3 Critical Best Practices of Software Supply Chain Security
If your organization develops software and applications to deliver products and solutions, then more than likely you’re using third-party open source components to help create them. According to most estimates, open source components now make up over 80 percent of software products.
That means open source is now a critical part of the software supply chain. As such, it’s a prime target for bad actors seeking to infiltrate organizations’ software and applications by exploiting vulnerabilities in the code base. To protect your software and applications from exposure to such vulnerabilities, you need to follow a number of best practices. In this blog post, let’s briefly review the definition of a software supply chain and shine a light on some of the best practices of software supply chain security.
What is the Software Supply Chain?
Similar to the concept of a supply chain for manufacturing physical products, a software supply chain comprises the components, vendors, and technologies that a company uses to produce software. Elements of the software supply chain include:
- Third-party consultants and contractors
- Software components from external vendors used as part of the software project
- Open source components included in a software project
- Tools used by development teams
- Infrastructure used to develop and deliver the software
The software supply chain can be highly complex, typically including hundreds or even thousands of components, multiple teams, and a large number of third parties. Such complexity means that security is integral, requiring visibility, clear policies, and a process that is open to continuous improvement. Below are some of the best practices for software supply chain security.
Best practices: an overview
Managing and securing the frequent software updates, code changes, and the introduction of new code and functionality requires a continuous process that alerts developers and security teams to new vulnerabilities. Key best practices include the following:
- Maintain an inventory of open source components used by your applications with a software bill of materials (SBOM)
- Identify open source licenses and their implications on your organization, using licensing and compliance capabilities
- Shift security left
- Manage dependencies
- Automate remediation of vulnerabilities
Software Bill of Materials (SBOM)
Mapping out the supply chain and understanding which third-party components are present in a company’s software portfolio is critical to rapid detection and remediation of vulnerabilities. To do so, companies must generate a software bill of materials (SBOM), which is a machine-readable list detailing all components and dependencies, and their current versions.
An SBOM provides visibility over security risks and the licenses used by open source components, which may present legal and compliance risks. If necessary, you can share your SBOM with customers or auditors to prove you have vetted your supply chain.
SBOMs are becoming a requirement for many users of enterprise software. Most notably, the US government now requires vendors to provide official SBOMs when selling software to federal agencies.
Licensing and compliance
There are more than 200 different open source licenses available for developers to use, which means that each piece of software comes with its own terms and conditions. Some require attribution. Others are more permissive, and some have no license at all.
In an agile development process, new code is added all the time, and between that and the terms attached to the many pieces of legacy code, it can be difficult to keep a record of all the legal conditions and requirements that your organization must fulfill.
However, failure to do so raises the risk of non-compliance, which can have serious consequences. You may be forced to replace a component, a time-consuming and inconvenient process that slows down software development. Worse, you could be subject to legal infringement claims, which could jeopardize any exclusive ownership you claim over code built with improperly licensed components.
Your development teams could try to track licenses manually, but that’s a painstaking and error-prone process. Ideally, you need a solution that automates this process.
With Mend, it’s all automatic. Whenever you add a new open source component, our solution identifies its license and any licenses attached to any of its dependencies. You can also create your organization’s own license policy by defining a list of automatically approved licenses, a list of automatically rejected licenses, and a list of licenses that need to be approved on a case-by-case basis. All approvals are tracked, signed and archived within Mend’s system for later access.
With your policy now in place, you receive alerts for any potential policy issues as you develop your software, so you are well-informed about them before you decide whether to include components in the software that you’re building. Our solution also automates licensing applications and copyright creation (EULA), so complying with license terms is quick and easy.
Shift security left
Software development used to follow a linear “waterfall” process, similar to a production line in manufacturing, with quality assurance (QA) teams testing developers’ output and sending it back for them to alter code and fix vulnerabilities. Today, organizations use a more agile process, involving cross-functional teams that are jointly responsible for software development and operations throughout its life cycle. As a result, development speed has increased significantly, the time needed to develop software has plummeted, and most organizations release software several times a month, or even multiple times per day.
In agile development, organizations must be able to rapidly test components and deliver software in a way that’s “developer-friendly.” This has encouraged a new working pattern in which responsibility for security and compliance is shifted to the purview of developers — shifted left — in the DevOps pipeline. In practice, it largely means enriching CI/CD processes to detect problematic licenses and vulnerabilities before they reach the main branch or production.
Shifting left has become increasingly popular and significant because it is easier and cheaper to fix issues that are found earlier in the software development lifecycle (SDLC).
Manage dependencies
Modern software uses a large and growing number of dependencies. Enterprise software projects use hundreds of open source components, each of them with hundreds or even thousands of dependencies. A majority of the code base today consists of open source code, which was not written by the organization and which it cannot control.
While open source components can themselves have vulnerabilities, the bigger challenge is their transitive dependencies. A dependency of a dependency, switched without the organization’s knowledge, could present a severe security risk.
To address this problem, organizations must put in place automated vulnerability scanning that provides visibility over the entire dependency graph. If a vulnerability is found in a dependency or a transitive dependency, the open source component must be remediated or replaced.
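The SBOM, license-policy and transitive-dependency points above can be exercised on a concrete bill of materials. The following is an added example, not Mend code: it loads a constructed CycloneDX 1.4 SBOM with fictional package names, classifies each component under an assumed approve/reject/review license policy, and walks the dependency graph from the root to report every path that ends in a version below a constructed advisory's fixed version (so a vulnerable dependency of a dependency is found together with the direct dependency that pulls it in).

```python
import json

# Constructed CycloneDX 1.4 SBOM with fictional packages; bom-refs shortened to name@version.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"bom-ref": "webshop@1.0.0", "name": "webshop", "version": "1.0.0"}},
 "components": [
  {"bom-ref": "httpkit@4.2.0", "name": "httpkit", "version": "4.2.0", "licenses": [{"license": {"id": "MIT"}}]},
  {"bom-ref": "querylib@6.5.2", "name": "querylib", "version": "6.5.2", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
  {"bom-ref": "report-gen@2.1.0", "name": "report-gen", "version": "2.1.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
  {"bom-ref": "leftfill@0.3.1", "name": "leftfill", "version": "0.3.1"}],
 "dependencies": [
  {"ref": "webshop@1.0.0", "dependsOn": ["httpkit@4.2.0", "report-gen@2.1.0"]},
  {"ref": "httpkit@4.2.0", "dependsOn": ["querylib@6.5.2"]},
  {"ref": "report-gen@2.1.0", "dependsOn": ["leftfill@0.3.1"]}]}"""

# Assumed organisation license policy: auto-approve, auto-reject, anything else goes to review.
APPROVED = {"MIT", "Apache-2.0", "BSD-3-Clause"}
REJECTED = {"AGPL-3.0-only"}
# Constructed advisories: package -> first fixed version (every lower version is affected).
ADVISORIES = {"querylib": "6.5.3", "leftfill": "0.4.0"}
BOM = json.loads(SBOM_JSON)

def ver(v):
    return tuple(int(p) for p in v.split("."))  # numeric dotted versions only

def license_decisions(sbom):
    """Classify each component as approved, rejected or review under the policy."""
    out = {}
    for c in sbom["components"]:
        ids = {lic["license"]["id"] for lic in c.get("licenses", [])}
        out[c["name"]] = ("rejected" if ids & REJECTED else
                          "approved" if ids and ids <= APPROVED else "review")
    return out

def vulnerable_paths(sbom, advisories):
    """Walk the graph from the root; return each root-to-component path ending in an affected version."""
    root = sbom["metadata"]["component"]
    comps = {**{c["bom-ref"]: c for c in sbom["components"]}, root["bom-ref"]: root}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    hits = []
    def walk(ref, trail):
        if ref in trail:  # guard against dependency cycles
            return
        trail = trail + [ref]
        fixed = advisories.get(comps[ref]["name"])
        if fixed and ver(comps[ref]["version"]) < ver(fixed):
            hits.append(trail)
        for child in edges.get(ref, []):
            walk(child, trail)
    walk(root["bom-ref"], [])
    return hits
```

A component with no license entry lands in "review" rather than being silently approved, and each reported path names the direct dependency a developer would have to update or replace.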
Automate remediation
It stands to reason that the best way to safeguard your applications is to mend any vulnerabilities that you identify. However, most legacy application security tools are designed to detect problems and alert users rather than actually fix the problems. Many provide developers with links to click so they can research how to fix each security issue they encounter. That’s cumbersome and time-consuming, especially when the pressure is on developers to build software and applications quicker than ever. As a result, developers are often forced to choose between conducting due diligence for security and meeting deadlines.
What’s needed is an application security platform that can automatically fix the vulnerabilities as well as detect them, preferably within developers’ regular workflow. This makes the solution easy, fast, and seamless to use, so that developers no longer have to make the choice between security and speed of delivery.
Supply Chain Security with Mend
Mend offers an application security platform that provides the most comprehensive supply chain and application security in the market. The Mend Application Security Platform includes:
- Mend Supply Chain Defender — providing malware detection and blocking
- Mend SCA — the market-leading software composition analysis product that helps you identify and fix open source software vulnerabilities as well as generate SBOMs for all of your applications
- Mend Renovate — the industry-standard dependency update solution
- Mend SAST — static code analysis tool that saves your developers time by showing them how to automatically remediate custom code security flaws
Mend Application Security Platform
Mend’s Application Security Platform overcomes all the challenges that developers and DevOps face when seeking to secure their software supply chain. It’s fast and easy to use. Mend works with the developer, almost invisibly, to prevent them from introducing new security vulnerabilities, and to help them fix existing vulnerabilities.
Mend actually automates the process of fixing vulnerabilities, which is something that no other application security program does as comprehensively. We show users exactly what they need to do to fix problems — the exact changes that are needed. We deliver automated remediation advice for both open source and custom code issues. And we deliver it directly in the repository, for easy integration into the developer workflow. All the developer needs to do is go through a few mouse clicks to accept our recommendations. No other product does this.
Mend’s automation is also different from the competition. Our products require far less configuration and can be deployed once for the entire enterprise. As a result, enterprise-wide adoption of Mend occurs far more rapidly and completely than with other application security solutions.
Mend Supply Chain Defender
You can protect yourself from software supply chain attacks with Mend Supply Chain Defender, our advanced product for malware detection.
Mend Supply Chain Defender scans packages and analyzes their behaviors. It provides granular control over the dependencies permitted within your organization. And it enables you to take action based on real-time production notifications, inspect changes in packages before they are allowed, and define policies to allow or block package downloads, based on your organization’s specific needs and processes. It integrates with package managers (currently JavaScript and Ruby) to block installs and downloads of such packages before they have any chance to cause harm.
With Mend Supply Chain Defender, you can apply Zero Trust strategies to your software supply chain, increasing your visibility into third-party libraries, to prevent any installation of malicious packages or malicious updates of existing packages from the earliest stages of the software development life cycle.
Supply Chain Defender enables you to protect yourself against typosquatting attacks, malicious takeovers, ATO attacks, makefile pollution, bitcoin mining, accidental injections, botnet code injections, environment and credential stealing, viruses, package tampering, package CVEs, JavaScript CVEs, Ruby CVEs, brandjacking, and dependency confusion.
Since its public launch in early 2020, Mend Supply Chain Defender has detected over 350 known malicious packages on the RubyGems registry, and over 1400 malicious packages on npm since late 2021.
Mend SBOM
For inventory management, you can deploy Mend SBOM, a feature of Mend SCA. This tool quickly and easily creates a software bill of materials (SBOM). It enables you to generate SBOMs that identify open source libraries, track and document components (including direct and transitive dependencies), and update automatically when changes are made. Mend SBOM provides deep inspection and insight that make it possible to identify unintentional or malicious content being installed during application builds. When vulnerabilities are identified, Mend SBOM provides a path to remediation that ensures updates won’t break the build.
Mend Renovate
And to manage your dependencies, Mend offers Mend Renovate, the industry-standard dependency update solution for software developers. It automatically resolves outdated dependencies, saving developers’ time, reducing risk, and mitigating the impact of security vulnerabilities. With Renovate, you can automatically and efficiently keep dependencies up-to-date, integrating this process into any DevOps workflow.
Mend Remediate
One of the most reliable risk mitigation strategies is to keep your open source components continuously patched to avoid being exposed to known vulnerabilities. Another feature of Mend SCA, Mend Remediate, helps you achieve this.
Mend Remediate supports GitHub (server and cloud), GitLab and Bitbucket (server) repositories. It automates the entire process of detecting vulnerable or outdated components, identifies the latest available version, and generates a pull request that can be applied with one click.
Automated remediation workflows can be initiated based on security vulnerability policies triggered by a vulnerability detection, vulnerability severity, CVSS score or when a new version is released. By automating this process, Mend helps you remediate vulnerable libraries faster, reduces security and quality risks, and saves your developers precious time.