Organizations should implement the Supply Chain Levels for Software Artifacts (SLSA) framework when building software to ensure better software security and integrity, advocates Google, after the tech giant took a deep dive into best practices for securing the software supply chain.
In a report out on Dec. 9, Google laid out several recommendations for bolstering supply chain security, including the need for organizations to take on more direct responsibility for open source software, and to take a more holistic approach to addressing risks such as those presented by the Log4j vulnerability and the SolarWinds breach.
Google’s report on software security is the first in a new “Perspectives on Security” research series that examines emerging security trends and how to address them. The report’s release comes on the second anniversary of the SolarWinds breach disclosure, and its recommendations are based on Google’s analysis of that incident as well as numerous other software supply chain breaches since then. Those include incidents at Codecov, Kaseya and those involving public code repositories such as PyPI.
The breaches have made software supply chain security a top item on the enterprise IT agenda. A recent report from Mandiant identified supply chain compromises as contributing to 17% of all intrusions in 2021, up from less than 1% just a year earlier. Supply chain issues were, in fact, the second most common initial intrusion vector after software vulnerability exploits in 2021.
Two Main Takeaways for Security Decision-Makers
“There are two main key takeaways from this report that enterprise IT and security decision makers should consider that will help them securely build and verify the integrity of software,” says Royal Hansen, vice president of engineering at Google.
The first, as mentioned, is that security leaders need to focus on adopting a more holistic approach to strengthen defenses against software supply chain attacks: “Organizations should also implement the Supply Chain Levels for Software Artifacts (SLSA) framework to ensure the security community mitigate threats across the entire software supply chain ecosystem,” he says.
SLSA (pronounced “salsa”) gives software developers a set of controls and practices to ensure software security and integrity across the entire software development life cycle through production. One of its key goals is to give organizations a way to prevent and detect tampering of the kind that occurred at SolarWinds, where an adversary inserted malicious code into, and distributed it via, a signed software update.
SLSA is a prescriptive checklist, meaning it spells out the steps that organizations need to take. That includes, for instance, verifying the provenance of all open source and third-party components in their software, and ensuring there has been no tampering with the software.
Among other things, it also requires that organizations retain source code indefinitely and have the ability to verify the integrity of their software with tamper-proof provenance information.
Google sees the SLSA framework as allowing organizations to maximize the benefits of things like a software bill of materials (SBOM), i.e., a list of all the components in a particular piece of software.
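To make the provenance check concrete, the following is an added example (not Google's code and not an official SLSA tool) that builds a constructed in-toto statement carrying a SLSA v0.2 provenance predicate for a constructed artifact, then verifies a downloaded artifact against it: the digest must match a listed subject, the builder must be one the consumer trusts, and source materials must be recorded. The builder ID, build type and repository URI are placeholders; signature verification of the surrounding DSSE envelope is assumed to happen before this step.

```python
import hashlib

# Constructed artifact bytes and a placeholder trusted builder ID for this example.
ARTIFACT = b"binary contents of example-app-1.0.0.tar.gz\n"
TRUSTED_BUILDER = "https://example.invalid/builder/v1"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"


def make_provenance(artifact: bytes, builder_id: str) -> dict:
    """Construct an in-toto Statement whose predicate is SLSA v0.2 provenance."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SLSA_V02,
        "subject": [{"name": "example-app-1.0.0.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.invalid/build-types/container@v1",  # placeholder
            "materials": [{"uri": "git+https://example.invalid/app.git",      # placeholder
                           "digest": {"sha1": "0" * 40}}],
        },
    }


def verify_provenance(artifact: bytes, statement: dict, trusted_builder: str) -> list:
    """Return the checks that failed; an empty list means the artifact is accepted.
    Assumes the DSSE envelope signature was already verified by the caller."""
    failures = []
    if statement.get("predicateType") != SLSA_V02:
        failures.append("unexpected predicate type")
    # The artifact we actually hold must be one of the subjects the builder attested to.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        failures.append("artifact digest not among provenance subjects")
    # Only provenance from a builder we trust counts; anyone can write JSON.
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder != trusted_builder:
        failures.append(f"untrusted builder: {builder!r}")
    # Without recorded materials there is nothing to trace back to source.
    if not statement.get("predicate", {}).get("materials"):
        failures.append("no source materials recorded")
    return failures


PROVENANCE = make_provenance(ARTIFACT, TRUSTED_BUILDER)

if __name__ == "__main__":
    print(verify_provenance(ARTIFACT, PROVENANCE, TRUSTED_BUILDER))         # []
    print(verify_provenance(ARTIFACT + b"x", PROVENANCE, TRUSTED_BUILDER))  # tampered copy
```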
Assuming More Responsibility
One of the other keys to bolstering supply chain security at an industry level is for organizations to secure their own open source and proprietary software supply chains, Google said.
This means ensuring that all software they build or buy from other sources implements baseline security standards and controls. As an example, Google pointed to the Minimum Viable Secure Product (MVSP) requirements for enterprise-ready software that it developed in collaboration with several other companies, including Okta, Salesforce, Slack, and Venafi.
MVSP is a checklist of baseline security controls that a software developer must implement, at a minimum, to ensure a reasonably secure product. The checklist includes things such as whether the software vendor or publisher publishes vulnerability reports, conducts self-assessments and external testing, and implements practices such as SSO, HTTPS, and security headers.
Software buyers can use the baseline to assess whether a product meets these requirements, while larger companies can incorporate MVSP as their standard questionnaire when triaging the security posture of their third-party software suppliers, Google said. Procurement teams can include it in requests for proposal (RFP) documents and use it as a security baseline for vendor selection, Google said.
Hansen says security leaders and practitioners can also take other measures to bolster software supply chain security. “Findings from the report suggest a need for a more thorough understanding of software supply chain networks, identification of potential risks and implementation of risk-mitigation plans, and the establishment of security requirements for software procurement,” he notes.
Security organizations can play a role as well by, for example, funding the Open Source Security Foundation (OSSF) and the open source software project maintainers who find and fix security vulnerabilities in open source code, Hansen says.