Securing the Software Supply Chain: Expert Insights from JFrog on Best Practices, Culture, and Incident Response

In today’s interconnected digital landscape, securing the software supply chain is paramount for businesses. Moran Ashkenazi- CSO and VP of Security Engineering, JFrog, shares insights in this exclusive Q&A. From educating teams on security best practices to fostering a security-conscious culture and managing security updates, this conversation unveils crucial strategies for modern enterprises. Join us to learn how to protect your digital assets.

Why is it essential to educate development and operations teams about security best practices?

Applications are complex, changing systems made up of legacy code, public APIs, and third-party services with several open source and third-party dependencies. As a result, security vulnerabilities and malicious packages that threaten the livelihood of any business can be easily hidden within applications. Security is a shared responsibility, meaning security, development, and operations must work together to secure and protect applications and the sensitive data they access. These teams need to collaborate on assessing their software supply chain risk and then implementing security best practices in order to:

• Reduce the risk of security vulnerabilities being introduced into software.
• Improve the security of software products and services.
• Comply with industry regulations and standards.
• Protect the organization from data breaches and other security incidents.
• Build a culture of security within the organization.

By educating security, development and operations teams on best best practices for securing applications at each stage of development can significantly improve the overall security of enterprise software products and services.

How can fostering a security-conscious culture within an organization enhance supply chain security?

Cyber attackers are becoming more advanced exploiting commonly used systems and technologies. Forrester’s Security Survey, 2022, showed that causes of external breaches that global security decision-makers selected most often were software supply chain attacks (26%) and software vulnerability exploits (25%). They also stated how many times their organization had been breached in the past year; 63% reported at least one breach. A year later, that was up to 74%. Of breaches reported by security decision-makers, 34% were caused by an external attack — the largest category cited.

There are a number of ways to foster a security-conscious culture within an organization that tech leaders should consider, including:

• Conduct security awareness training for all employees.
• Create a security policy and enforce it consistently.
• Promote the use of security best practices.
• Reward employees for good security practices.
• Promoting shared responsibility for products’ security vulnerability -remediation program.

Everyone in the organization should be aware of the importance of security to protect the organization’s assets. Creating a security-conscious culture, enables us to efficiently reduce the risk of security vulnerabilities being introduced into our software supply chain.

How can organizations effectively check for and apply security updates and patches to their software dependencies?

According to Forrester’s Security Survey, 2021 exploiting the software supply chain is the most popular way to cause a breach, which is why Security leaders must be diligent about software updates that include security patches for RnD to fix vulnerabilities that could be exploited by attackers.

Companies that take a layered approach to maintaining good cyber hygiene through well defined application security processes will be best positioned to effectively secure their entire software supply chain. Some recommended best practices for staying on top of emerging cyberthreats and reducing risk within your software development life cycle includes:

• Use a vulnerability scanner to scan your software dependencies for known vulnerabilities.
• Subscribe to security advisories and qualified research from your trusted software vendors.
• Automate the process of applying security updates and patches to unburden both your developers and CSO office.
• Test security updates and patches before deploying them to production.

Organizations should also consider implementing tools and strategies that can help ensure the security of their software supply chain, such as:

• Static code analysis tools can be used to identify security vulnerabilities in your code before it’s deployed.
• Dynamic application security testing (DAST) tools can be used to test your application for security vulnerabilities while it’s running.
• Penetration testing can be used to simulate an attack on your application to identify vulnerabilities that could be exploited by attackers.
• Security awareness training can help to educate developers and operations teams about security best practices.
• A security policy can help to define the organization’s security requirements and expectations.
• A security incident response plan can help the organization to respond to security incidents in a timely and effective manner.

Companies that take a layered approach to maintaining good cyber hygiene through well defined application security processes will be best equipped to effectively secure their entire software supply chain.

How can organizations ensure that only authorized personnel have access to critical supply chain components?

Organizations can help ensure the protection of their critical supply chain components by using a number of security measures, such as:

• Implementing strong access controls for passwords, multi-factor authentication, and access control lists (ACLs) to restrict who has access to which resources.
• Monitoring and audit user activity to help identify unauthorized access attempts and take action to prevent them.
• Encryption to protect sensitive data from being accessed by unauthorized users.
• Make sure secrets and tokens rotate consistently; always prefer to assume roles rather than use passwords.
• Constructing a well-defined incident response program to manage unauthorized access of data including immediate network access isolation closely monitoring all data entry and exit points, especially those involved in the incident, rotate credentials and passwords of authorized users, and/or taking all affected assets offline immediately — but don’t turn any machines off until the forensic experts arrive.

Taking these steps will help minimize the risk of further data exposure.

What steps should be outlined in a comprehensive incident response plan for supply chain security?

Incident response plans are a crucial part of an organization’s information security and business continuity measures given the surging threat of cyber crime.  While such plans will vary by organization depending on the extent of their IT operations and production, at a high-level there are a few key steps that should be part of every software supply chain response plan:

1. Identify and assess the risk of supply chain security incidents. This includes understanding the third-party dependencies, potential impact of a supply chain security incident, and ability to detect and respond to such an incident.
2. Develop a plan for responding to a supply chain security incident. Including steps for detecting, containing, and mitigating the impact of an incident.
3. Test the plan regularly to ensure that it is effective. This can be done through simulated incidents or by conducting Red Team and Blue team exercise along with tabletop drill.
4. Train the team responsible for responding to supply chain security incidents on the plan and their roles and responsibilities.

While each of the above listed areas contains complex and interrelated actions with several subtasks, the incident response plan should provide simple and precise guidance so key stakeholders can quickly identify issues and design a remediation plan.