Improving Security Across the Software Supply Chain

Author: ISACA Now
Date Published: 15 June 2022

Today’s software development needs to take a comprehensive approach to be secure. Security needs to be considered at every step of the software supply chain.

“Anything you consider safe could be under threat,” said Nuno Seixas, chief operating officer of GBH, a technology consulting company. “We need to evolve all different security strategies to address different parts of the pipeline.” Seixas spoke last month at the ISACA Conference North America 2022 about streamlining supply chain security.

Why should you care? Because software supply chain risks have increased. Attacks like the one that compromised the SolarWinds Orion software supply chain emphasize how big the problem can get. Also, the software supply chain has increased in both the number and complexity of components (e.g., infrastructure, code base, dependencies, build tools, data, models), and each of these components is now a possible attack vector.

Seixas said Capability Maturity Model Integration (CMMI), a process-level improvement training and appraisal program, can help organizations improve security across the software supply chain by following basic concepts, such as configuration management, sustainable processes and practices, and monitoring and taking corrective actions.

Organizations face a litany of security challenges in their software supply chain. Seixas outlined examples of these challenges and how CMMI could help:

The challenge: Security must be understood as an organizational need and upheld by everyone.

CMMI Practice Area: Governance (GOV 2.1)

In other words: Security should have a holistic approach, starting from a top-down strategy definition and then bottom-up for implementation. The whole organization needs to see security as an important driver for all business initiatives.

CMMI Practice Area: Implementation Infrastructure (II 2.2)

In other words: Update all meaningful processes, not just engineering ones. Security needs to be integrated in every step of the software development lifecycle.

The challenge: Apply security to the whole supply chain, not just to production environments.

CMMI Practice Area: Enabling Security (ESEC 3.2)

In other words: The security approach needs to span the whole supply chain, integrating the different needs of its different pieces. Each component in the supply chain needs to be analyzed and addressed as a possible attack vector.

CMMI Practice Area: Configuration Management (CM 2.2)

In other words: CM needs to be extended to ensure integrity for the whole supply chain. Every supply chain component needs to be part of the configuration management system, with its integrity defined and monitored, without exception. A complete configuration baseline needs to integrate all these different components.
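As an added illustration of what "a complete configuration baseline" for the components listed earlier (infrastructure, code base, dependencies, build tools, data, models) can look like in practice, the following Python example records a hash for every component and reports any drift. This is example code written for this article, not from ISACA, the speaker, or the CMMI model; the component paths and contents are constructed sample values, and the `build_baseline`, `verify_baseline` and `baseline_from_directory` names are this example's own.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict, List

# Constructed sample: one entry for each kind of supply chain component the
# article names. Paths and contents are hypothetical placeholders.
SAMPLE_COMPONENTS: Dict[str, bytes] = {
    "infrastructure/terraform/main.tf": b'resource "aws_s3_bucket" "artifacts" {}\n',
    "src/app.py": b"def main():\n    return 0\n",
    "requirements.txt": b"requests==2.31.0\n",
    "tools/build.sh": b"#!/bin/sh\npython -m build\n",
    "data/training.csv": b"id,label\n1,0\n",
    "models/classifier.bin": b"\x00\x01\x02\x03",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the integrity record for one component."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(components: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every component, without exception, into a sorted baseline."""
    return {name: sha256_hex(content) for name, content in sorted(components.items())}


def baseline_from_directory(root: Path) -> Dict[str, str]:
    """Build the same baseline from a real directory tree (every regular file)."""
    components = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            components[path.relative_to(root).as_posix()] = path.read_bytes()
    return build_baseline(components)


def verify_baseline(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, object]:
    """Compare the current state with the baseline.

    Returns the components that appeared, disappeared, or changed since the
    baseline was taken; 'ok' is True only when all three lists are empty.
    """
    now = build_baseline(current)
    added: List[str] = sorted(set(now) - set(baseline))
    removed: List[str] = sorted(set(baseline) - set(now))
    modified: List[str] = sorted(
        name for name in baseline.keys() & now.keys() if baseline[name] != now[name]
    )
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "ok": not (added or removed or modified),
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    """Persist the baseline; in practice this file is itself a controlled artifact."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo_drift() -> Dict[str, object]:
    """Constructed scenario: a dependency pin changed and an unexpected file appeared."""
    baseline = build_baseline(SAMPLE_COMPONENTS)
    drifted = dict(SAMPLE_COMPONENTS)
    drifted["requirements.txt"] = b"requests==2.31.1\n"  # hypothetical changed pin
    drifted["vendor/helper.py"] = b"x = 1\n"  # hypothetical file not in the baseline
    return verify_baseline(baseline, drifted)


if __name__ == "__main__":
    clean = verify_baseline(build_baseline(SAMPLE_COMPONENTS), SAMPLE_COMPONENTS)
    print("clean check:", clean)
    print("drift check:", demo_drift())
```

The report is what a monitoring step would act on: an `added` entry means a component entered the pipeline outside configuration management, and a `modified` entry means an existing component (here a dependency pin) no longer matches its baseline. Because every component kind is hashed the same way, a change to a model file or a Terraform file is surfaced with the same check as a change to source code.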

The challenge: Think of security as by design (security shift left).

CMMI Practice Area: Enabling Security (ESEC 3.1)

In other words: There needs to be a capability in place to analyze security needs and translate them into requirements and design solutions.

CMMI Practice Area: Technical Solutions (TS 3.4)

In other words: Security needs to be considered an important criterion in every critical design decision. Technical solutions also need to be defined based on security requirements. Security needs to stop being only an afterthought.

The challenge: Plan and monitor security efforts.

CMMI Practice Area: Planning (PLAN 3.3)

In other words: Security drivers and stakeholders become a critical dependency for everyone and need to be addressed explicitly.

CMMI Practice Area: Managing Security Threats and Vulnerabilities (MST 2.4)

In other words: Constantly evaluate what is working and what new measures need to be put in place as the threat landscape changes.

The challenge: Spread security knowledge across the organization, not just the security team.

CMMI Practice Area: Organizational Training (OT 3.4)

In other words: Develop an awareness of security with everyone; it needs to be a focus for every team member.

CMMI Practice Area: Governance (GOV 3.2)

In other words: Executives need to make sure everyone in the company is involved and focused on security.

The challenge: Treat security events as learning events.

CMMI Practice Area: Managing Security Threats and Vulnerabilities (MST 3.2)

In other words: Practices need to adapt to new threats and vulnerabilities constantly.

CMMI Practice Area: Managing Security Threats and Vulnerabilities (MST 3.3)

In other words: The security system needs to be monitored constantly, and teams need to learn in a fast-paced environment.

In the end, it’s important for organizations to recognize that vulnerabilities are constantly changing and can exist across the entire supply chain, Seixas said. Security needs to be part of day-to-day operations and everyone’s responsibility for it to be effective.