Cloud7 is gathering opinions of the important names in the cloud, web hosting, cybersecurity, Linux, and other industries for 2022 in the Cloud7 Expert Series. Alongside their evaluations of 2022, they will share their expectations for the next year, 2023.
Sarwar Raza, Vice President and General Manager of Cloud Services at Red Hat, is currently responsible for the company’s cloud services portfolio and business unit. He holds a Bachelor’s degree in computer science and economics from Clark University and a Master’s in computer science from WPI. He previously worked for Totogi, Amazon Web Services, and Hewlett Packard Enterprise.
Securing your software supply chain in 2023
Over the next year, establishing secure software supply chains will emerge as a top priority for DevSecOps teams and security teams. According to the Red Hat 2023 Global Tech Outlook, IT leaders are focusing on security, with network security (40%) and cloud security (38%) as the clear leaders. Software supply chain security combines best practices from risk management and cybersecurity to help protect the software supply chain from potential vulnerabilities, such as hijacking updates, undermining code signing, and compromising open source code.
Everything that touches an organization’s code in the software development lifecycle, from application development to deployment, is a part of the software supply chain. Designing a secure software supply chain with a DevSecOps mindset is crucial. DevSecOps is a culture, automation, and software design approach that integrates security as a shared responsibility throughout the entire IT lifecycle. Selecting the right tools to continuously integrate security, such as agreeing on an integrated development environment (IDE) with security features, can help meet these goals.
When planning a secure software supply chain, businesses should adopt a security blueprint that includes the following:
- Know your suppliers: Businesses should be familiar with who they work with, starting with tier-one suppliers. Conduct risk assessments to evaluate each supplier’s cybersecurity posture and public policies on vulnerabilities and regularly scan for vulnerabilities.
- Embrace Supply-chain Levels for Software Artifacts (SLSA): This enables developers to digitally sign software artifacts to authenticate provenance and to leverage automation for processes and policies.
- Automated security testing tools: Run routine scans with automated security testing tools such as Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST).
- Industry-wide communication: When major vulnerabilities occur, the industry needs to be more proactive in reporting these flaws. Organizations should encourage developers to contribute to open-source projects and to speak up when security issues are discovered.
Improper security implementation can impact the business by delaying important releases in order to address issues found later in the software life cycle, or by losing security fixes that were only applied to running workloads. Software security is a shared responsibility, and missed best practices by end users often lead to security failures. Building security into the software supply chain positively impacts other areas of the business, such as application development. When you bake security into the core of your software infrastructure, your teams are empowered to focus on business-critical initiatives and innovation.