
Security around building and deploying applications is more critical than ever. It is just as important to understand what the applications your developers build are made of and where each piece came from. That is the mentality behind a trusted software supply chain: code, build and monitor applications on proven platforms, and pull artifacts only from sources you can verify. One of the foundations of this approach is the Software Bill of Materials (SBOM).

What is an SBOM?

A Software Bill of Materials is a machine-readable inventory of the components that make up a piece of software, nested to reflect which components contain or depend on others. The two widely used formats are SPDX and CycloneDX. Because every entry carries both an identity and a checksum, the inventory can be used to confirm that the components actually present in an application are the ones that were expected, from the origins that were expected. At a minimum an SBOM records, for each component, its name, version, license information, origin/source (typically a package URL or repository), dependencies, and a hash/checksum of the artifact.

A restaurant makes a useful analogy. The base ingredients of a dish correspond to the libraries and other dependencies an application has. When the chef (developer) knows where an ingredient came from (origin/source) and when it was picked (version), it is much easier to tell whether an ingredient has spoiled (is vulnerable) and keep it out of the soup (application), protecting the diners (users) and the restaurant (organization) from health code violations (exploits, intrusions, loss of data).

This information can help lower the risk of a supply chain attack.
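The following is an added example, not code from the original post or from any Red Hat tool. It builds a minimal CycloneDX-style SBOM carrying the fields listed above (name, version, license, origin as a package URL, dependencies, SHA-256 hash) from a set of constructed artifacts, lists the inventory, and then verifies the artifacts actually present against the hashes the SBOM recorded. The package names, versions and artifact bytes are made up for the example; the point it makes is that name and version alone cannot tell a tampered artifact from a genuine one, whereas the recorded hash can.

```python
import hashlib
import json

# Constructed stand-ins for the package files an SBOM generator would scan;
# the bytes, names and versions are made up for this example.
ARTIFACTS = {
    "pkg:generic/http-client@3.1.0": b"constructed contents of http-client-3.1.0.tar.gz",
    "pkg:generic/json-parser@2.4.0": b"constructed contents of json-parser-2.4.0.tar.gz",
}

# Metadata recorded alongside each artifact (constructed).
METADATA = {
    "pkg:generic/http-client@3.1.0": {"name": "http-client", "version": "3.1.0", "license": "Apache-2.0"},
    "pkg:generic/json-parser@2.4.0": {"name": "json-parser", "version": "2.4.0", "license": "MIT"},
}

# Direct dependency edges between the components (constructed).
DEPENDENCIES = {
    "pkg:generic/http-client@3.1.0": ["pkg:generic/json-parser@2.4.0"],
    "pkg:generic/json-parser@2.4.0": [],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts, metadata, dependencies):
    """Serialize a minimal CycloneDX-style SBOM with the six fields the text lists."""
    components = []
    for ref, data in artifacts.items():
        meta = metadata[ref]
        components.append({
            "type": "library",
            "bom-ref": ref,
            "name": meta["name"],        # component name
            "version": meta["version"],  # version
            "purl": ref,                 # origin/source as a package URL
            "licenses": [{"license": {"id": meta["license"]}}],
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": components,
        "dependencies": [{"ref": ref, "dependsOn": deps} for ref, deps in dependencies.items()],
    }
    return json.dumps(bom, indent=2)


def inventory(sbom_json):
    """Return (name, version, licenses, purl) for every component in the SBOM."""
    out = []
    for c in json.loads(sbom_json)["components"]:
        licenses = [entry["license"]["id"] for entry in c.get("licenses", [])]
        out.append((c["name"], c["version"], ",".join(licenses), c.get("purl", "")))
    return out


def verify_sbom(sbom_json, artifacts):
    """Compare each recorded SHA-256 with the artifact actually present.

    Returns a list of (bom-ref, problem) tuples; an empty list means every
    listed component is present and matches the hash the SBOM recorded.
    """
    problems = []
    for c in json.loads(sbom_json)["components"]:
        ref = c["bom-ref"]
        recorded = {h["alg"]: h["content"] for h in c.get("hashes", [])}
        if "SHA-256" not in recorded:
            problems.append((ref, "no-sha256-hash"))
            continue
        data = artifacts.get(ref)
        if data is None:
            problems.append((ref, "missing-artifact"))
        elif sha256_hex(data) != recorded["SHA-256"]:
            problems.append((ref, "hash-mismatch"))
    return problems


if __name__ == "__main__":
    sbom = build_sbom(ARTIFACTS, METADATA, DEPENDENCIES)
    print(sbom)
    print("inventory:", inventory(sbom))
    # Same name and version as the genuine artifact, different bytes.
    tampered = dict(ARTIFACTS)
    tampered["pkg:generic/json-parser@2.4.0"] = b"same name and version, different contents"
    print("problems:", verify_sbom(sbom, tampered))
```

In practice the SBOM is produced by a generator such as Syft at build time and the verification step runs wherever the artifact is consumed (a deploy pipeline, an admission controller); the check is only as trustworthy as the channel that delivered the SBOM, so sign the SBOM itself as well as the artifacts it describes.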

What is a supply chain attack?

A supply chain attack is a cyberattack that targets the interconnected set of resources and processes involved in producing and distributing a product. Instead of attacking the target organization directly, the attacker compromises a third-party vendor, service provider or upstream component within the supply chain, and then exploits the trust and access that the compromised supplier already has with the target organization.

Supply chain attacks can take various forms, and often involve malicious code or hardware being inserted into the products or services being supplied. These attacks could include malware embedded in software updates, malicious components added to hardware, or other methods to compromise the integrity of the supply chain.

One example of such an attack came to light in December 2020. The attackers injected a malicious backdoor, known as Sunburst, into the build of SolarWinds' Orion network management and monitoring platform, so that it shipped inside signed, legitimate-looking software updates. The primary targets were the platform's customers, which included numerous government agencies and large corporations; the attackers gained access to those organizations' networks by exploiting the trust placed in the vendor's updates. It is worth being precise about what SBOMs and Vulnerability Exploitability eXchange (VEX) documents would and would not have done here. Because the backdoor was inserted into the vendor's own component during its build, an SBOM produced from that build would have listed a legitimate-looking component, not a known-bad one; an SBOM by itself does not detect a backdoor. What SBOMs and VEX provide is speed once a compromise becomes known: an organization with SBOMs for its deployed software can immediately answer which systems contain the affected version, and VEX statements let the supplier say whether a given product is actually affected, so response can begin in minutes rather than after days of manual discovery.

In Red Hat's State of Kubernetes security report for 2023, more than half of the respondents indicated that they had experienced a software supply chain issue related to cloud-native and containerized development in the preceding 12 months.

The software supply chain is under real threat, so what can we do about it?

Red Hat Trusted Profile Analyzer

Red Hat has consistently been mindful of security, and as cloud-native technologies become more prevalent we continue to focus on giving customers ways to make their workloads more secure. Red Hat Trusted Profile Analyzer is now in tech preview. Built on the open source projects Syft (which generates SBOMs from container images and file systems) and GUAC (Graph for Understanding Artifact Composition, which ingests SBOMs and related metadata into a queryable dependency graph), Trusted Profile Analyzer is designed to let Red Hat customers track their software components across the build and deployment of their applications (Figure 1).

Figure 1: Red Hat Trusted Profile Analyzer.

With Red Hat Trusted Profile Analyzer, you get actionable insight into all of your software assets, so that security professionals can manage the risk profile of an application's direct and transitive dependencies, track exploitable vulnerabilities, measure the potential blast radius of a threat (every application that contains an affected component, directly or through a chain of dependencies), and build an incident response process that keeps security incidents out of production workloads. Application developers can access transitive dependency and vulnerability reports in real time to understand the level of risk in existing source code and fix issues before they ship. They can also draw on reusable trusted content, which reduces vulnerabilities during development and minimizes security risk in production.
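The two analyses this paragraph describes, blast radius over transitive dependencies and filtering findings by VEX, are small graph problems once the SBOM is in hand. The following is an added example, not code from Trusted Profile Analyzer or GUAC. It works over a constructed CycloneDX-style `dependencies` section, a constructed list of scanner findings and a constructed VEX document; the component names, versions and the vulnerability identifiers (`EXAMPLE-0001`, `EXAMPLE-0002`) are fictitious placeholders, not real packages or CVEs. It classifies whether an application depends on a component directly or transitively, computes every component that would be affected by a vulnerability in a given dependency, and drops findings that the supplier's VEX statement marks as not affected.

```python
from collections import deque

# Constructed CycloneDX-style "dependencies" section: each entry lists the
# bom-refs a component depends on directly. Names and versions are made up.
DEPENDENCIES = [
    {"ref": "app:orders-service@1.0.0",
     "dependsOn": ["pkg:generic/http-client@3.1.0", "pkg:generic/crypto-utils@0.9.0"]},
    {"ref": "app:reports-service@2.2.0",
     "dependsOn": ["pkg:generic/json-parser@2.4.0"]},
    {"ref": "pkg:generic/http-client@3.1.0",
     "dependsOn": ["pkg:generic/json-parser@2.4.0"]},
    {"ref": "pkg:generic/json-parser@2.4.0",
     "dependsOn": ["pkg:generic/compress@1.0.2"]},
    {"ref": "pkg:generic/crypto-utils@0.9.0", "dependsOn": []},
    {"ref": "pkg:generic/compress@1.0.2", "dependsOn": []},
]

# Constructed scanner findings; the identifiers are fictitious, not real CVEs.
FINDINGS = [
    {"id": "EXAMPLE-0001", "ref": "pkg:generic/json-parser@2.4.0"},
    {"id": "EXAMPLE-0002", "ref": "pkg:generic/crypto-utils@0.9.0"},
]

# Constructed CycloneDX-style VEX statements from the component supplier.
# "not_affected" means the vulnerable code is present but not reachable.
VEX = [
    {"id": "EXAMPLE-0002",
     "affects": [{"ref": "pkg:generic/crypto-utils@0.9.0"}],
     "analysis": {"state": "not_affected",
                  "justification": "vulnerable_code_not_in_execute_path"}},
]

# VEX analysis states under which a finding needs no action.
SUPPRESSING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def forward_graph(dependencies):
    """bom-ref -> set of bom-refs it depends on directly."""
    return {d["ref"]: set(d.get("dependsOn", [])) for d in dependencies}


def reverse_graph(dependencies):
    """bom-ref -> set of bom-refs that depend on it directly."""
    rev = {d["ref"]: set() for d in dependencies}
    for d in dependencies:
        for dep in d.get("dependsOn", []):
            rev.setdefault(dep, set()).add(d["ref"])
    return rev


def reachable(graph, start):
    """All nodes reachable from start by following edges (start itself excluded).
    Breadth-first with a visited set, so dependency cycles terminate."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(dependencies, vulnerable_ref):
    """Every component that depends on vulnerable_ref, directly or transitively."""
    return reachable(reverse_graph(dependencies), vulnerable_ref)


def classify_dependency(dependencies, root, target):
    """'direct', 'transitive' or None: how root depends on target."""
    fwd = forward_graph(dependencies)
    if target in fwd.get(root, ()):
        return "direct"
    if target in reachable(fwd, root):
        return "transitive"
    return None


def actionable_findings(findings, vex):
    """Drop findings that a VEX statement marks as needing no action."""
    suppressed = set()
    for stmt in vex:
        if stmt["analysis"]["state"] in SUPPRESSING_STATES:
            for a in stmt["affects"]:
                suppressed.add((stmt["id"], a["ref"]))
    return [f for f in findings if (f["id"], f["ref"]) not in suppressed]


def triage(dependencies, findings, vex):
    """finding id -> sorted list of the vulnerable component plus its blast radius."""
    return {f["id"]: sorted({f["ref"]} | blast_radius(dependencies, f["ref"]))
            for f in actionable_findings(findings, vex)}


if __name__ == "__main__":
    for vuln_id, refs in triage(DEPENDENCIES, FINDINGS, VEX).items():
        print(vuln_id)
        for ref in refs:
            print("  ", ref)
```

Note that the VEX match is keyed on both the vulnerability identifier and the exact component reference: a supplier's "not affected" statement about one version must not silence findings about a different version of the same package, and a statement whose state is `in_triage` or `exploitable` leaves the finding actionable.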

DevSecOps teams and CISOs can more easily meet compliance requirements, use open source software in production applications with greater confidence, and assess the level of exposure and the risk profile of each application. Trusted content keeps developers productive, increases software transparency, and supports an incident response process that reduces the risk of security incidents in production workloads.

Red Hat Trusted Profile Analyzer enables you to gain and take advantage of deeper insights into the security of your applications. It is available as a tech preview, so we invite you to kick the tires and see how you can boost your app-dev security.

Learn more about Red Hat Trusted Profile Analyzer here.