Software supply chain attacks, such as SolarWinds and NotPetya, have made headlines in recent years. In such attacks, a vendor's source code is compromised and used against the vendor's customers.
The chances an organization is hit by one of these attacks is skyrocketing. Software supply chain attacks increased by 430% in 2020 and 650% in 2021, according to Sonatype Inc.
To mitigate software supply chain attacks and prevent compromise and bad publicity, it is important to follow key source code security best practices for code written by both in-house developers and third parties.
1. Acquire secure external source code
Verify the legitimacy of all source code acquired from third parties, whether for internal use or if planning to bundle it with products or services. Only download source code from authoritative websites and use integrity-checking measures, such as verifying cryptographic hashes. Rely on automation to avoid human error, such as typing a URL incorrectly or forgetting to compare cryptographic hash values.
2. Protect source code access and storage
Store source code in well-secured code repositories. Only grant the necessary permissions to people, applications and services, and be especially careful about permissions to enable source code modifications. Authenticate each repository user with modify permissions -- human or not -- and configure repositories to keep audit logs of all changes. Require developers to store all third-party source code in the code repositories.
3. Analyze source code
Whether you write or acquire your source code, use static analysis tools to scan for vulnerabilities and malicious code. Don't just scan the code when it gets acquired. Have tools that scan frequently, if not continuously. While tools can do most of the work, people should review and investigate what the tools find. Ensure your incident response plans and processes are prepared to handle the discovery of malicious code.
4. Identify source code components
The security and software development communities increasingly recognize the importance of knowing what source code components are in the software used and acquired by enterprises. Be on the lookout for announcements about new vulnerabilities in these components. Knowing about these vulnerabilities will help security teams mitigate new threats more quickly.
Source code is increasingly coming with a software bill of materials, which lists its components. Alternatively, security teams could employ tools for source code composition analysis to help identify any third-party components in use.