Tip

Top 4 source code security best practices

Software supply chain attacks are on the rise. Follow these source code best practices to protect both in-house and third-party code.

Software supply chain attacks, such as SolarWinds and NotPetya, have made headlines in recent years. In such attacks, a vendor's source code is compromised and used against the vendor's customers.

The chances an organization is hit by one of these attacks is skyrocketing. Software supply chain attacks increased by 430% in 2020 and 650% in 2021, according to Sonatype Inc.

To mitigate software supply chain attacks and prevent compromise and bad publicity, it is important to follow key source code security best practices for code written by both in-house developers and third parties.

1. Acquire secure external source code

Verify the legitimacy of all source code acquired from third parties, whether for internal use or if planning to bundle it with products or services. Only download source code from authoritative websites and use integrity-checking measures, such as verifying cryptographic hashes. Rely on automation to avoid human error, such as typing a URL incorrectly or forgetting to compare cryptographic hash values.

2. Protect source code access and storage

Store source code in well-secured code repositories. Only grant the necessary permissions to people, applications and services, and be especially careful about permissions to enable source code modifications. Authenticate each repository user with modify permissions -- human or not -- and configure repositories to keep audit logs of all changes. Require developers to store all third-party source code in the code repositories.

3. Analyze source code

Whether you write or acquire your source code, use static analysis tools to scan for vulnerabilities and malicious code. Don't just scan the code when it gets acquired. Have tools that scan frequently, if not continuously. While tools can do most of the work, people should review and investigate what the tools find. Ensure your incident response plans and processes are prepared to handle the discovery of malicious code.

Source code security is only one aspect of secure software development. Check out secure software development resources from NIST, SAFECode and BSA that recommend security practices throughout the entire software development lifecycle.

4. Identify source code components

The security and software development communities increasingly recognize the importance of knowing what source code components are in the software used and acquired by enterprises. Be on the lookout for announcements about new vulnerabilities in these components. Knowing about these vulnerabilities will help security teams mitigate new threats more quickly.

Source code is increasingly coming with a software bill of materials, which lists its components. Alternatively, security teams could employ tools for source code composition analysis to help identify any third-party components in use.

Dig Deeper on Application and platform security