Behind The Screen

The software supply chain: New threats call for new security measures

September 22, 2022

The contemporary software supply chain is made up of everything that goes into producing software: people, processes, dependencies and tools.

This reaches far beyond application code, which is typically the main focus of existing DevSecOps tools.

Today's increasingly complex software supply chain therefore calls for a new approach to security. The quandary is that many organizations struggle not only to secure their software supply chains, but even to identify what is in them.

“The challenge of securing the software supply chain is significant and complex for virtually every organization,” said Katie Norton, IDC senior research analyst for devops and DevSecOps. “And, the many entry points into the software supply chain constitute a significant risk that has gone unaccounted for in many organizations.”

A new approach

To address the growing problem, Chainguard today announced Wolfi, a new community Linux (un)distribution. It combines aspects of existing container base images with security measures that are on by default, including software signatures powered by Sigstore, build provenance and software bills of materials (SBOMs).

The company is also announcing Chainguard Academy, which it describes as the first free, open-source and interactive educational platform built for software supply chain security. Its Chainguard Enforce platform is also now generally available.

“One of the biggest threats to securing the software supply chain is the way that we build software today,” said Dan Lorenc, Chainguard founder and CEO. “The tools we use to build software were not designed for the speed and scale of its use, which results in clunky architecture that is easy for bad actors to exploit or tamper with.” 

Governments around the world are asking questions and demanding guarantees about the software they consume. And while vendors, both established and new, are providing tools, those tools do not address the deeper problem: "the need for a fundamental shift in the way software is built," said Lorenc.

But first: Identifying the software supply chain

IBM's 2022 Cost of a Data Breach Report offered one of the first analyses of supply chain security, finding that nearly one-fifth of the organizations studied were breached through a software supply chain compromise.


One of the biggest hurdles: Simply recognizing and identifying all the different ways bad actors can exploit the software supply chain, said Norton. 

When people say "software supply chain security," they often think only of exploitable vulnerabilities in open-source software, such as Log4Shell. But that is only part of the attack surface.

Among the supply chain attack vectors Norton identified are misconfigurations and hard-coded secrets in infrastructure-as-code (IaC), and misconfigurations in the CI/CD pipeline that can expose sensitive information or serve as an entry point for malicious activity. Another is compromised developer credentials, often the result of poor governance or a failure to apply least-privilege principles.
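The IaC and pipeline vectors above are the kind of thing a pre-commit or CI check can catch mechanically. The scanner below is an added example written for this page, not code from the article or from Chainguard or IDC. It runs over two constructed inputs, a Terraform provider block and a CI workflow fragment (the AWS key is Amazon's documented example key, not a live credential), and flags credential literals, secrets assigned to sensitively named keys, and a pipeline secret being echoed into the job log, while leaving variable and secret-store references alone. The rule names, thresholds and sample files are all assumptions of the example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample inputs (not taken from the article). The AWS access key
# is Amazon's documented example key, not a live credential.
TERRAFORM_SAMPLE = '''
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "app"
  password = var.db_password
}
'''

PIPELINE_SAMPLE = '''
jobs:
  deploy:
    steps:
      - run: ./deploy.sh
        env:
          DB_PASSWORD: "hunter2"
          API_TOKEN: ${{ secrets.API_TOKEN }}
      - run: echo "token is ${{ secrets.API_TOKEN }}"
'''

AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# "<name containing a sensitive word> = <value>" (HCL) or "<name>: <value>" (YAML)
SENSITIVE_ASSIGNMENT = re.compile(
    r"^\s*-?\s*(?P<key>[\w.-]*(?:password|passwd|secret|token|api_?key|access_key|private_key)[\w.-]*)"
    r"\s*[:=]\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
# Values that reference a variable or a secret store instead of embedding a literal.
REFERENCE = re.compile(r"^(\$\{|\$[A-Za-z_(]|var\.|local\.|data\.|module\.|secrets\.)")
# A pipeline secret interpolated into a command whose output lands in the job log.
SECRET_TO_LOG = re.compile(r"\b(?:echo|printf|cat|print|console\.log)\b.*\bsecrets\.", re.IGNORECASE)


@dataclass
class Finding:
    file: str
    line: int
    rule: str
    severity: str
    detail: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking credentials score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text: str, filename: str) -> list[Finding]:
    """Scan one IaC or pipeline file line by line and return the findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append(Finding(filename, lineno, "private-key-material", "high",
                                    "PEM private key committed to source"))
            continue
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append(Finding(filename, lineno, "aws-access-key-id", "high",
                                    "AWS access key ID literal"))
            continue
        if SECRET_TO_LOG.search(line):
            findings.append(Finding(filename, lineno, "secret-in-log", "high",
                                    "pipeline secret expanded into a command that prints to the job log"))
            continue
        m = SENSITIVE_ASSIGNMENT.match(line)
        if not m:
            continue
        value = m.group("val").strip().strip("\"'")
        if not value or REFERENCE.match(value):
            continue  # var.x, ${{ secrets.X }}, $ENV: a reference, not an embedded secret
        entropy = shannon_entropy(value)
        # Threshold is an assumption of this example; tune it against your own corpus.
        severity = "high" if entropy >= 3.5 else "medium"
        findings.append(Finding(filename, lineno, "hardcoded-secret", severity,
                                f"{m.group('key')} assigned a literal (entropy {entropy:.2f} bits/char)"))
    return findings


if __name__ == "__main__":
    for f in scan(TERRAFORM_SAMPLE, "main.tf") + scan(PIPELINE_SAMPLE, ".github/workflows/deploy.yml"):
        print(f"{f.file}:{f.line} [{f.severity}] {f.rule}: {f.detail}")
```

Note that `password = var.db_password` and `API_TOKEN: ${{ secrets.API_TOKEN }}` produce no finding: the point is to flag embedded literals and log leakage, not every sensitive-looking key name, otherwise the check trains developers to ignore it.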

Then there are hacking tools and techniques that are readily available on the web. “Advanced skills are not requisite for someone to breach your company’s software supply chain,” said Norton. 

The good news is that, with more exploits in the wild and the growing awareness that follows, the software supply chain security market is "an evolving domain" with new competitors constantly entering the space, she said.

Building in security from the start

As Lorenc explained, most of today's workloads run in containers, yet the Linux distributions inside those containers were designed for an earlier era. That mismatch, together with new supply chain risks, has exposed major gaps in how containers are built and run.

For example, container images tend to lag behind upstream updates, so users end up installing packages manually or outside the package manager and running images with known vulnerabilities, he said. Many container images carry no provenance information, which makes it hard to verify where they came from or whether someone has tampered with them. Both problems enlarge the attack surface.

“The only way to solve these problems is to build a distribution designed for container/cloud native environments,” said Lorenc. 

Wolfi is a container-specific distribution that can "vastly simplify" the process by dropping support for traditional distribution features that are often irrelevant inside a container, he said. It also embraces the immutable nature of containers: rather than updating packages inside a running image, developers rebuild the image from scratch with the new versions.

“The reality is that software has vulnerabilities and that will never change,” said Lorenc. “And to begin to improve software supply chain security, we must begin where development begins — with developers — and provide tools that make the development lifecycle secure by default, from build to production.”


The requirements of a modern software supply chain

Wolfi underpins purpose-built Chainguard images that ship with minimal components, to reduce an enterprise's attack surface, and that generate SBOMs at build time, said Lorenc. It is reproducible by default, meaning every package can be rebuilt from Chainguard's published source and yield the same result.

"This means a user will get the same package," he said. It also allows developers to build images that are "tamper-proof and trusted."

The company produces an SBOM at the start of the build, not after the fact, he pointed out. The base is secure by default, scales to organizations running massive environments, and provides the control needed to address most modern supply chain threats.

“Reverse engineering SBOMs isn’t going to work and will defeat the purpose of them before they can even be used effectively,” said Lorenc. “Wolfi helps to address this problem.”
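The two claims above, that a reproducible build yields the same package every time and that an SBOM written by the build is worth more than one reverse-engineered from the finished artifact, are easy to demonstrate on a toy package. The code below is an added example for this page, not Chainguard's build tooling and not a conformant SPDX or CycloneDX document. It builds a small in-memory tar "package" two ways: a naive build that lets the wall clock and a random build ID leak into the archive, and a reproducible build that pins entry order, mtime (a SOURCE_DATE_EPOCH-style fixed timestamp), owner and format. The build then writes a minimal SBOM from the file tree it actually packed, including the component version and source URL that the bytes alone cannot tell you, and a verifier checks a shipped archive against it. The package contents, version, URL and timestamp are all constructed for the example.

```python
import hashlib
import io
import json
import tarfile
import time
import uuid

# Constructed toy package inputs (not a real Wolfi package): path -> contents.
SOURCE_INPUTS = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello 1.2.3\n",
}
# Metadata the build knows about its inputs and that cannot be recovered from
# the packed bytes afterwards (version and origin are assumptions of the example).
COMPONENTS = [
    {"name": "hello", "version": "1.2.3",
     "source": "https://example.invalid/hello-1.2.3.tar.gz"},
]
SOURCE_DATE_EPOCH = 1663804800  # fixed build timestamp: 2022-09-22T00:00:00Z


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stage(inputs: dict, *, reproducible: bool) -> dict:
    """Assemble the full file tree the package will contain."""
    files = dict(inputs)
    if reproducible:
        buildinfo = f"built-at={SOURCE_DATE_EPOCH}\n"
    else:
        # Typical non-determinism: wall clock plus a per-run build ID baked into a file.
        buildinfo = f"built-at={int(time.time())} build-id={uuid.uuid4().hex}\n"
    files["usr/share/doc/hello/BUILDINFO"] = buildinfo.encode()
    return files


def pack(files: dict, *, reproducible: bool) -> bytes:
    """Write the file tree to an uncompressed tar archive held in memory."""
    buf = io.BytesIO()
    # Pin the archive format too: a different default format changes the bytes.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        order = sorted(files) if reproducible else list(files)
        for path in order:
            data = files[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = 0o755 if path.startswith("usr/bin/") else 0o644
            info.mtime = SOURCE_DATE_EPOCH if reproducible else int(time.time())
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build(inputs: dict, *, reproducible: bool) -> tuple[bytes, dict]:
    """Return the packed artifact and the exact file tree that went into it."""
    files = stage(inputs, reproducible=reproducible)
    return pack(files, reproducible=reproducible), files


def generate_sbom(components: list, files: dict, artifact: bytes) -> dict:
    """Written by the build itself, from what it actually packed (not reverse-engineered)."""
    return {
        "artifact": {"sha256": sha256hex(artifact)},
        "components": [dict(c) for c in components],
        "files": [{"path": p, "sha256": sha256hex(files[p])} for p in sorted(files)],
    }


def verify(artifact: bytes, sbom: dict) -> bool:
    """Check a shipped archive against the build-time SBOM, whole and file by file."""
    if sha256hex(artifact) != sbom["artifact"]["sha256"]:
        return False
    expected = {f["path"]: f["sha256"] for f in sbom["files"]}
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r:") as tar:
        for member in tar.getmembers():
            data = tar.extractfile(member).read()
            if expected.pop(member.name, None) != sha256hex(data):
                return False  # unexpected, missing or modified file
    return not expected  # every listed file was present


if __name__ == "__main__":
    a1, files = build(SOURCE_INPUTS, reproducible=True)
    a2, _ = build(SOURCE_INPUTS, reproducible=True)
    n1, _ = build(SOURCE_INPUTS, reproducible=False)
    n2, _ = build(SOURCE_INPUTS, reproducible=False)
    print("reproducible builds identical:", a1 == a2)
    print("naive builds identical:", n1 == n2)
    sbom = generate_sbom(COMPONENTS, files, a1)
    print(json.dumps(sbom, indent=2))
    print("verify shipped artifact:", verify(a1, sbom))
    tampered, _ = build({**SOURCE_INPUTS, "usr/bin/hello": b"#!/bin/sh\necho tampered\n"},
                        reproducible=True)
    print("verify tampered artifact:", verify(tampered, sbom))
```

The reproducible path is what makes the digest in the SBOM meaningful: anyone can rebuild from the same inputs and compare digests, whereas the naive build produces a fresh digest on every run, so a mismatch tells you nothing about tampering.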

Chainguard Enforce is also now generally available. The supply chain risk management platform launched as an early-access program in April. It now includes an "agentless" mode, a redesigned user interface with security metrics, SOC 2 Type 1 certification, curated security policies and alerting, and integrations with CloudEvents, OPA Gatekeeper and Styra, a Terraform provider and Vault.

A more holistic view

All told, organizations should “look more holistically” at software supply chain security, said Norton. 

"Focusing on only one dimension of the software supply chain is both unscalable and inadequate," she said. "All the software supply chain attack vectors are interrelated and interdependent."

So, in addition to securing the individual components of their applications, organizations should lock and guard every digital entry point into their software factories.

“Securing only one attack entry point is the equivalent of locking the front door of your house while leaving the back door open,” said Norton. 

Organizations must find comprehensive tools that protect across the whole software development lifecycle. Established DevSecOps and application security testing vendors are increasingly folding software supply chain security into their larger platforms, so organizations should ask their current partners what they can cover, she said. At the same time, the rapidly growing number of startups attacking this problem should not be overlooked.

Going forward, guidance and regulation from the U.S. government, such as President Biden's Executive Order on Improving the Nation's Cybersecurity (EO 14028), guidance from the National Institute of Standards and Technology (NIST) and the Office of Management and Budget memos, will continue to be powerful forces. She credits them as a "significant contributor to how rapidly software supply chain security has become top of mind."

“It’s not only software suppliers that sell to the government that are going to be impacted — there will be downstream impacts,” said Norton. “As more software suppliers adopt these standards, non-governmental organizations will expect the same due diligence.”

Education is critical

Further exacerbating the problem is a lack of comprehensive education, said Lisa Tagliaferri, Chainguard's head of developer education. This is a barrier to wider adoption of software supply chain security recommendations, and it stems from an "ever-changing technical landscape" and a shortage of learning material for open-source tooling such as Sigstore.

This prompted Chainguard Academy, which provides free educational resources and recommended practices for software supply chain security tooling. 

“A driving force behind our effort was to provide software engineers and technology leaders the resources they need to be able to identify, mitigate and fix software vulnerabilities through tools and solutions that allow them to address security early and often across their development lifecycle,” said Tagliaferri. 

The Academy builds on the company's earlier educational efforts, including the Securing Your Software Supply Chain with Sigstore course offered in partnership with the Linux Foundation and edX.

Developers using Chainguard Academy can also work with Sigstore and distroless container images directly from their browsers through an interactive sandbox terminal.

“We believe that a key part of making the software supply chain secure by default is to help close this skills gap,” said Tagliaferri. “To achieve this goal, it was important that we kept critical educational resources open to everyone because we all have to do our part to help solve the software supply chain security problem.”
