Popular with:
Security Engineer
Container Security

5 Supply-chain Security Controls That Every Business Should Know About

September 27, 2022
Written by
Abhay Bhargav
Vishnu Prasad K

Here’s a neat little compilation of 5 essential supply-chain security controls you should know and apply at multiple levels of the application stack. Let’s dive in!


1. Server-side Dependencies 

Let's start with server-side dependencies. You need to generate SBOMs and use it for Source Composition Analysis. Pin it with specific versions to avoid dependency confusion. And ensure that you reserve company namespaces in the global package manager namespace. 


2. Client-side Dependencies

Next up, we’ve got client-side dependencies. Be sure to use strict Content-Security-Policy definitions with tight URL restrictions. Use SRI and Nonce for CSP definition to prevent poisoned deps from being loaded in the browser. Finally, limit third-party JS like chatbots, tracking code, and CDNs. 


3. Containers

And now for the most important one, Containers. Use distroless w/ multi-stage builds and DockerSlim to reduce image sizes and remove unnecessary dependencies. Lastly, generate SBOMs with Syft and scan with Trivy or Grype. 


4. CI/CD Tool

Your app dependencies will most likely be built into a container image with the help of a CI/CD tool. The security measures include Protected Branches, secrets on protected branches and jobs related to them, and secrets on the environment to prevent org or repo secrets from being compromised. See that you restrict IAM to specific users and privileges. Prevent forks from running DevOps jobs, harden runner that runs CI jobs, and most importantly, lockdown egress access. 


5. Infrastructure-as-Code

Infrastructure-as-Code using HashiCorp Terraform or Cloudformation can be pretty important. These are vulnerable to security issues as well. So use only verified and official providers and ensure you only utilize trusted and audited Terraform modules. 

Get your full Container Security training started here!

Never Stop Learning!

Source for article
Abhay Bhargav

Abhay Bhargav

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA. He loves golf (don't get him started).

Abhay Bhargav

Vishnu Prasad K

Vishnu Prasad is a DevSecOps Lead at we45. A DevSecOps and Security Automation wizard, he has implemented security in DevOps for numerous Fortune 500 companies. Vishnu has experience in Continuous Integration and Continuous Delivery across various verticals, using tools like Jenkins, Selenium, Docker, and other DevOps tools. His role sees him automating SAST, DAST, and SCA security tools at every phase of the build pipeline. He commands knowledge of every major security tool out there, including ZAP, Burp, Findsecbugs, and npm audit, among many others. He's a tireless innovator, having Dockerized his entire security automation process for cross-platform support to build pipelines seamlessly. When AFK, he is either pouring over Investment journals or in the swimming pool.


Contact Support


1603 Capitol Avenue,
Suite 413A #2898,
Cheyenne, Wyoming 82001,
United States

Copyright AppSecEngineer © 2023