Software Supply Chain Security Checklist for InfoSec

Import Process Controls

The majority of supply chain attacks are still aimed at compromising public repositories.

While most organizations have no direct control over the public repositories they use, there are a number of  controls that can help create a secure import process:

• Verify the identity of uploader(s)/ author(s) haven’t suddenly changed
• Verify that at least two reviewers have reviewed the submission
• Verify that the timestamp of the submission is valid
• Verify the revision history. A lack of history can be indicative of typosquatted packages.
• Verify the URL/ immutable reference to counter dependency confusion*

*can occur when a build system mistakenly pulls in a similarly named dependency from a public repository rather than your private repository

Public repositories are usually very quick to resolve common issues, such as typosquatting. Simply creating a quarantine service for packages that fail the above criteria can be an effective way to deal with imported components that are suspect.

Build Process Controls

You and your vendors’ dev environment are now the security frontline for your customers. Following best practices such as those listed below can help protect and secure development environments:

• Builds are scripted and have no manual inputs
• Builds are run by a dedicated service (as opposed to on a developer’s workstation)
• Build steps are executed in ephemeral environments that are discarded at the end of the step
• Build steps are executed independently in isolated environments
• Build steps are executed in hermetic environments that have no public network access
• Builds are reproducible

Putting these controls into practice can thwart common attack vectors like tampered build scripts, unconstrained packages, and dynamic packages that attempt to include remote resources.

Consume Process Controls

Implementing secure import and build processes go a long way to ensuring the code you run is also secure. However, you’ll still want to ensure the packages you consume are signed, and that the signature includes the following information via a cryptographic hash:

• Output artifact
• Build system used
• Source (ie., an immutable reference to the build script)
• Transitive dependencies (ie., dependencies of dependencies)
• Build parameters, if any

Software Supply Chain Security Checklist

As organizations navigate the complexities of modern software development within their ecosystem, understanding the pivotal role of a secure software supply chain is paramount. A robust CD pipeline integrated into DevOps practices is essential for efficiently delivering software while mitigating security risks. By implementing Software Bill of Materials (SBOM) and conducting comprehensive security checks, including scanning for malicious code, organizations can bolster their cybersecurity defenses and safeguard against potential threats. ActiveState’s CISO Guide provides invaluable insights into secure software development practices, emphasizing the importance of source code integrity and the proactive identification and mitigation of vulnerabilities to ensure a resilient and secure software ecosystem.

Furthermore, the guide underscores the significance of integrating SBOM into the software development lifecycle, enabling organizations to track and manage their software components effectively. By proactively addressing cybersecurity concerns and fortifying the CD pipeline with secure software practices, companies can mitigate the risks posed by malware and other security threats. With ActiveState’s expertise in secure software solutions, organizations can confidently navigate the evolving landscape of software development, ensuring the integrity and security of their software ecosystem.

In today’s software development landscape, leveraging frameworks and platforms like GitHub is commonplace, underscoring the importance of robust security measures. Authentication mechanisms play a pivotal role in ensuring that only authorized personnel can access sensitive resources, highlighting the significance of implementing stringent access controls. Security teams must remain vigilant, continuously monitoring for security issues and promptly addressing any identified vulnerabilities. Third-party software integration is common practice, but it introduces additional security risks. By adhering to security best practices and implementing workflows that prioritize security at every stage, organizations can minimize the potential impact of security incidents. ActiveState provides comprehensive solutions designed to enhance security across the software development lifecycle, empowering teams to navigate these challenges with confidence while safeguarding their digital assets and ensuring the integrity of their workflows.

Development teams must proactively address known vulnerabilities and minimize their attack surface to bolster application security, effectively fending off hackers and safeguarding against potential breaches. Conducting rigorous risk assessments and implementing robust Software Composition Analysis (SCA) tools are essential components of maintaining a secure coding environment and enhancing the overall security posture of open-source software (OSS) projects.

ActiveState Platform: Turnkey Supply Chain Security

Implementing all the controls listed above can be both time and resource-intensive. The shortcut most organizations rely on is to pick a trusted vendor and exclusively use their signed packages. Unfortunately, this method can be compromised when:

• Developers install a package directly from the public repository
• Attackers compromise the development environment of trusted vendors prior to the signing service, such as happened with SolarWinds and Codecov.

Instead, consider using the ActiveState Platform to secure your Python, Perl and Tcl supply chains. It implements many of the best practices listed here in order to create verifiably reproducible builds in which the provenance (ie., the origin) can be established for each artifact.

Rather than cobbling together custom code and multiple solutions from multiple vendors, the ActiveState Platform can provide an out-of-the-box, end-to-end solution saving organizations considerable time, resources and money.

You can try the ActiveState Platform by signing up for a free account at platform.activestate.com

About ActiveState

ActiveState is the de-facto standard for millions of developers around the world who have been using our commercially-backed, secure open source language solutions for over 20 years. With the ActiveState Platform, developers can now automatically build their own Python, Perl or Tcl Environments for Windows, Linux or Mac—all without requiring language or operating system expertise.

How  to try the ActiveState Platform for your Python, Perl and Tcl projects?

Developers can sign up for our Platform and use it to build a runtime environment for their Python or Perl projects right away. Or they can install it via the command line using the snippet provided here.

Upto 5 Active Runtimes per organization (or per individual, if for personal use) are free. For information on team tier or enterprise pricing, refer to our Platform Pricing or else contact Sales.

Related Resources:

Survey Report: State of Software Supply Chain Security

Data Sheet: Securing Your Open Source Supply Chain

Data Sheet: Speeding Open Source Vulnerability Remediation