Addressing big business and government agencies, the UK’s National Cyber Security Centre (NCSC) has issued a warning that attacks on software pipelines “could have a significant impact.”
The compromise of SolarWinds’s updates, which the US says was “likely” carried out by Russian hackers as part of a broader campaign, has put the software supply chain and software development processes in the spotlight. It wasn’t the first software supply chain attack, but Microsoft has called it the “biggest attack ever to happen in the world.”
The NCSC does not name SolarWinds but notes that the software development pipeline is often “overlooked” despite broad awareness of security among software developers.
It states that automated software development with continuous integration and continuous delivery (CI/CD), a popular development method in which regular updates carry built-in security tests, can be a great way to protect the software pipeline.
“It is important that the pipeline is well protected, and that it protects the construction of each of the existing structures,” the NCSC said.
The key message here is to keep different builds adequately separated from one another so that, if some systems are compromised, each build is protected from the others.
Organizations that take advantage of automated software development also need to ensure that their processes can show that security tests are enforced – or that testing will not be too expensive.
Attackers who compromise the software development pipeline may add malicious code to software built and used by that pipeline, access any secrets used by the pipeline, and gain access to other sources of source code and to other locations.
“The pipeline needs to be protected from the most effective invasion of the environment,” notes the NCSC.
Its recommendations are very consistent with those of Microsoft, Google, and the NSA. These include using multi-factor authentication, designing system access on a least-privilege basis, and using network security and monitoring for attacks.
But the NCSC also has advice on how organizations should choose the physical hardware for development work.
“Performing each build on a single-use machine will make it very difficult to build one and attack another using shared hardware (such as CPU), and the two that make up the OS kernel sharing will have many distractions,” the NCSC notes.
“If a builder can access information stored in another building (such as their source code or create art objects), then it can steal secrets or alter what builds.”
On verifying the integrity of software builds, the NCSC urges companies to ensure the use of encrypted downloads from the code repository, and again when builds are sent to the archive where they are stored for distribution.
Defending against supply chain attacks is more than trying to stop the theft of encryption keys to access protected cloud resources.
Finally, organizations should use cryptographic checksums to record data processed by the pipeline.
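One way to apply the checksum recommendation, shown as an added example that is not taken from the NCSC guidance or the original article: a build stage records a SHA-256 digest for each file it produces, and a later stage re-checks those digests before distribution. The function names, manifest layout, and file names are assumptions made for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

GENESIS = "0" * 64  # chain anchor for the first manifest entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def entry_hash(entry):
    body = {k: entry[k] for k in ("stage", "name", "sha256", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_stage(manifest, stage, paths):
    """Append one entry per file, each chained to the previous entry's hash."""
    for p in paths:
        prev = manifest[-1]["entry_hash"] if manifest else GENESIS
        e = {"stage": stage, "name": Path(p).name, "sha256": sha256_file(p), "prev": prev}
        e["entry_hash"] = entry_hash(e)
        manifest.append(e)
    return manifest

def verify(manifest, stage, directory):
    """Return a list of problems; an empty list means everything matched."""
    problems, prev = [], GENESIS
    for e in manifest:
        # A single edited, dropped or reordered entry breaks the chain here.
        if e["prev"] != prev or not hmac.compare_digest(entry_hash(e), e["entry_hash"]):
            problems.append(f"manifest entry altered: {e['name']}")
        prev = e["entry_hash"]
        if e["stage"] != stage:
            continue
        f = Path(directory) / e["name"]
        if not f.is_file():
            problems.append(f"missing file: {e['name']}")
        elif not hmac.compare_digest(sha256_file(f), e["sha256"]):
            problems.append(f"digest mismatch: {e['name']}")
    return problems

def demo():
    """Constructed sample data: two stand-in artifacts in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        tar, sbom = Path(d, "app.tar"), Path(d, "app.sbom")
        tar.write_bytes(b"constructed build output")
        sbom.write_bytes(b"constructed component list")
        manifest = record_stage([], "build", [tar, sbom])
        clean = verify(manifest, "build", d)
        tar.write_bytes(b"constructed build output, modified after recording")
        return clean, verify(manifest, "build", d), manifest
```

The chain only exposes partial edits to the manifest; an attacker who can rewrite the whole file can recompute it, so the manifest itself should be signed or stored where the build worker cannot write.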