The recent SolarWinds supply chain attack has made software teams question the security of software development, deployment, and its use. The rapid shift to remote and hybrid work models has resulted in widespread cloud technology adoption across all sectors. Organizations must now consider the vulnerabilities and risks they will be exposed to. In this article at InfoQ, Jonathan Hunt explains how DevSecOps helps secure your supply chain in a multi-cloud threatscape.
Importance of DevSecOps
According to studies,
- The attacks on software supply chains increased by 430% in 2020.
- Nearly 47% of companies found out about open-source supply chain vulnerabilities only after a week.
- 11% of open-source application components have at least one known security vulnerability.
Security is something that no organization wants to compromise on. With DevSecOps, enterprises can better protect themselves. Additionally, companies must also practice good cyber hygiene and strengthen their risk management strategies with third-party vendors. Furthermore, a strong DevSecOps practice creates a barrier against supply chain attacks and offers proactive approaches to avoiding potential threats.
Securing Supply Chain With DevSecOps
Think Beyond Software Applications
DevSecOps must think beyond the user interface and product features. It must focus on:
- Developing a comprehensive security strategy—including information about the security tools to address all the activities involved in the software supply chain
- Crafting a threat-defense model by getting a holistic view of suspicious user activities, policy violations, and organizational data-related risks
Focus on Sourcing
The DevSecOps teams must:
- Check for compromised software-building tools
- Identify if there is any pre-installed malware in components
- Look for digital signatures
Follow the Best Practices
The DevSecOps team must follow the best practices of software coding and quality assurance. They must:
- Persistently update infrastructure
- Introduce secure API gateways
- Run automated tests and dependency checks at every stage
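One concrete form of the "dependency checks at every stage" and "look for digital signatures" advice above is a gate that refuses any fetched artifact that is not pinned in the lock file or whose hash does not match the pin. The following is an added example, not code from the InfoQ article: the lock file and artifact bytes are constructed here, and the lock format imitates pip's `--hash=sha256:` pinning syntax.

```python
import hashlib
import re

# Constructed artifact bytes standing in for downloaded packages (not real wheels).
GOOD_REQUESTS = b"constructed wheel bytes: requests 2.31.0"
TAMPERED_REQUESTS = b"constructed wheel bytes: requests 2.31.0 + injected code"
URLLIB3 = b"constructed wheel bytes: urllib3 2.0.7"

# Constructed lock file; urllib3 is deliberately left without a hash pin.
LOCKFILE = (
    f"requests==2.31.0 --hash=sha256:{hashlib.sha256(GOOD_REQUESTS).hexdigest()}\n"
    "urllib3==2.0.7\n"
)

# name==version followed by zero or more --hash=sha256:<64 hex chars> options
LINE_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$")


def parse_lockfile(text: str) -> dict:
    """Return {name: (version, {allowed sha256 digests})}; no hash -> empty set."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable lock line: {line!r}")  # fail closed
        name, version, hashes = m.groups()
        pins[name.lower()] = (version, set(re.findall(r"sha256:([0-9a-f]{64})", hashes)))
    return pins


def check_artifacts(lockfile: str, artifacts: dict) -> dict:
    """Classify each fetched artifact: ok, hash-mismatch, unpinned, or not-in-lockfile."""
    pins = parse_lockfile(lockfile)
    report = {}
    for name, data in artifacts.items():
        entry = pins.get(name.lower())
        if entry is None:
            report[name] = "not-in-lockfile"   # something pulled in that nobody reviewed
        elif not entry[1]:
            report[name] = "unpinned"          # version pinned, content not verified
        elif hashlib.sha256(data).hexdigest() in entry[1]:
            report[name] = "ok"
        else:
            report[name] = "hash-mismatch"     # content differs from what was reviewed
    return report


def build_allowed(report: dict) -> bool:
    """Gate decision: every artifact must be pinned and match, otherwise the stage fails."""
    return bool(report) and all(status == "ok" for status in report.values())
```

Run `check_artifacts(LOCKFILE, {...})` in CI after the fetch step and fail the stage when `build_allowed` returns False; a real pipeline would additionally verify publisher signatures, which hashes alone do not cover.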
To read the original article, click on https://www.infoq.com/articles/devsecops-supply-chain/.