Software Supply Chain Security for Cloud-Based Development

Cloud Supply Chain Threats
Software supply chain security threats can arise in any type of development pipeline, and impact any type of application or service. There are a number of software supply chain security initiatives gaining ground (Google’s SLSA, NIST’s Secure SDLC, etc), but they have yet to achieve widespread adoption. In the meantime, it’s still “user beware” when it comes to importing third–party code and ensuring your build and distribution systems have not been compromised.For example, if attackers compromise a monitoring tool that your business relies on (as they did in the infamous SolarWinds attack of 2020), the resulting security risk can impact your software supply chain, and even pose a threat to your customers downstream. More commonly, relying on open source libraries to create software applications exposes your organization to supply chain risks ranging from open source vulnerabilities to typosquatting to malware, among other threats.

Software development in the cloud is no different. Most cloud providers, like much of the software industry to date, have yet to implement solutions to protect their customers from software supply chain threats. In fact, if you build your software in the cloud (on AWS, Google Cloud, Microsoft Azure, or similar cloud provider), you may be faced with unique supply chain security issues that don’t apply in other contexts.

That’s why understanding the special challenges related to supply chain security for cloud-based development is critical if you’re thinking of moving development operations to the cloud, or if you’re already there and you want to shore up your security. To help you get started, this blog explains which types of unique supply chain risks arise in cloud-based development environments and how to address them.

In today’s dynamic software development landscape, characterized by the integration of DevOps methodologies, a rapidly evolving ecosystem, and the widespread adoption of Software as a Service (SaaS) solutions, ensuring robust software supply chain security is paramount to achieving scalability and maintaining trust throughout the software development lifecycle.

What Is Software Supply Chain Security in the Cloud?

Software supply chain security is the process of detecting and remediating cybersecurity risks that arise within an organization’s software supply chain, which includes third-party software components included in application code, services/APIs called by your application, as well as development tools and services (such as CI/CD).

These on premise software supply chain threats also apply when developing applications in the cloud. Cloud-based development provides many benefits (ease of environment setup, application deployment and resource scaling), but it also introduces a number of additional supply chain concerns, including unpatched cloud-based services/software, as well as limited control/visibility for cloud-based resources.

Keep in mind that many organizations do not create applications solely on premise or in the cloud, but rather a hybrid of the two. For example, code may be created on premise, checked into a cloud-based versioning system like GitHub or GitLab, and built using a cloud-based service like Azure Pipelines.

It bears emphasizing that if you rely on any type of cloud-based software within your development pipeline, your organization is susceptible to cloud-based software supply chain threats.

The Unique Risks of Supply Chain Security in the Cloud

Generally speaking, the types of supply chain threats found in the cloud do not differ from those found on premise. The real difference is in how those threats manifest due to the fact that you often have limited visibility and control over cloud resources. Typical threats include:

  • Vulnerabilities in third-party code and services
  • Malware in third-party code and services
  • Insecure configurations that are inherited or borrowed from third-party tools
  • Improperly implemented access controls

Let’s look at how these threats manifest themselves in the cloud.

Infrastructure As Code Supply Chain Threats

In large cloud-based environments, you are probably more likely to automate infrastructure setup using an Infrastructure-as-Code (IaC) platform and configuration files provided by your cloud vendor or another third party. If those configurations contain risks like insecure access controls, the risks will flow “down chain” into your environment.

Of course, you might use IaC templates to configure on-premises development environments, as well. But because those environments are typically not as standardized as those in the cloud, you probably wouldn’t rely as extensively on third-party templates to configure them, so your supply chain risks are not as pronounced in that respect.

Cloud Software Supply Chain Threats

Using a cloud-based build or code versioning service could introduce risks into your own software if they allow attackers to gain unauthorized access to your CI/CD pipeline or plant malware inside your code.

But this also applies to environments that you spin up in the cloud based on templates offered by the cloud provider. In order to accommodate a wide range of configurations, these templates often incorporate older versions of resources (think of a LAMP stack that includes an older version of MySQL for instance) that may have unpatched vulnerabilities. User beware.

Software supply chain attacks underscore the critical importance of robust software supply chain management practices, highlighting the need for comprehensive risk assessment and mitigation strategies to safeguard against potential vulnerabilities introduced through third-party dependencies and components.

Limited Control and Visibility

Finally, when using cloud provider-managed development tools or services, it’s extremely unlikely you will be granted direct access to the infrastructure that hosts them. This means trusting your provider to implement security hardening best practices, continuous monitoring, and regular security audits to ensure their infrastructure (and your development environment that runs on it) is safe.

Conclusions: Creating a Secure Cloud Supply Chain

Trust is a key benefit every cloud provider that wants to attract (and stay in) business must provide. As such, most are diligent about ensuring that their infrastructure is secure, and that vulnerabilities in the software and services they provide are addressed in a timely manner.

Unfortunately, the software supply chain extends beyond these mere table stakes requirements. While some cloud providers like Google are beginning to realize the threat the software supply chain poses, and have begun to introduce new services (like software attestations in the form of Binary Authorization), most cloud providers have yet to make it a priority. At this point, they simply cannot guarantee that every cloud-based development service you use, or resource you pull, is free of malware or configuration risks that could lead to breaches.

That’s why it’s up to you – the user of cloud-based development environments – to identify and mitigate software supply chain risks. Doing so is the only way to take advantage of the benefits that cloud-based development offers without letting the cloud become the weakest link in the security of your software supply chain.

Maintaining a strong security posture is essential for safeguarding sensitive data and preventing disruptions in cloud-based development environments, emphasizing the significance of proactive measures to mitigate risks associated with software supply chain vulnerabilities.

Next steps:

One way to help secure your cloud-based software supply chain is to work with prebuilt runtime environments, rather than pulling prebuilt packages on demand from open source repositories, which provide no guarantee as to their security and integrity. The ActiveState Platform securely builds dependencies from source code in an automated and repeatable manner, and packages them for any OS. You can then pull these secure runtimes into your workflow (be that setting up dev, CI/CD or production environments) with a single command, eliminating a key weak link in most cloud-based software development supply chains.

Read Similar Stories

InfoSec Leader’s Guide to Fixing the Software Supply Chain

White Paper: The Open Source Supply Chain Can Be FixedAppSec leaders can use this guide to investigate the current state of their development processes and mitigate the risk associated with working with open source software.

Learn more >

datasheet python build service

Data Sheet: ActiveState Platform’s Secure Build ServiceRead how you can use the ActiveState Platform to secure your builds and as a result secure the weakest link in your software supply chain.

Learn More >

Google Cloud Build Flow

Solving Reproducibility & Transparency in Google Cloud Build CI/CD PipelinesLearn how to work with prebuilt runtime environments on Google Cloud Platform to limit software supply chain threats.

Learn More >

Recent Posts

Tech Debt Best Practices: Minimizing Opportunity Cost & Security Risk

Tech debt is an unavoidable consequence of modern application development, leading to security and performance concerns as older open-source codebases become more vulnerable and outdated. Unfortunately, the opportunity cost of an upgrade often means organizations are left to manage growing risk the best they can. But it doesn’t have to be this way.

Read More
Scroll to Top