Software supply chain security has largely remained an afterthought until the disastrous SolarWinds hack in 2020. The incident didn’t just affect thousands of private agencies but also several government agencies. In brief, the hack was due to a basic error of not changing the admin password regularly, which gave attackers an opening to inject malicious code into the supply chain. Further, the code remained undetected through the development cycle and was included in the software updates distributed to all the clients of SolarWinds. The attack was so sweeping that the US Government introduced an Executive Order mandating companies to secure the software supply chain.
Software Supply Chain Security
Open source code is a necessity in today’s world of software development with every application containing multiple code and components borrowed from third-party open source projects. Your software supply chain is essentially everything that goes into building your software – code, binaries and components, and related information like license information, known vulnerabilities, and contributors. Although these open source components come with known and disclosed vulnerabilities, developers tend to overlook them. This opens up your application to unwanted risks.
About 99% of codebases contain open source code, according to the 2022 Open Source Security and Risk Analysis Report. Further, the report claims that open source code accounts for about 85% to 97% of your application. This should give you an idea of how important open source is to modern application development. Considering this, it is essential to have robust security measures to protect your application from threats due to open source.
GitLab’s Features for Software Supply Chain Security
Managing security risks concerning the software supply chain is all about understanding and maintaining your application dependencies. GitLab offers a list of features and tools to help you identify the open source components you use, detect vulnerabilities, and resolve any security issues.
Static Application Security Testing (SAST)
To detect any risky class attributes or unsafe code, you can execute a Static Application Security Testing (SAST) scan for your source code. The pipeline analysis is compared with the target branch’s analysis and the results are listed in the order of vulnerability. The SAST analysis also detects any vulnerability that could expose your project to cross-site scripting attacks. The results are listed in the Security Dashboard.
With GitLab, you can run different scanners to ensure that no part of your project is left unreviewed. The two scanning methods that are available to you are:
1. Dependency Scanning
GitLab offers the capability of scanning your code or application to detect security vulnerabilities in your dependencies. It highlights if you’re using any external dependency and the kind of risks it poses. Further, Dependency Scanning adopts multiple approaches depending on the language and package manager of your application.
2. Container Scanning
As Dependency Scanning cannot identify software dependencies pre-bundled in a container, you can use the Container Scanning feature. With this, you can scan your containers for any dependency vulnerabilities along with language dependencies. However, you might see duplicate results between container and dependency scanning.
Infrastructure as Code (IaC) Scanning
Infrastructure as Code (IaC) Scanning helps you in detecting known vulnerabilities in your IaC configuration files for Terraform, Kubernetes, AWSCloudFormation, and Ansible. IaC Scanning detects project language and executes the scanning automatically. You can run IaC Scanning in the testing stage with GitLab Runner with a Docker or Kubernetes executor.
Dynamic Application Security Testing (DAST)
To ensure that your application remains secure in a new environment, you can execute Dynamic Application Security Testing (DAST). DAST identifies any known vulnerabilities in deployed environments that might not be detected from the source code. It uses OWASP Zed Attack Proxy to analyze the environments and reports the detected vulnerabilities.
Once the results are produced after enabling security scanners, all the identified vulnerabilities are listed in the Security Dashboard. It displays the results of the most recent scan, which is executed only when the default branch is updated. You must include lock files in your project to reduce the number of false negatives generated.
Your Security Dashboard also reports any secrets that were committed to a Git repository. Secret Detection identifies and reports when sensitive information like keys, tokens, and passwords is found in the repository. It uses Gitleaks to execute scanning based on the default ruleset of over 90 secret detection patterns.
After you read the vulnerability report, you can take several steps as a follow-up action:
- Confirm finding: You can create a new issue and set an appropriate priority.
- Dismiss vulnerability: You can dismiss the vulnerability in case it is resolved or accepted or a false positive. You can leave a comment as well.
- Auto-remediation: You can automate the vulnerability resolution with a ready fix available.
- Links: You can get more details of the vulnerability from the associated link to an external source.
GitLab Security Framework for Software Supply Chain Security
In addition to the above-mentioned features and capabilities, GitLab has formulated a five-part framework to ensure the industry standards of securing the software supply chain. Below listed are the five aspects and the features that GitLab currently has under them:
Features to ensure both internal and external sources are secure and free of vulnerabilities and other risks.
- Version Control & Code History
- Developer Identity Verification
- Two-Person Code Review
- Branch Protection & Approval Rules
- Limited Maintainer Access
- Code Scanning
- SCA Scanning
Features to give you a secure and isolated build environment.
- Support for Scripted Builds from Code
- Secure & Isolated Build Environment
- Support for Hermetic Builds
Provenance & Signing
- Release Evidence Generation
- SBOM Generation
Features to safeguard underlying host infrastructure and validate if the executed binaries are genuine.
- Validation & Verification of Source Machine Identities
Continuous Workload Protection
- Workload Scanning
4. Management Process
Tools and processes to ensure software supply chain compliances are maintained. All the features under the Management Process are a part of GitLabs’ vision and are yet to be introduced.
5. Tool Security
Best practices to sort security of underlying tools.
- Threat Detection
With the majority of your codebase featuring open source dependencies, implementing measures to secure your software supply chain becomes crucial. Although rare, software supply chain risks are real and can cause significant damage to your revenue and reputation by opening up your software to a variety of attacks. The first step towards securing your software supply chain is patching these vulnerabilities. Enabling GitLab’s security functionalities can automate vulnerability management and secure your software.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.