Software supply chain cybersecurity. The term has become a watchword for federal agency technology and security people. They have increasing awareness of the dangers lurking in the components of the commercial software they buy and use. That, coupled with specific policy requirements in the administration’s Executive Order 14028, has made ensuring the safety of the software supply chain a top concern.
Ever-increasing use of commercial cloud computing lengthens the supply chain by adding software as a service options and utility services from cloud providers to help agencies manage their own applications hosted in the cloud.
“Cloud gives us a lot of opportunity — the scalability and, of course, the speed,” said Brandon Gulla, vice president and chief technology officer at Rancher Government Solutions, a value-added Kubernetes distributor. Until now, security sometimes came in as a third factor, he said. “Now, security is properly coming into the consideration more than ever.”
Evolution of DevSecOps and SCRM
Both software providers and in-house development teams increasingly incorporate safe practices at the coding level, during the scrum cycles in development, security and operations (DevSecOps) processes. That’s a critical piece of addressing software supply chain risk management (SCRM).
“Unfortunately, we’ve seen our adversaries and attackers do the same thing. And while they are fortifying their attack methodologies, they’re also shifting left toward the actual creation supply chain of the software,” Gulla said.
Therefore, agencies should ask suppliers for all the binary assets needed for observability of the innards in a software component, he advised. “It’s up to us as a software vendor — and to software vendors around the world — to make that information available to end customers and users alike.”
Rancher Chief Architect Adam Toy added that the company practices what it preaches. Rancher has developed Carbide, a service that provides SCRM for Rancher software components.
“We’ve built out an entire software pipeline to provide security images, not only for the Carbide stack itself but the entire supporting Rancher product portfolio,” Toy said. “What these pipelines are doing is scanning each individual image of each one of those products to produce a software bill of materials, as well as vulnerability assessments.”
SBOMs, matched against vulnerability assessments and digitally signed, yield the required observability into the provenance of software, such as who built it and the integrity of how it was scanned, he said. In short, the SBOM provides the details about whether a piece of software is safe for use.
Moving toward iterative security
SBOMs and assessments require continual updating because software is continually patched, gains new functions and acquires new vulnerabilities, Gulla said. Connecting an application to a new database can result in new dependencies, which can in turn produce new vulnerabilities. Therefore, he recommended that security teams in government need to focus on SBOMs not just when they are received but also to consider what happens on Day 2 and beyond.
“In reality, security is iterative and layered in every step of the journey,” Gulla said. This means an IT organization must ensure that security built in initially doesn’t get left behind.
“Many software packages have hundreds or thousands of dependencies,” he said. “They’re layered, much like the infrastructure that we see today. Operating systems, Kubernetes environments or container runtimes, the applications on top of that: you have to have an inheritable security model all the way up and down the stack.”
In response, Rancher developed called Stigatron, a capability derived from the Defense Information Systems Agency Secure Technical Implementation Strategy (STIG). Rancher has a DISA STIG for its Kubernetes product.
Toy described Stigatron as a tool within Carbide to automate real-time scans and analysis of Rancher’s RKE2 Kubernetes Cluster. It’s designed “to ensure that RKE2 is always within those compliance guidelines of the STIG.” Stigatron also gives administrators feedback on what to do if a cluster falls out of compliance. It also can export scan results for use in third-party assessment systems and by assessor organizations, Toy said.
Gulla added, “We’ve built Stigatron to interface with the existing corporate infrastructure and scanning capabilities that are already in production and accredited by these organizations.” He said Rancher took open source approach because it doesn’t want to be anyone’s exclusive security partner.