CIS Software Supply Chain Security Guide: Beginner’s Handbook

When it comes to software supply chain security, there are a lot of different concepts you have to wrap your head around. However, one thing is for sure; software supply chain attacks have become a dire threat to modern companies. You might have heard of at least one software supply chain attack, even if you didn’t particularly pay attention. One of the most notorious ones, for example, was the Log4j attack, which had a tremendous footprint across companies globally.

In fact, per Gartner’s research, 45% of organizations would have gone through a software supply chain attack by 2025.

While software supply chain attacks are a topic for another day, this article will focus on the SOLUTION perspective instead. CIS (Center for Internet Security), in partnership with Aqua Security, provides a well-structured and free guide for any organization that aims to secure its software supply chain. We’ll walk you through the basics of this Guide, but first, let’s clearly understand what software supply chain security is.

Software supply chain security definition

Defining the software supply chain is the first step to understanding how to secure it. The software supply chain refers to everything involved in the development of an application throughout the entire software development life cycle (SDLC). 

You might also like The Idea Behind DevSecOps.

Why is it important?

Through software supply chain security, organizations can secure the practices, activities, and components involved in software creation, development, and deployment. This has a wide spectrum ranging from development tools, developer activities, deployment infrastructure and methods, and interfaces to third-party and proprietary software code.

software supply chain example

Organizations are responsible for thoroughly securing their software supply chain and providing secure systems to their customers. That’s why a guide like CIS Software Supply Chain Guide is of utmost value. It sets an industry standard for software supply chain security, making it more structured and accessible for any organization looking to deploy software on secure grounds. 

Now that we’ve laid the foundation let’s take a closer look at the Guide.

What is CIS Software Supply Chain Security Guide?

The CIS Software Supply Chain Security Guide was created in partnership with Aqua Security through a consensus review process with global community experts. The Guide is free to download from the CIS website. It outlines the phases of the software supply chain from the time the contributor adds code until the application is delivered to the customer, as shown in the chart below.

With over 100 recommendations, the Guide currently covers five main categories; source code, build pipelines, dependencies, artifacts, and deployment. It’s essential to note that this guide is intended to be generic rather than a platform-wise specific benchmark like CIS Benchmark for Google Cloud Platform.

Who is it for?

The CIS Software Supply Chain Security Guide aims to provide guidance for those who develop, deploy, assess, or secure software updates through automated DevOps pipelines, including DevOps and application security administrators, security specialists, auditors, help desk personnel, and platform deployment personnel.

  • DevOps
  • Security specialists
  • Auditors
  • Help desk personnel
  • Platform deployment personnel
  • Application security administrators

Interested in security frameworks and compliance standards? Check out our free compliance frameworks guide.

5 main categories of CIS Software Supply Chain Security Guide

CIS software supply chain security benchmark categories

1. Source Code

The first category, Source Code, covers security recommendations for organizations to properly manage their source code when developing an application. 

As the source code forms the basis for the entire software supply chain, organizations must protect it from the code itself. It includes misconfigurations, vulnerabilities, sensitive information it consists of, and the platform it is stored on.

Below are the sub-sections for the secure source code management in the software supply chain and rule examples for each to comply with:

Code changes

  • Ensure any changes to code are tracked in a version control platform.

Repository management

  • Ensure all public repositories contain a SECURItY.md file.

Contribution access

  • Ensure inactive users are reviewed and removed periodically.

Third-party

  • Ensure administrator approval is required for every installed application.

Code risks

  • Ensure scanners are in place to identify and prevent sensitive data in code.

2. Build Pipelines

The second category or phase of the software supply chain consists of recommendations for organizations to manage and secure their pipeline components. 

A build pipeline is used to generate Artifacts from the source code. It includes a set of instructions focusing on taking the raw files of source code and running a series of tasks on them to produce some final output, the environment in which they run, their management, execution, and more.

On a side note, this second phase is growingly targeted at supply chain attacks such as the Codecov attack. Therefore, it’s vital to ensure its security.

Build environment

  • Ensure each pipeline has a single responsibility.

Build worker

  • Ensure build workers are single-used. 

Pipeline instructions

  • Ensure all build steps are defined as code.

Pipeline integrity

  • Ensure all artifacts on all releases are signed.

3. Dependencies

The third category addresses the secure management of dependencies which are a huge part of the software build and release process.

A dependency in software development is additional code, code library, or package that is reused in new pieces of software. It helps developers avoid repeating work that is already done and quickly deliver software. Dependencies make up a large portion of the software supply chain since they are comprised of anything that enters the application code or is used by the build pipelines.

The thing is, dependencies are often written by third-party developers, which puts them in a vulnerable position against cyber attacks. An example can be the log4j attack.

Third-party packages

  • Ensure third-party artifacts and open-source libraries are verified.

Validate packages

  • Ensure an organization-wide dependency usage policy is enforced.

Suggested reading: What is Shadow IT and How to Reduce It.

4. Artifacts

The fourth category covers security recommendations for managing artifacts produced by build pipelines and the ones used by the application in the build process.

Artifacts are a kind of byproduct of software development. They are created during development and can be anything from databases, data models, and printed documents to scripts. Artifacts are stored in package registries and need to be secured right from the moment they are created up to the deployment.

Verification

  • Ensure all artifacts are signed by the build pipeline itself.

Access to artifacts

  • Ensure factor authorization to certify certain artifacts is limited.

Package registries

  • Ensure all signed artifacts are validated upon uploading the package registry.

Origin traceability

  • Ensure artifacts contain information about their origin.

5. Deployment

The last software supply chain category is Deployment, which provides security recommendations for organizations that want to secure their management of the application deployment process as well as the configurations, and files that come along the process.

Deployment configuration

  • Ensure deployment configuration files are separated from the source code.

Deployment environment

  • Ensure deployments are automated.

Automating software supply chain security compliance process

The most important thing to keep in mind is that security is an ongoing process. It’s not something you can check off your list and be done with. You must constantly stay on top of it, make improvements when needed, and always watch out for new vulnerabilities that might impact your organization.

That’s why automation is necessary for compliance, and software supply chain security is no exception. As a continuous visibility, security, and compliance solution for cloud services and SaaS applications, Resmo helps organizations automatically and continuously assess their compliance with the CIS Software Supply Chain Security Guide.

How you can benefit

  • Automatically evaluate your GitHub security based on the CIS Software Supply Chain Security Guide.
  • See your compliance score.
  • Monitor activities such as a change in a rule’s status, the reason behind the change, the time of change, and more in real-time.
  • Export your results in HTML or PDF format to use them as compliance evidence.

You can create your Resmo account for free and see how secure your software supply chain is. No strings attached! If you’ve enjoyed this article, feel free to share it with your friends. 

Continue Reading