Friday, September 30, 2022

Enterprises embrace devsecops practices against supply chain attacks


For enterprise security professionals alarmed about the growing number of supply chain attacks, a report released this week by Google and supply chain security firm Chainguard has good news: devsecops best practices are becoming more and more common.

The recent prevalence of supply chain attacks, most notably the SolarWinds attack disclosed in December 2020, which affected numerous large companies into 2021, has brought the topic into prominence. The Google-Chainguard report, though, found that many supply chain security practices recommended by the major frameworks are already in place among software developers, based on an ongoing "snowball" survey of 33,000 such developers over the past eight years.

There are two major frameworks for addressing software supply chain development issues, which stem from the complex nature of modern software development: many projects include open source components, licensed libraries, and contributions from numerous developers and various third parties.

Two major security frameworks aim at supply chain attacks

One major security framework is Supply-chain Levels for Software Artifacts (SLSA), a Google-backed standard, and the other is NIST's Secure Software Development Framework (SSDF). Both enumerate a number of best practices for software development, including two-person review of software changes, protected source code platforms, and dependency tracking.

"The interesting thing is that a lot of these practices, according to the survey, are actually relatively established," said John Speed Meyers, one of the report's authors and a security data scientist at Chainguard. "A lot of the practices in there, 50% of the respondents said that they were established."

The most common of those practices, according to Google user experience researcher Todd Kulesza, another author of the report, is CI/CD (continuous integration/continuous delivery), a method of rapidly delivering applications and updates by leveraging automation at different stages of development.

"It's one of the key enablers for supply chain security," he said. "It's a backstop: [developers] know that the same vulnerability scanners, et cetera, are all going to be run against all their code."
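The "dependency tracking" practice listed above and the CI/CD backstop Kulesza describes meet in checks like the one below: a policy gate that runs on every change, so no individual developer can skip it. This is an added example, not code from the Google/Chainguard report, from SLSA or SSDF, or from the article. It assumes pip's requirements.txt format; the sample file, its package versions and its hash digest are constructed for illustration.

```python
"""Dependency-pinning gate of the kind a CI/CD pipeline runs against every change.

Added example, not code from the Google/Chainguard report or from SLSA/SSDF.
It assumes pip's requirements.txt format; the sample file below is constructed
for illustration and its hash digest is a placeholder, not a real digest.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input (not from any real project).
SAMPLE_REQUIREMENTS = """\
# pinned and hash-verified: passes
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# pinned, but pip cannot verify the downloaded artifact: flagged
urllib3==2.0.7
# floating version range, resolves to whatever is newest: flagged
certifi>=2023.7.22
# VCS dependency with no commit pin, resolves to the branch head: flagged
-e git+https://github.com/example/unpinned.git#egg=unpinned
"""

# Exact pin: package name, optional extras, then "==" and a version.
PINNED_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s,;]+")
# pip's --hash option with a strong digest algorithm.
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-fA-F]+")
# A VCS URL pinned to a full 40-hex-character commit SHA.
COMMIT_RE = re.compile(r"@[0-9a-fA-F]{40}\b")


@dataclass
class Finding:
    line_no: int
    requirement: str
    problem: str


@dataclass
class Report:
    checked: int = 0
    findings: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.findings


def _logical_lines(text):
    """Yield (line_no, requirement): backslash continuations joined, full-line
    comments and blank lines dropped; line_no is where the requirement starts."""
    pending, start = "", None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not pending and (not raw.strip() or raw.lstrip().startswith("#")):
            continue
        if start is None:
            start = line_no
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
            continue
        pending += stripped
        yield start, " ".join(pending.split())
        pending, start = "", None
    if pending.strip():  # file ended on a continuation line
        yield start, " ".join(pending.split())


def check_requirements(text, require_hashes=True):
    """Apply the pinning policy to a requirements file and return a Report."""
    report = Report()
    for line_no, req in _logical_lines(text):
        # pip options such as --index-url or -r other.txt are not dependencies.
        if req.startswith("-") and not req.startswith("-e"):
            continue
        report.checked += 1
        if req.startswith("-e") or "://" in req:
            # URL/VCS dependencies cannot carry --hash; require a commit pin instead.
            if not COMMIT_RE.search(req):
                report.findings.append(Finding(
                    line_no, req, "URL/VCS dependency not pinned to a full commit SHA"))
            continue
        if not PINNED_RE.match(req):
            report.findings.append(Finding(line_no, req, "version not pinned with =="))
            continue
        if require_hashes and not HASH_RE.search(req):
            report.findings.append(Finding(
                line_no, req, "no --hash, so the downloaded artifact is not verified"))
    return report


if __name__ == "__main__":
    result = check_requirements(SAMPLE_REQUIREMENTS)
    for f in result.findings:
        print(f"line {f.line_no}: {f.problem}: {f.requirement}")
    print(f"{result.checked} dependencies checked, {len(result.findings)} findings")
    raise SystemExit(0 if result.passed else 1)
```

Run as a pipeline step, the non-zero exit status fails the build; the same policy is applied to every branch, which is the backstop property the quote describes. The `require_hashes` switch exists because hash pinning is only meaningful when `pip install --require-hashes` is also used at deploy time.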

Moreover, the report found that a healthier culture in software development teams was a predictor of fewer security incidents and better software delivery. Higher-trust cultures, where developers felt comfortable reporting problems and confident that their reports would bring action, were more likely to produce more secure software and retain good developers.

"Sometimes, cultural arguments can feel really fluffy," said Speed Meyers. "What is nice about some of these … culture ideas is that they actually lead to concrete standards and practices."

Kulesza echoed that emphasis on high-trust, collaborative culture in software working groups, which the report refers to as "generative" culture, as opposed to rules-based "bureaucratic" or power-focused cultures. He said that practices like after-action reports for development incidents and preset standards for work led to better outcomes across the board.

"One way to think about this is that if there's a security vulnerability that an engineer realizes has made it into production, you don't want to be in an organization where that engineer worries about bringing that problem to light," he said.

Copyright © 2022 IDG Communications, Inc.
