Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
2022: Software Supply Chain Security Hits Containers Head On
By John Amaral, founding CEO of Slim.AI
Looking back, 2021 will be known as the year that software supply chain security emerged from a wonky RSA topic into something that is at once urgent and poorly understood. We started the year reeling from the SolarWinds breach, "IT's Pearl Harbor," in which Russian operatives delivered a backdoored software update to roughly 18,000 government and private networks. Then in April, Reuters reported a breach at Codecov. In July, a ransomware gang known as REvil compromised the Kaseya VSA IT management platform and demanded a $70 million payment after reportedly encrypting the data of more than 1,000 downstream organizations. And most recently, the Log4Shell vulnerability gave us the ugly Christmas sweater no one wanted, ruining the holiday shopping weekends of many DevOps and DevSecOps teams as they rushed to find and patch Log4j, the ubiquitous Java logging library.
What the first three of these incidents had in common was that attackers infiltrated the infrastructure of major enterprises and US government institutions by planting malicious code in third-party software their victims already trusted; Log4Shell showed the other face of the same problem, a critical flaw in a dependency that most teams first had to find before they could patch it. As a result, software supply chain security became a topic no CIO wanted to be caught unprepared to discuss.
The IT ecosystem has been placed on "full alert," and with good reason. According to ENISA (the European Union Agency for Cybersecurity), 66% of the supply chain attacks it analyzed between January 2020 and July 2021 focused on the supplier's code, exploiting the trust that customers place in their suppliers to distribute the attack or malware. ENISA estimated that supply chain attacks in 2021 would number more than four times those of 2020.
Underscoring the urgency is a Gartner report projecting that "by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021."
At Slim.AI, we have a few software supply chain security projections of our own for 2022:
1. Significant supply chain attacks will keep happening, forcing CTOs and CISOs to secure their software "factories." Despite efforts by the U.S. government, open source software organizations and numerous private companies to address software supply chain security, a much more significant breach will occur. It's not a matter of if but when.
How do we know this?
First, attacks will inevitably increase in number and sophistication. As Patrick Kelley, CTO of Critical Path Security, said, "I personally feel that [the SolarWinds attack] was a testing of the waters. Future attacks on supply chains will include ransomware and larger impacts. Imagine if 18,000 government agencies were hit with ransomware at the exact same time. That is the direction that I really believe this is going."
Second, we're not yet prepared to handle it; simple business economics are inhibiting a proper response to the threat. Jonathan Moore, CTO of the cybersecurity firm SpiderOak, said in March, "From a business perspective, it is not possible to analyze the risk that software products introduce, and security products cannot quantify the reduction in risk they provide. Customers are therefore motivated to spend resources on the portions of their business where risk and rewards are better understood, meeting only the minimum bar in security."
Third, we currently have an assortment of processes and tools that can play a role in securing software pipelines, but there is no "magic bullet" solution. Moreover, even the best tools still require some level of human oversight for observation and response. Unfortunately, DevSecOps teams (if you're lucky enough to have one) are typically five years behind attackers in training, are understaffed and are already beleaguered by the pressure of responding to massively increased attack surfaces. Think back to the 2017 Equifax breach: attackers used a months-old vulnerability in Apache Struts, one that Equifax knew about but had failed to patch, to steal the personal information of 147.7 million Americans.
We're in the midst of a perfect storm. And when the inevitable disaster happens...
2. ...Every major software organization will require security guarantees of their software. Any significant movement in the realm of security has been a reaction to something catastrophic. In this case, the reaction will be that CISOs push the burden of proof up the supply chain and refuse to work with companies that can't document the safety of their software. In the case of third-party commercial applications (where users typically don't have access to source code), we will likely see this demand for guarantees reflected in contracts and licenses. Lawsuits will, of course, follow breaches, and risk management teams will then force the issue of software supply chain provenance.
What will be particularly interesting to watch will be the impact on open source software. A recent Tidelift study showed that 92% of enterprise software projects contain open-source dependencies and, in those projects, as much as 70% or more of the code was open source. Forrester says the footprint of open source software is even bigger: almost 99% of audited codebases contain some amount of open source code, according to "The State of Application Security 2021" report.
Let's look at the pros and cons of open source through this lens. First, the pros: by definition the source code for open source software is publicly available for anyone to inspect; also, a recent Sonatype study showed that the security of open source projects in general has improved, with the average time to update vulnerable open source code dropping to 28 days, compared with 371 days a decade ago. Now, the cons: the same study showed a 650% year-over-year increase in software supply chain attacks aimed at exploiting weaknesses in upstream open source ecosystems. It remains to be seen whether organizations will fully trust "the community" to deliver secure code, and whether demand for legal accountability will disincentivize contributions to open source.
In the meantime, we'll see that ...
3. ...The demand for software supply chain security will permeate DevOps, with particular emphasis on container best practices and developer experience. If software is eating the world, then containers and Kubernetes are eating software. DevOps teams shipping containers to production will strive, and unfortunately fail, to verify the security of and lock down access to their CI/CD tools and infrastructure in order to detect and prevent similar attacks. As journalist Mike Vizard wrote, "In the wake of a recent series of high-profile breaches of software supply chains, the level of scrutiny being applied to how software is constructed has increased significantly. In theory, at least, developers have assumed more responsibility for application security as part of an overall shift left that provided them with more programmatic control over IT environments. As a result, cybercriminals are now focused on compromising either the credentials of developers as part of an effort to insert malware into an application as it is developed, or they are trying to exploit vulnerabilities that developers have inadvertently created by programmatically misconfiguring infrastructure."
In 2022, container best practices will move from a hand-wavy philosophical discussion to a mainstream idea that developers, and their managers, have to care about. Red Hat Inc. released a report in June raising the alarm on widespread container security issues. The Red Hat survey found that 94% of DevOps and engineering professionals had experienced a security incident related to containers. More than half of respondents (55%) reported having to delay deploying Kubernetes applications into production because of a security issue. Just under 60% also reported a misconfiguration incident in their environments over the last 12 months, and nearly half (47%) are still worried about exposures due to misconfigurations in their container and Kubernetes environments.
Companies like mine will work to address these challenges by codifying container best practices into automated processes that large DevOps teams can deploy and manage without running head first into the stone wall of the Kubernetes and Docker talent shortages. Solving the software supply chain security issues facing containers means automating two things: documenting exactly what goes into each image that ships to production, and shipping images that contain only the code the application actually needs, leaving behind the compilers, package managers, shells and debugging utilities that are useful in development images but serve only to bloat the attack surface in production.
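Knowing what is in a container means inspecting the image as it actually ships, not the Dockerfile as it reads. The script below is an added example written for this page, not Slim.AI or DockerSlim code: it reads a `docker save` tarball, stacks the layers with their whiteout markers the way a container runtime does, and reports development tooling and setuid binaries that ship, plus files that a later `RUN rm` step deleted but that are still carried in a lower layer. The three-layer image it audits is constructed in memory so the script runs offline; the list of "dev tools", the layer contents and the token in `root/.npmrc` are all assumptions made for the demonstration.

```python
"""Inventory what actually ships in a container image.  Added example for this article
(not Slim.AI or DockerSlim code): reads a `docker save` tarball, stacks its layers
with their whiteout markers as a runtime does, and flags what shouldn't be there."""
import io
import json
import posixpath
import tarfile

# Assumed list: binaries handy in a build image but rarely wanted in production.
DEV_TOOLS = {"sh", "bash", "ash", "dash", "apt", "apt-get", "apk", "yum", "dnf", "pip",
             "npm", "gcc", "cc", "make", "curl", "wget", "nc", "gdb", "strace", "vi", "ssh"}
WHITEOUT, OPAQUE = ".wh.", ".wh..wh..opq"


def _clean(name):
    """Normalise a tar member name ("./bin/sh", "/bin/sh") to "bin/sh"."""
    return posixpath.normpath((name[2:] if name.startswith("./") else name).lstrip("/"))


def merge_layers(layer_blobs):
    """Apply layer tars in order.  Returns (visible, hidden): the merged root filesystem
    and entries a later layer whited out.  Hidden bytes still ship inside the archive."""
    visible, hidden = {}, {}
    for blob in layer_blobs:
        with tarfile.open(fileobj=io.BytesIO(blob)) as tf:  # gzip is auto-detected
            members = [(_clean(m.name), m) for m in tf.getmembers()]
        for path, _ in members:  # whiteouts first: they only affect lower layers
            parent, base = posixpath.split(path)
            prefix = parent + "/" if parent else ""
            if base == OPAQUE:                    # wipes everything under parent
                doomed = [p for p in visible if p.startswith(prefix)]
            elif base.startswith(WHITEOUT):       # .wh.<name> deletes one entry
                target = prefix + base[len(WHITEOUT):]
                doomed = [p for p in visible if p == target or p.startswith(target + "/")]
            else:
                continue
            for p in doomed:
                hidden[p] = visible.pop(p)
        for path, member in members:
            if path in ("", ".") or posixpath.basename(path).startswith(WHITEOUT):
                continue
            visible[path] = member                # upper layer wins
            hidden.pop(path, None)
    return visible, hidden


def audit(visible, hidden):
    """Turn the merged view into findings a CI gate can fail on."""
    findings = []
    for path, m in sorted(visible.items()):
        if m.isfile() and posixpath.basename(path) in DEV_TOOLS and m.mode & 0o111:
            findings.append(("dev-tool-shipped", path))
        if m.isfile() and m.mode & 0o6000:
            findings.append(("setuid-or-setgid", path))
    for path in sorted(hidden):
        findings.append(("deleted-but-still-in-layer", path))
    return findings


def audit_image_tar(image_tar):
    """Audit a `docker save` archive; its manifest.json lists the layer tars in order."""
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as tf:
        manifest = json.load(tf.extractfile("manifest.json"))
        layers = [tf.extractfile(name).read() for name in manifest[0]["Layers"]]
    return audit(*merge_layers(layers))


def _tar(entries):
    """Build a tar in memory from (path, mode, data) triples; data=None is a directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, mode, data in entries:
            info = tarfile.TarInfo(path)
            info.mode = mode
            if data is None:
                info.type = tarfile.DIRTYPE
            else:
                info.size = len(data)
            tf.addfile(info, None if data is None else io.BytesIO(data))
    return buf.getvalue()


def sample_layers():
    """Constructed image: base with a shell and package manager, a build layer adding
    gcc and a registry token, and a cleanup layer whose RUN rm only added whiteouts."""
    base = _tar([("bin", 0o755, None), ("bin/sh", 0o755, b"#!shell"),
                 ("usr/bin/apt-get", 0o755, b"pkg mgr"), ("usr/bin/ping", 0o4755, b"ping"),
                 ("etc/passwd", 0o644, b"root:x:0:0::/root:/bin/sh\n")])
    build = _tar([("usr/bin/gcc", 0o755, b"cc"), ("app/server", 0o755, b"the app"),
                  ("root/.npmrc", 0o600, b"//registry.example/:_authToken=TOKEN\n")])
    cleanup = _tar([("usr/bin/.wh.gcc", 0o644, b""), ("root/.wh..npmrc", 0o644, b"")])
    return [base, build, cleanup]


def sample_image():
    """Wrap the layers in the `docker save` layout (manifest.json plus layer tars)."""
    layers = sample_layers()
    names = ["layer%d/layer.tar" % i for i in range(len(layers))]
    manifest = json.dumps([{"Layers": names}]).encode()
    return _tar([("manifest.json", 0o644, manifest)] + list(zip(names, [0o644] * 3, layers)))
```

Running `audit_image_tar(sample_image())` reports `bin/sh` and `usr/bin/apt-get` as shipped dev tools, `usr/bin/ping` as setuid, and `root/.npmrc` and `usr/bin/gcc` as deleted-but-still-in-layer. That last class is the one that surprises people: a `RUN rm` in a later Dockerfile step adds a whiteout marker rather than shrinking the image, so the token and the compiler still travel in the archive and can be pulled out of the lower layer. That is why building the production image from only the files the application needs beats cleaning up after the fact. To use it on a real image, pass the bytes of a `docker save` output to `audit_image_tar` and fail the pipeline on any finding.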
In the 1960s, public service announcements pandered to panic-stricken parents with the phrase, "It's 10pm. Do you know where your children are?" In the year ahead, that PSA might intone, "It's 2022. Do you know what's in your containers?" Watch projects like Docker Slim and others for clues as to who will deliver the most useful paths large enterprises can follow to secure their containers and answer that question.
##
ABOUT THE AUTHOR
John Amaral, founding CEO of Slim.AI, has more than 25 years of experience as a technologist and product development leader in SaaS, information security and networking. Prior to Slim.AI, John was Head of Product for Cisco's Cloud Security Business Unit, which he joined via the acquisition of Cloudlock. Previously, he helped lead product and technical direction at Trustwave. John has been awarded three US patents and holds a degree in Electrical Engineering from the University of Massachusetts and an MBA from the MIT Sloan School of Management.