SolarWinds, GitHub Leaks and Securing the Software Supply Chain

Written by BluBracket

The massive cybersecurity breach from SolarWinds by now has reached everyone in our industry’s attention. It’s a truly wide-spread and dangerous breach that, at least from what we know now, is an example of two trends in cybersecurity that frankly need more attention by any company writing code.

1. Code as an attack vector.
2. The need to secure the software supply chain.

While there are many complex mechanisms involved with this incident, let’s look at what companies should be doing today in these two areas to hopefully prevent these types of breaches in the future.

1.Code as an attack vector.

Turns out this may have started with a secret exposed in GitHub.

GitHub has become a fertile hunting ground for hackers. With the credential for their FTP server found in code, it may have been a way for the hackers to infiltrate and upload the malicious files. From these reports, it sounds as if a common GitHub misconfiguration was to blame (marking a repo public when it shouldn’t be) and then hardcoding secrets into the code. Both are very common. So common, we have an early release of our Community Edition which allows anyone to find secrets in code quickly and easily, and for free.
Git security is no different than cloud security, where the majority of security vulnerabilities are due to misconfigurations.

1.The need to secure the software supply chain.

Besides secrets, code is of course an attack vector when malicious code is inserted into the supply. This can be done through open source or in this case by accessing repositories or update mechanisms and injecting lookalike code.

As more code drives production infrastructure, the need to understand who has access to repositories and what exactly is in them becomes ever more critical. Tampering with the repositories themselves becomes a major threat to every company writing code, which today is virtually everyone. A focus on code integrity is a must.

Every company needs to have a complete and detailed BoM and chain of custody of their software. This obviously isn’t just around open source risk. As was the case with SolarWinds, inserting malware upstream that goes undetected is a devastating tactic. Given the nested nature of applications today and how code is driving software production, code integrity is not an easy task to solve, but investing in code insight and integrity tools has become a must-have for any company serious about security.

We recently participated in a panel discussion on securing the software supply chain with Jim Zemlin, executive director of the Linux Foundation and Aparna Sinha, director of product at Google Cloud. In this clip, Jim talks about the need for software composition analysis and developer ID attestation:

Here’s a quick checklist on securing your code:

• Run a secrets calling tool on all code repositories that includes active monitoring.
• Develop a robust code composition analysis strategy with detailed BOMs and chain of custody for your code.
• Search for your code in public Git repositories. If your code ever had secrets, finding one example means there are many more out there.
• Invest in tools to monitor code integrity and Git misconfigurations.
• Create a “shift left” culture in your organization where everyone is responsible for security throughout the organization and arm your developers with lightweight tools they can use to keep code safe.

We think undoubtedly this breach will bring new attention to code security, specifically around software integrity. As more sensitive information finds its way to code, there will be new emphasis on access and active monitoring. The key will be taming the security risks without slowing down the pace or innovation.

If you’d like a consultation on secrets, Git misconfigurations or software integrity, please contact us and we will help in any way we can.