A 'Golden Pipeline' To Secure The Supply Chain

Uploaded on 2023-03-23 in TECHNOLOGY--Resilience, FREE TO VIEW

Today’s business leaders need to address some key challenges as they forge ahead with digital transformation plans. On the one hand they need to press the fast forward button when it comes to developing software that offers a better or more specialised customer experience, so they can stay on the front foot where market leadership is concerned.

On the other, they need to ensure their software development cycles are robust and secure, because the stakes are high when it comes to supply chain vulnerabilities. 

A growing dependence on the open-source software ecosystem that sits at the heart of modern software development means that software supply chains are increasingly at risk of compromise. Indeed, last year saw a record breaking 742% jump in open source software supply chain attacks perpetrated by cybercriminals looking to exploit malicious code unwittingly introduced into commercial applications. 

To address this threat, organisations need to build immutability and security into their software development pipelines. Templating a ‘golden pipeline’ that will prove reliable time and time again.

Incorporating Security By Default

Under growing pressure to deliver software faster, developers are increasingly reliant on open-source code and other third-party components that enable them to build products and services more rapidly. The problem is this introduces potential vulnerabilities into development pipelines that will likely expose organisations to supply chain attacks.

As a result, building security into the development process has become a top priority for organisations looking to avoid the risk of a supply chain compromise.

This is no easy task when security teams are wrangling multiple tools to try and connect the dots and need to avoid compromising development flows at all costs. We’re seeing that regardless of multiple large investments in development and security tooling, companies still find themselves resorting to manual exports and correlation processes to attempt to extract valuable insights across the different tools. 

To overcome these issues, organisations should incorporate comprehensive and inter-related security testing and validation from the get-go and across their entire end-to-end application development and deployment process. 

The 'Golden Pipeline' Principles – Start Clean, Stay Clean & Store Approvals

By embedding and automating security and enforcement practices across the supply chain, organisations can create a ‘golden pipeline’ that ensures an application is validated at every stage of development. So, by the time it reaches production, it’s as clean as possible – and all known supply chain risks have been eliminated. 

Principle 1 - Start clean:   When it comes to building a golden pipeline, organisations should first aim to start ‘clean’ by integrating auto-triggered periodic scans into their source code management (SCM) system. Designed around a defined policy that triggers specific actions and responses, this will help assure the quality and integrity of existing components, keeping them up to date with a real-time updated vulnerability and risk database. 

Principle 2 - Stay clean:   Next, to ensure their pipelines ‘stay clean’ and are secure-by-default, every new pull request by a developer should activate an automated scan that generates a pass/warn/fail outcome. These results are then notified to developers via the SCM, together with any fix suggestions. 

Principle 3 - Store approvals:   At the build stage a definitive automated scan provides the final audit and seal of approval. If compliant, the component gets the green light and goes into production – accompanied by a detailed software bill of materials (SBOM) and security manifest that provides full visibility into all software components and dependencies. If yes, this is stored in a manageable pane with all other SBOMS, for clear and easy investigation whenever needed. If not, teams gain insights into next actions to take.

By incorporating robust policy-driven controls into the development pipeline, organisations are able to get instant feedback on supply chain risks.

This means vulnerabilities can be caught and fixed the moment they are introduced, and before they reach run time, a stage in the application’s lifecycle where the stakes (and the costs) are much higher.

Counting The Gains

Companies that commit to this golden pipeline reporting approach are able to achieve some significant returns on investment. Alongside protecting revenue streams from the risks arising from application breaches or compliance issues, they’ve benefited in a number of other key ways: 

  • Automating previously manual processes to streamline their programme orchestration and cut the time and cost associated with patching and remediation. 
  • Giving back valuable time and bandwidth to their security and development teams that can be used more productively on other projects. 
  • Consolidating and reducing the number of security tools they need to procure and use – generating further sizeable cost savings that go straight to the bottom line.

In addition to elevating the supply chain defence posture of the enterprise itself, implementing a golden pipeline enables organisations to develop and deploy applications faster. Generating efficiencies along the way that will make a lasting contribution to the long term sus

Nurit Bielorai is Go-To-Market Manager, Supply Chain Security at Aqua Security

You Might Also Read: 

Which CI/CD Tools Can Promote Supply Chain Security?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Cybersecurity Is No Longer The Sole Responsibility Of IT Specialists 
DoppelPaymer Hackers Caught »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Lockton

Lockton

Lockton is the world’s largest privately owned insurance brokerage firm. Commercial services include Cyber Risk insurance.

Wooxo

Wooxo

Wooxo provides business security and continuity solutions to protect business data for organisation of all sizes.

Intertek Group

Intertek Group

Intertek Group provides Assurance, Testing, Inspection and Certification services. Activities include cybersecurity testing and certification.

CyberTrap

CyberTrap

CyberTrap is an advanced highly-interactive deception technology allowing real-time analysis and control of security breaches.

InstaSafe Technologies

InstaSafe Technologies

InstaSafe®, a Software Defined Perimeter based (SDP) one-stop Secure Access Solution for On-Premise and Cloud Applications.

Lineal Services

Lineal Services

Lineal supports clients in meeting their digital forensics, cyber security and eDiscovery needs by providing bespoke solutions to complex problems.

Fingent

Fingent

Fingent develops strategic software solutions for businesses across the globe in areas including Network Security, Infrastructure Security, Application Security, Risk and Compliance.

101 Blockchains

101 Blockchains

101 Blockchains is a professional and trusted provider of enterprise blockchain research and training.

Fend

Fend

Fend secures smart infrastructure. We provide a robust, highly secure way to have situational awareness of IoT enabled assets.

Ridge Global

Ridge Global

Ridge Global works with C-suite executives and corporate directors to build more resilient organizations through innovative preparedness, protection, response and education capabilities.

Conference on Applied Machine Learning in Information Security (CAMLIS)

Conference on Applied Machine Learning in Information Security (CAMLIS)

CAMLIS is a venue for discussing applied research on machine learning, deep learning and data science in information security.

OwnBackup

OwnBackup

OwnBackup proactively prevents you from losing mission-critical data and metadata with automated backups and rapid, stress-free recovery.

TokenEx

TokenEx

TokenEx Cloud Security Platform protects sensitive data to strengthen our clients' security postures while future-proofing their operations.

Radiance Technologies

Radiance Technologies

Radiance solutions provide technological advantage and operational superiority for our nation in the areas of intelligence, cyber and advanced weapon systems.

Eleviant Tech (CTG Group)

Eleviant Tech (CTG Group)

Eleviant Tech (CTG Group) is a USA based digital transformation company with expertise in Mobile, Cloud, Web, IoT, AR, RPA, Cyberseurity and AI Technologies.

CardinalOps

CardinalOps

The CardinalOps platform continuously assesses your detection posture and eliminates coverage gaps in your existing detection stack so you can easily implement a threat-informed defense.