Here’s a compact rundown of 5 essential supply-chain security controls you should know and apply at multiple levels of the application stack. Let’s dive in!
Let's start with server-side dependencies. Generate SBOMs and feed them into Software Composition Analysis (SCA). Pin dependencies to specific versions to avoid dependency confusion, and make sure you reserve your company's namespaces in the public package registries so an attacker cannot publish a package under the same name.
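As an added example (not code from the original post), here is a small Python lint that enforces the pinning and namespace rules above on a requirements file: every entry must be pinned with `==`, every pin must carry a `--hash` so pip runs in hash-checking mode, and internal package names must already be reserved on the public registry. The `acme-` prefix, the reserved-name set and the sample requirements are constructed for illustration.

```python
"""Lint a requirements.txt for pinning, hashes and dependency-confusion risk.

Added example, not from the original post. Assumptions (constructed):
  * internal packages share the prefix "acme-"
  * RESERVED_ON_PUBLIC lists the internal names the company has already
    claimed on the public registry
"""
import re
from dataclasses import dataclass

INTERNAL_PREFIX = "acme-"          # assumed internal namespace
RESERVED_ON_PUBLIC = {"acme-auth"} # constructed: names reserved on the public index

# package name, then everything else (version spec, pip options)
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<spec>.*)$")
PIN_RE = re.compile(r"==\s*[0-9][A-Za-z0-9.+!]*")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


@dataclass
class Finding:
    line: str
    problem: str


def lint_requirements(text: str) -> list[Finding]:
    """Return one Finding per violated rule, in file order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # blank line or pip option
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append(Finding(line, "unparseable requirement"))
            continue
        name = m.group("name").lower().replace("_", "-")
        spec = m.group("spec")
        hashes = HASH_RE.findall(spec)
        spec_only = re.sub(r"\s*--hash=\S+", "", spec).strip()
        if not PIN_RE.fullmatch(spec_only):      # ranges and bare names fail here
            findings.append(Finding(line, "not pinned with =="))
        if not hashes:
            findings.append(Finding(line, "missing --hash"))
        if name.startswith(INTERNAL_PREFIX) and name not in RESERVED_ON_PUBLIC:
            findings.append(Finding(line, "internal name not reserved on public registry"))
    return findings


FAKE_HASH = "ab" * 32  # constructed placeholder, not a real package digest
SAMPLE = f"""requests==2.31.0 --hash=sha256:{FAKE_HASH}
flask>=2.0            # range, not a pin
acme-auth==1.4.0 --hash=sha256:{FAKE_HASH}
acme-billing==0.3.1   # internal, no hash, name not reserved
"""

if __name__ == "__main__":
    for f in lint_requirements(SAMPLE):
        print(f"{f.problem:45s} {f.line}")
```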
Next up, we’ve got client-side dependencies. Use strict Content-Security-Policy definitions with tight source restrictions. Use Subresource Integrity (SRI) and CSP nonces so that a poisoned dependency cannot be loaded in the browser. Finally, limit third-party JS such as chatbots, tracking code, and CDN-hosted scripts.
And now for the most important one, Containers. Use distroless base images with multi-stage builds, and DockerSlim, to reduce image size and strip unnecessary dependencies. Then generate SBOMs with Syft and scan the images with Trivy or Grype.
Your app dependencies will most likely be built into a container image by a CI/CD tool. The security measures here include protected branches; secrets scoped to protected branches and the jobs that run on them; and secrets scoped to specific environments, so that org- or repo-wide secrets are not exposed. Restrict IAM to specific users and privileges. Prevent forks from running DevOps jobs, harden the runners that execute CI jobs, and most importantly, lock down egress access.
Infrastructure-as-Code using HashiCorp Terraform or AWS CloudFormation is just as important, and it is exposed to the same class of supply-chain issues. Use only verified and official providers, and make sure you pull only trusted and audited Terraform modules.
Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies. Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins, Selenium, Docker, and other DevOps tools. His role sees him automating SAST, DAST, and SCA security tools at every phase of the build pipeline. He commands knowledge of every major security tool out there, including ZAP, Burp, Findsecbugs, and npm audit, among many others. He's a tireless innovator, having Dockerized his entire security automation process for cross-platform support to build pipelines seamlessly. When AFK, he is either poring over investment journals or in the swimming pool.