally tackle the operational aspects

In order to facilitate the application of our recommendations, we have adopted a signage:

Broken Chain

How to protect your CI/CD from a “Supply chain attack”?

It will allow you to indicate:

  • Domain: the scope of the recommendation,
  • Type: the form of the recommendation, between the adoption of a tool, or the adoption of a good practice, or a change at the level of the organization
  • Mitigation: the type of risk mitigation: will we detect it more systematically, or reduce its possibility of occurring, or if inevitable minimize the impact and consequences
  • Effort: the indicative effort to implement it, deliberately vague because it depends on several maturity criteria

With Fabrice Vergnenègre we presented this topic on a 45m format at DevOps-D Day Marseille of which here is the video:

DevOps-D Day Marseille

Further reading

In the next articles we will discuss the different solutions to protect ourselves as much as possible from this type of attack.
In particular, we will address the following topics:

  • Publish your SBOM
  • Regularly update its dependencies!
  • Ensure the immutability of containers
  • Reduce the attack surface of containers
  • Eliminate secrets in containers & repos
  • Regular scanning system
  • Ensure component integrity
  • Isolate Registries & Promote Images
  • Set up GitOps
  • Kubernetes admission policy
  • Set up a strong RBAC
  • Risk observability solution
  • Fortify the Software Factory
  • Conclusion and evolutions of the Supply Chain

This is not an exhaustive list of good practices because they are constantly evolving and new threats emerge regularly.
But all of these themes improve the security of your Software Factory to be part of a DevSecOps approach where the development, operational and security teams work together effectively to make all the actions around the software supply chain.

Leave a Reply

  Edit this page