Software Supply Chain Security: Don’t Get Your Code Tampered
Recent events such as the SolarWinds and Kaseya incidents have demonstrated the need to focus significantly more on software supply chain security. Thus, avoiding code tampering by external attackers and internal parties is essential. This whitepaper looks at how to increase security throughout the Software Lifecycle and implement a multi-layered, defense-in-depth code tampering prevention and detection strategy.
Commissioned by Cycode
1 Executive Summary
Software security has gained massive awareness since the end of 2020 due to two major attacks on software supply chains. Both the SolarWinds and the Kaseya attacks affected the systems of many clients and put an increased focus on the need for improving software security.
The SDLC (Software Development Lifecycle) and the entire DevOps cycle, from creating software to running it in the cloud or any other environment, have become massively more complex over the past few years. This complexity is mainly due to the number of tools involved in managing code, such as Source Control Management (SCM) systems, as well as in building applications and deploying and operating code. Unfortunately, this complexity leads to a broadened attack surface.
From the SCM, where both application code and infrastructure-as-code are managed, to cloud-based build and runtime environments, the attack surface includes a multitude of tools that make up the CI/CD pipeline. Moreover, the high degree of integration and automation across the entire pipeline allows for lateral movement of attackers.
Therefore, securing the entire SDLC is both a challenge and an imperative. Code tampering prevention is a key element within software security and helps prevent internal or external attacks that tamper with code to create malicious software. Attackers might alter code or inject malicious code at any point, so code tampering prevention must span the entire pipeline.
Successful implementation of a secure SDLC with strong code tampering prevention, therefore, requires solutions that cover all stages of the software delivery pipeline from the SDLC to the runtime environment in an integrated manner.
Cycode delivers a software supply chain security solution that builds on a common set of policies, covering a range of capabilities including critical code monitoring and file integrity verification, and implementing security policies consistently across the entire pipeline. This allows organizations to implement a comprehensive solution for code tampering prevention, beyond isolated solutions such as SAST/DAST (Static/Dynamic Application Security Testing).
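As an added illustration of the file integrity verification named above (example code written for this summary, not Cycode's implementation): a build stage records a SHA-256 digest per artifact and seals the manifest with an HMAC, and a later pipeline stage checks the artifacts it received against that manifest, reporting modified, missing and unexpected files as well as a manifest that was itself edited. The artifact contents and the key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample: artifacts as produced by a build stage (path -> bytes).
BUILD_ARTIFACTS = {
    "app/main.py": b"print('hello')\n",
    "app/config.yaml": b"debug: false\n",
}

# Assumed manifest-signing key; in a real pipeline it would come from a secret store.
MANIFEST_KEY = b"example-manifest-key"


def build_manifest(artifacts: dict, key: bytes) -> dict:
    """Record a SHA-256 digest per artifact and seal the digest list with an HMAC,
    so the manifest cannot be silently edited along with the files it covers."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(artifacts.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_artifacts(manifest: dict, artifacts: dict, key: bytes) -> list:
    """Return a sorted list of findings; an empty list means nothing was tampered with."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Check the manifest seal first: a forged manifest would make every file look valid.
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest itself was altered"]
    findings = []
    for path, digest in manifest["files"].items():
        if path not in artifacts:
            findings.append(f"missing: {path}")
        elif hashlib.sha256(artifacts[path]).hexdigest() != digest:
            findings.append(f"modified: {path}")
    for path in artifacts:
        if path not in manifest["files"]:
            findings.append(f"unexpected: {path}")
    return sorted(findings)


if __name__ == "__main__":
    manifest = build_manifest(BUILD_ARTIFACTS, MANIFEST_KEY)
    # Constructed deploy-stage snapshot: one file changed, one added, one removed.
    deployed = dict(BUILD_ARTIFACTS)
    deployed["app/main.py"] = b"print('hello'); import os\n"
    deployed["app/extra.py"] = b""
    del deployed["app/config.yaml"]
    print(verify_artifacts(manifest, deployed, MANIFEST_KEY))
```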