CIS Benchmarks Software Supply Chain Guide

The need for continuous digital transformation is breaking all records with organisations crumbling under constant duress to deliver better, faster and more efficient applications.

Throw in the mix, consistent pressure for growth of customer base, recurring revenue, exceeding shareholder expectations and there is no margin left for human error or manual processes.

This unprecedented increase in demand for always on, always available services means organisations need to act with agility, scale their services on demand and constantly innovate to maintain a competitive advantage.

This has given birth to a DevSecOps culture (when development, security and operations teams combine) where applications, infrastructure and security solutions are delivered and deployed as code through Continuous Integration Continuous Delivery/Deployment (CICD) pipelines (similar to large automated factory assembly lines) in order to automate and minimise the manual processes whilst removing the human error factor.

It is this process and it’s dependencies that forms the software supply chain.

Example of a software supply chain.

The Problem: Software Supply chain Integrity is compromised.

As organisations automate their build and delivery processes they often look to the public cloud to feed their compute and storage needs due to the benefits and economies of scale.

This explosion in public cloud adoption which allows organisations to grow their technology footprint on demand also inadvertently increases their threat landscape. Due to the sheer scale, volume and complexity of the resources and services (call it moving parts of the machinery) involved, cloud has become the new battle ground for cyber warfare.

We now see extremely advanced and offensive tactics being used often by state sponsored actors for gaining a competitive edge or attack critical infrastructure.

Broken Trust

Exploiting the software supply chain is an attack tactic that has the most dramatic impact as it uses trusted parties as a medium for compromising their customer organisations.

In such an attack, threat actors infiltrate (often by exploiting misconfigured or vulnerable cloud resources) the software supply chain through a trusted entry point (trusted partner solution, credible open-source dependencies, base application images or packages etc;) thus gaining a foothold, giving them the ability to attack; at will, any organisation using the compromised solution down the line.

We have already seen attacks like these which have caused massive damage to brand reputation, revenue and existence of all organisations involved.

Here are a couple of memorable examples:

💥 SolarWinds supply chain attack:

In the SolarWinds attack, adversaries were able to compromise the supply chain and distribute trojanized updates (malicious software code updates appearing as credible updates) with backdoor access built-in to gain access and compromise the end user organisations of SolarWinds solution. Amongst the list were top Fortune 500 companies.

As these updates were distributed using a trusted channel (from the software vendor themselves) and were digitally signed for credibility, they were trusted and installed by organisations across the globe without hesitation, leaving them exposed without their knowledge.

💥 Codecov supply chain attack:

In the Codecov attack, adversary group were able to exploit a misconfiguration to gain access to sensitive data (credentials in this case) that was then used to update a single line of code hidden on line 525 in a approximately 2000 lines of code artifact hosted on Github.

Malicious code hidden on line 525 where it’s extremely hard to find.

This information would have been hard to find even if one knew it was there but the fact this was a malicious act, makes it as sinister as it gets.

Gaining access to the codecov supply chain allowed adversaries to ultimately gain access to the source code of all their customers, harvest further sensitive information and execute further attacks in a snowball effect.

Calling this a nightmare would be an understatement.

The Solution : Bring Integrity into the supply chain.

The only way to fix this problem is to bring back integrity into software supply chain through security guardrails and a zero trust model.

Build integrity into every part of the software supply chain through zero trust.

It is imperative that security controls are introduced to perform checks at every gate of the supply chain process to ensure integrity of the source code, the build pipeline, it’s components and dependencies, along with the deployment process and delivery artifacts.

This would cement the shift-left approach (so the issues are picked up as early as possible) but also ensure that any dependencies and third party components are not taken at face value rather put through a zero-trust model to ensure complete due-diligence is carried out.

Thought Leadership from Center of Internet Security (CIS) and Aqua Security

Software (application) development lifecycle (SDLC) processes have followed the wild-west approach where security has been an afterthought to speedy delivery and race to market, however the above mentioned supply chain attacks have more than highlighted the criticality and the need to ensure security is part of the design in the development and delivery process.

Unfortunately, until now there had not been any formal templates that provided a best practises framework for software supply chain security.

Aqua Security and CIS collaborate to publish industry’s first ever CIS Benchmarks for Supply Chain Security guide.

As leaders in the space, Center of Internet Security (CIS), in collaboration with Aqua Security (leading cloud native security vendor), have released a benchmarks guideline to serve as a framework for the security of software supply chain processes and toolset.

CIS Benchmarks are regarded as the undisputed standard for security best practices for Information technology industry, hence security experts across the globe recommend compliance with the CIS Benchmarks as a minimum baseline that every organisation must adhere to.

While CIS benchmarks are generally technology specific (e.g. CIS benchmarks for Docker, benchmarks for Kubernetes etc) this guide provides the structure needed to form future benchmarks and security controls specific to tools that make up the software supply chain (e.g. CIS Benchmark for GitHub).

This guide goes as far as defining a new framework along with security controls and guardrails that should be implemented to ensure integrity of the Software supply chain.

Currently the framework consists of 100+ recommendations organised into the following five main categories:

Security GatesSecurity Control Categories
1. Source Code– Code Changes
– Repository Management
– Contribution Access
– Third Party Access
– Code Risks
2. Build Pipeline– Build Pipeline
– Build Worker
– Pipeline Instructions
– Pipeline Integrity
3. Dependencies– Third Party packages
– Validate categories
4. Artifacts– Artifact Verification
– Access to Artifacts
– Package Registries
– Origin Traceability
5. Deployment– Deployment Configuration
– Deployment Environment

Chain-Bench from Aqua Security

Aqua Security has released an open-source solution called chain-bench to allow development teams to audit their supply chain stack for security compliance based on this new CIS Software Supply Chain benchmark.

Chain-bench from Aqua Security allows developers to check for supply chain security issues.

The tool focuses on the entire SDLC process, where it can reveal risks from code time into deploy time.

To win against hackers, protect sensitive data and customer trust; development teams can use chain-bench to ensure their code is compliant with their organisation’s policies and security best practices.

However, point solutions only target a small part of a much bigger security problem and do not scale in large environments.

Aqua Security – Platform Difference

Although Aqua Security is extremely popular amongst developers due to an extensive list of open source contributions like trivy, kube-bench, tfsec, chain-bench etc; but the true value of what Aqua has to offer must be witnessed through its fully integrated cloud security platform.

Aqua’s mission statement is to stop cloud native attacks, which can only be achieved when organisations go beyond simple Risk Management mindset (planning for only the known risks) to Real Runtime protection in order to stop advanced attacks through a solution powered by behavioural detection, Indicators of compromise (IOC) and response workflows based on real-world attack analysis.

Risk Management (GREEN) only targets the known risks Vs Runtime protection (RED) focuses on both known and unknown risk.

Aqua implements this vision by incorporating security by design into every aspect of the cloud footprint, giving customers an integrated platform that can not only visualise, detect and remove vulnerabilities, misconfigurations, malware alike from source and infrastructure but also correlate and mitigate associated risks (including unknown zero day threats) from running workloads in real time without causing business impact.

With Aqua platform, customers can Trust the integrity of their code, harden their infrastructure and STOP attacks by protecting workloads in runtime for complete 360 degree coverage.