Here’s a neat little compilation of 5 essential supply-chain security controls you should know and apply at multiple levels of the application stack. Let’s dive in!
Let's start with server-side dependencies. You need to generate SBOMs and use it for Source Composition Analysis. Pin it with specific versions to avoid dependency confusion. And ensure that you reserve company namespaces in the global package manager namespace.
Next up, we’ve got client-side dependencies. Be sure to use strict Content-Security-Policy definitions with tight URL restrictions. Use SRI and Nonce for CSP definition to prevent poisoned deps from being loaded in the browser. Finally, limit third-party JS like chatbots, tracking code, and CDNs.
And now for the most important one, Containers. Use distroless w/ multi-stage builds and DockerSlim to reduce image sizes and remove unnecessary dependencies. Lastly, generate SBOMs with Syft and scan with Trivy or Grype.
Your app dependencies will most likely be built into a container image with the help of a CI/CD tool. The security measures include Protected Branches, secrets on protected branches and jobs related to them, and secrets on the environment to prevent org or repo secrets from being compromised. See that you restrict IAM to specific users and privileges. Prevent forks from running DevOps jobs, harden runner that runs CI jobs, and most importantly, lockdown egress access.
Infrastructure-as-Code using HashiCorp Terraform or Cloudformation can be pretty important. These are vulnerable to security issues as well. So use only verified and official providers and ensure you only utilize trusted and audited Terraform modules.
Get your full Container Security training started here!
Never Stop Learning!