Mind the Gap: How to Bridge the Remaining Voids in Software Supply Chain Security | Insights from Industry Experts

Written by RAD Security | Jul 5, 2024 9:59:33 PM

Imagine a world where a single line of code could compromise the supply chain security of thousands of organizations worldwide. This isn't the plot of a sci-fi thriller—it's the reality of today's digital landscape.

In a recent webinar, RAD Security took a deep dive into this pressing issue with two veterans of the cybersecurity world: Jimmy Mesta, co-founder and CTO of RAD Security, and Chris Hughes, president and co-founder of Aquia.

Our discussion explored the hidden vulnerabilities of software supply chain security, revealing the invisible threats embedded in the code that powers our digital lives. What Mesta and Hughes uncovered was both alarming and hopeful. The threats are real and growing, but so are our capabilities to combat them.

As you listen in, prepare to have your understanding of software supply chain security challenged and expanded.

Whether you're new to securing cloud-native environments or a seasoned professional, the insights shared from our conversation may make you rethink your approach to cybersecurity.

The Rise of Software Supply Chain Attacks

Our discussion kicked off with a sobering look at the recent surge in software supply chain attacks. The SolarWinds hack of 2020 served as a wake-up call for many, highlighting the vulnerabilities in our interconnected software ecosystems. Despite that wake-up call, attacks have continued to breach the software supply chain. 

Attackers have become equal opportunists, Hughes noted. They're targeting commercial software, open-source components—anything that can give them a foothold in thousands of systems at once.

This shift in strategy makes sense from an attacker's perspective. Why struggle to breach individual organizations when you can compromise a single software supplier and potentially affect thousands of downstream users?

“Most customers and consumers simply aren't in a position to understand all the vulnerabilities and risks, and many aren't security experts, you know, they don't work in this field like you or I,” Hughes said. “They're simply using these products. So they're relying on suppliers to do the right thing and put the right practices and governance and guardrails in place.”

It's a reminder of the responsibility that software providers bear in securing their own systems, and those of their entire user base.

Regulatory Landscape and Best Practices

As the digital dust from these attacks settles, governments are scrambling to erect strong defenses. 

Mesta and Hughes discussed recent efforts like the Cybersecurity Executive Order and various agency guidelines aimed at improving software supply chain security. 

While these initiatives are a step in the right direction, Hughes highlighted an interesting paradox: we're “best practices rich but implementation poor.”

In other words, there's no shortage of guidance on what organizations should be doing, but putting these practices into action remains a significant challenge.

We can't wait years to solve this, Mesta noted.

“How do we unwind this problem and deconstruct it in a way where you could actually put the onus on the software supplier in a meaningful amount of time?” Mesta said. “We don't have ten years, right?”

But therein lies the dilemma: how do we secure our software without stifling the very innovation that drives our digital world forward? It's a complex issue that requires careful consideration of software liability and what constitutes "secure enough" development practices. 

Move too slowly, and we leave ourselves vulnerable. 

Move too quickly, and we risk slowing technological progress. 

The solution, it seems, lies not in choosing one over the other, but in finding a way to do both.

A Practical Approach to Supply Chain Security: Crawl, Walk, Run

In the face of this challenge to software supply chain security, Mesta offered a methodical solution to building our defenses. 

Start with the basics, he advised. Software Bills of Materials, vulnerability management—these are your foundation.

From there, the path leads to more advanced techniques: image signing, admission control, and ultimately the bleeding edge of security technology.

It's a journey from crawling to walking to running, each step building on the last. In practice, it might look something like this:

  1. Crawl: Start with basic measures like implementing Software Bills of Materials (SBOMs) and fundamental vulnerability management.
  2. Walk: Move towards more advanced practices like image signing and admission control.
  3. Run: Implement cutting-edge techniques like runtime signatures and verifiable workload fingerprints.

The Future of Defense: Cloud-Native Workload Fingerprints

As our conversation reached its end, Mesta unveiled RAD Security's groundbreaking work on cloud-native workload fingerprints.

Picture a world where every piece of software has a unique, verifiable signature of its behavior. Any deviation from this signature—any unexpected process, any suspicious network connection—would trigger alarms instantly.

“What if you could have a world where the folks at SolarWinds had this fingerprint and said, this is how our software works, right?” Mesta said. “Yeah. It's complex. Yeah, it makes some internet calls. It does these certain things. But this is what we have approved. And then the minute somebody runs it and it starts to deviate wildly from that pre-approved, verified runtime state, then let's just stop that execution process.”

The idea is to create a verifiable baseline of how software should behave at runtime. Any deviations from this approved state could then be automatically flagged or blocked, potentially stopping attacks before they can cause damage. It's a promising approach that could help us move beyond the reactive "whack-a-mole" game that characterizes much of current cybersecurity practice.
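The baseline-and-deviation idea described above, and the "run" step of the crawl/walk/run list, as an added toy example that is not RAD Security's code and does not reflect how its product works: an approved run's process executions and outbound connections are normalized into a canonical set, hashed into a fingerprint, and a later run is checked against that baseline. The event shapes, the hostname api.example.com and the 203.0.113.9 address are constructed placeholders, not output from any real sensor.

```python
import hashlib
import json

# Constructed sample events, shaped like what a runtime sensor might report.
# They are illustrative only, not real captured data.
APPROVED_RUN = [
    {"type": "exec", "argv": ["/usr/bin/app", "--serve"]},
    {"type": "exec", "argv": ["/bin/sh", "-c", "cat /etc/hostname"]},
    {"type": "connect", "dst": "api.example.com", "port": 443},
    {"type": "connect", "dst": "api.example.com", "port": 443},  # repeat, collapses
]

SUSPECT_RUN = [
    {"type": "exec", "argv": ["/usr/bin/app", "--serve"]},
    {"type": "connect", "dst": "api.example.com", "port": 443},
    {"type": "exec", "argv": ["/usr/bin/curl", "http://203.0.113.9/update"]},
    {"type": "connect", "dst": "203.0.113.9", "port": 80},
]


def normalize(event):
    """Reduce a raw event to the canonical key the fingerprint tracks.

    Only fields describing *what* the workload did are kept; pids, timestamps
    and other per-run noise are dropped so that repeated runs of the same
    software yield the same key set.
    """
    if event["type"] == "exec":
        return ("exec", " ".join(event["argv"]))
    if event["type"] == "connect":
        return ("connect", event["dst"], int(event["port"]))
    raise ValueError(f"unknown event type: {event['type']!r}")


def build_baseline(events):
    """Set of behaviors observed during an approved run."""
    return frozenset(normalize(e) for e in events)


def fingerprint(baseline):
    """SHA-256 over a canonical JSON encoding of the baseline.

    Sorting makes the digest independent of observation order, so the same
    approved behavior always produces the same fingerprint.
    """
    canonical = json.dumps(sorted(baseline), separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_baseline(baseline, expected_fingerprint):
    """True if a stored baseline still matches its published fingerprint."""
    return fingerprint(baseline) == expected_fingerprint


def deviations(baseline, observed_events):
    """Behaviors seen at runtime that are absent from the approved baseline.

    Returned in first-seen order without duplicates, ready to be logged or to
    drive an enforcement decision.
    """
    seen = set()
    out = []
    for key in (normalize(e) for e in observed_events):
        if key not in baseline and key not in seen:
            seen.add(key)
            out.append(key)
    return out


def decide(baseline, observed_events):
    """'allow' when the run stays within the baseline, otherwise 'block'."""
    return "block" if deviations(baseline, observed_events) else "allow"


if __name__ == "__main__":
    base = build_baseline(APPROVED_RUN)
    print("approved fingerprint:", fingerprint(base))
    print("approved run ->", decide(base, APPROVED_RUN))
    print("suspect run  ->", decide(base, SUSPECT_RUN))
    for d in deviations(base, SUSPECT_RUN):
        print("  deviation:", d)
```

The normalization step is where the real design work lives: it decides which details count as "the same behavior" and which are noise. This toy treats any new command line or destination as a deviation, so legitimate variation (a resolver returning a different IP for the same hostname, a changing argument) would also trip it; a production baseline needs an explicit allowed-variation model, and the fingerprint itself should be distributed in a way the consumer can verify independently of the workload being checked.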

It's a future where we're no longer playing catch-up with cybercriminals, but staying one step ahead.

Looking Ahead

As our discussion drew to a close, the message from both Mesta and Hughes was clear: the methodologies that have served us in the past are no longer sufficient for addressing the evolving challenges in software supply chain security.

But with challenge comes opportunity. The innovations discussed in our webinar—from regulatory frameworks to cutting-edge technologies—offer a path forward. It's a path that requires collaboration, creativity, and a willingness to rethink our approach to security from the ground up.

The software supply chain is the invisible backbone of our digital world. Securing it is more than a technology issue—it's a mission critical to the future of our digital society. As we face this challenge, one thing is certain: the solutions we develop today will shape the digital landscape of tomorrow.

The battle for software supply chain security is on. Are you ready to join the fight?