Virtualization Technology News and Information
Slim.AI 2022 Predictions: Software Supply Chain Security Hits Containers Head On


Industry executives and experts share their predictions for 2022.  Read them in this 14th annual series exclusive.

2022: Software Supply Chain Security Hits Containers Head On

By John Amaral, founding CEO of Slim.AI

Looking back, 2021 will be known as the year that software supply chain security emerged from a wonky RSA topic into something that's at once urgent and poorly understood. We started the year reeling from the SolarWinds breach, "IT's Pearl Harbor." The attack by Russian operatives spread a virus to 18,000 government and private networks. Then in April, Reuters reported a breach at Codecov. In July, a ransomware gang known as REvil compromised IT management platform Kaseya VSA and demanded a $70 million payment after reportedly encrypting the data of more than 1,000 downstream organizations. And most recently, the Log4Shell vulnerability gave us the ugly Christmas sweater no one wanted, ruining the holiday shopping weekends of many DevOps and DevSecOps teams as they rushed to find and patch this ubiquitous Java library.

What the first three of these incidents had in common was that hackers were able to infiltrate the infrastructure of major enterprises and US government institutions by embedding malicious code in third-party software. As a result, software supply chain security became a topic no CIO wanted to be caught unprepared to discuss.

The IT ecosystem has been placed on "full alert." And with good reason. According to ENISA (the European Union Agency for Cybersecurity) 66% of attacks that occurred between January of 2020 and July of 2021 focused on the supplier's code and software supply chain, exploiting the trust that customers put in their suppliers to distribute their attacks or malware. ENISA estimated that by the end of 2021, supply chain attacks will number more than four times that of 2020.

Underscoring the urgency is a Gartner report projecting that "by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021."

At Slim.AI, we have a few software supply chain security projections of our own for 2022:

1. Significant supply chain attacks will keep happening, forcing CTOs and CISOs to secure their software "factories." Despite efforts by the U.S. government, open source software organizations and numerous private companies to address the issue of software supply chain security, a much more significant breach will occur. It's not a matter of if but when.

How do we know this? First, attacks will inevitably increase in number and sophistication. As Patrick Kelley, CTO of Critical Path Security, said, "I personally feel that [the SolarWinds attack] was a testing of the waters. Future attacks on supply chains will include ransomware and larger impacts. Imagine if 18,000 government agencies were hit with ransomware at the exact same time. That is the direction that I really believe this is going."

Second, we're not yet prepared to handle it; simple business economics are inhibiting a proper response to the threat. Jonathan Moore, CTO of the cybersecurity firm SpiderOak, said in March, "From a business perspective, it is not possible to analyze the risk that software products introduce, and security products cannot quantify the reduction in risk they provide. Customers are therefore motivated to spend resources on the portions of their business where risk and rewards are better understood, meeting only the minimum bar in security."

Third, we currently have an assortment of processes and tools that can play a role in securing software pipelines, but there isn't a "magic bullet" solution. Moreover, even the best tools still require some level of human oversight for observation and response. Unfortunately, DevSecOps teams (if you're lucky enough to have one) are typically five years behind hackers in training, are understaffed and already beleaguered from the pressures of responding to massively increased attack surfaces. Think back to the 2017 attack on Equifax: hackers used a months-old issue (one that Equifax knew about but had failed to fix) to steal the personal information of 147.7 million Americans.

We're in the midst of a perfect storm. And when the inevitable disaster happens...

2. ...Every major software organization will require security guarantees of their software. Any significant movement in the realm of security has been a reaction to something catastrophic. In this case, the reaction will be that CISOs will push the burden of proof in software up the supply chain and refuse to work with companies that can't document the safety of their software.

In the case of third-party commercial applications (where users typically don't have access to source code), we will likely see this demand for guarantees reflected in contracts and licenses. Lawsuits will, of course, follow breaches, forcing risk management to force the issue of software supply chain provenance.

What will be particularly interesting to watch will be the impact on open source software. A recent Tidelift study showed that 92% of enterprise software projects contain open-source dependencies and, in those projects, as much as 70% or more of the code was open source. Forrester says the footprint of open source software is even bigger: almost 99% of audited codebases contain some amount of open source code, according to "The State of Application Security 2021" report.

Let's look at the pros and cons of open source through this lens. First, the pros: by definition the source code for open source software is publicly available for anyone to inspect; also, a recent Sonatype study showed the security of open source projects in general has improved, with the average time to update vulnerable open source code dropping to 28 days compared with 371 days a decade ago. Now, the cons: the same study showed a 650% year-over-year increase in software supply chain attacks aimed at exploiting weaknesses in upstream, open source ecosystems. It remains to be seen if organizations will fully trust "the community" to deliver secure code and if demand for legal accountability disincentivizes contributions to open source.

In the meantime, we'll see that ...

3. ...The demand for software supply chain security will permeate DevOps, with particular emphasis on container best practices and developer experience. If software is eating the world, then containers and Kubernetes are eating software. DevOps teams shipping containers to production will strive (and unfortunately fail) to verify the security of and lock down access to CI/CD tools and infrastructure to more effectively detect and prevent similar attacks. As journalist Mike Vizard wrote, "In the wake of a recent series of high-profile breaches of software supply chains, the level of scrutiny being applied to how software is constructed has increased significantly. In theory, at least, developers have assumed more responsibility for application security as part of an overall shift left that provided them with more programmatic control over IT environments. As a result, cybercriminals are now focused on compromising either the credentials of developers as part of an effort to insert malware into an application as it is developed, or they are trying to exploit vulnerabilities that developers have inadvertently created by programmatically misconfiguring infrastructure."

In 2022, we'll see container best practices move from a hand-wavy philosophical discussion to become a mainstream idea that developers, and their managers, have to care about. Red Hat Inc. released a report in June raising the alarm on widespread container security issues. The Red Hat survey revealed that 94% of DevOps and engineering professionals confirmed they had experienced a security incident related to containers. More than half of respondents (55%) reported needing to delay deploying Kubernetes applications into production because of a security issue. Just under 60% of respondents also noted there was a misconfiguration incident in their environments over the last 12 months. Nearly half (47%) are still worried about exposures due to misconfigurations in their container and Kubernetes environments.

Companies like mine will work to address these challenges by codifying container best practices into automated processes that large DevOps teams can deploy and manage without running headfirst into the stone wall of the Kubernetes and Docker talent shortages. Solving the software supply chain security issues facing containers means automating, and documenting, the shipping of container images to production that contain only the code that is necessary, leaving behind all of the artifacts of development images that are useful while building but serve only to bloat the attack surface in production.
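One concrete form of the practice described above is a multi-stage container build: the first stage holds the full development toolchain, and only the compiled artifact is copied into the image that ships. The Dockerfile below is an added illustration, not code from Slim.AI, Docker Slim or this article; the service name `app`, the `./cmd/app` source path and the Go 1.17 base tag are assumptions chosen for the example.

```dockerfile
# syntax=docker/dockerfile:1
#
# The "before" picture, a single-stage build that ships the whole development
# image (compiler, git, module cache, source tree, a shell) to production:
#
#   FROM golang:1.17
#   WORKDIR /src
#   COPY . .
#   RUN go build -o app ./cmd/app
#   CMD ["./app"]
#
# The multi-stage version below keeps every one of those artifacts in the build
# stage and leaves them behind when the final image is assembled.

# Stage 1: the development image. Everything needed to compile lives here and
# only here. (golang:1.17 and ./cmd/app are assumptions for this example.)
FROM golang:1.17 AS build
WORKDIR /src
# Copy module files first so dependency downloads are cached separately from
# source edits; go.sum pins the checksum of every dependency that is fetched.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary: no libc needed at run time; -trimpath and -s -w strip build
# paths and debug symbols so the shipped file carries nothing but the program.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: the image that actually ships. A distroless static base has no shell,
# no package manager and no compiler, so none of the tooling above is present
# for an attacker to use after a compromise, and there is far less to patch.
FROM gcr.io/distroless/static-debian11:nonroot
COPY --from=build /out/app /app
# Run as the unprivileged user the base image already provides rather than root.
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

Build it with `docker build -t app:prod .` and compare `docker image ls app:prod` against an image built from the commented-out single-stage file: the shipped image contains one binary plus the distroless base, which is also what makes the "what's in your containers?" question answerable, since the list of contents is short enough to document and review.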

In the 1960s, public service announcements pandered to panic-stricken parents with the phrase, "It's 10pm. Do you know where your children are?" In the year ahead, that PSA might intone, "It's 2022. Do you know what's in your containers?" Watch projects like Docker Slim and others for clues as to who will deliver the most useful paths large enterprises can follow to secure their containers and answer that question.




John Amaral, founding CEO of Slim.AI, has more than 25 years of experience as a technologist and product development leader in SaaS, information security and networking. Prior to Slim.AI, John was Head of Product for Cisco's Cloud Security Business Unit which he joined via the acquisition of Cloudlock. Previously, he helped lead product and technical direction at Trustwave. John has been awarded three US patents and holds a degree in Electrical Engineering from the University of Massachusetts and an MBA from the MIT Sloan School of Management.

Published Wednesday, February 02, 2022 7:33 AM by David Marshall