Improve Your Cybersecurity with a Secure Software Development Supply Chain

June 9, 2021 VMware Tanzu

This post was co-written by Tanzu Executive Value Advisors JT Perry and Henri van den Bulk.

The U.S. government is instituting stricter requirements on federal agencies and federal contractors to address cybersecurity threats. Adopting the right set of tools and practices will help organizations secure their software development supply chains and be prepared to meet these standards. However, the initial requirements also provide a valuable framework for any organization trying to reduce its security risk—not just government institutions and those doing business with them. 

On May 12, 2021, President Joe Biden issued an executive order designed to improve the federal government’s defenses against cyberattacks, stating that “[T]he prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” The recent ransomware attack on Colonial Pipeline is a prime example of a malicious cyber campaign with serious implications—the entire network of one of the nation’s largest fuel pipeline operators was shut down. Meanwhile, Scripps Health experienced a ransomware attack affecting its ability to care for patients. The scope of the executive order focuses on mandates for U.S. federal systems and suppliers. While that is a very large set of systems and organizations by itself, it is reasonable to expect compliance frameworks, such as HITRUST and SOC2, to incorporate these controls as well.

For many organizations, significant actions and investment will be necessary to meet both the requirements that are included in the executive order as well as any new regulations that might come in the future. The good news is that VMware Tanzu can help make your organization more secure today and prepare it for the anticipated National Institute of Standards and Technology (NIST) guidelines tomorrow. A key focus of VMware Tanzu is the software supply chain, including getting code to production as securely and efficiently as possible.

Core principles of a secure software supply chain

Many factors are necessary to implement a secure software supply chain. Some key principles include:

  • Trust – For a supply chain to work efficiently, it’s imperative that all involved parties trust that each step and output in the chain is completed without compromise. Trust can be established through verifiable attestations and provenance.

  • Transparency – Providing insights into all parts of the development supply chain, from the components that comprise it to the licensing and other related activities that occur,  provides consumers a way to rationalize the software they use. Having a software bill of materials (SBoM) that captures these components will help organizations review their exposure, gain insights into their processes, improve compliance, and most importantly, remediate vulnerabilities faster.

  • Zero trust – Instead of thinking of assets, resources, and users as static entities that have implicit trust based on location, all organizations should assume that, by default, there is no implicit trust between those entities. Rather, trust must be established based on dynamic evidence, which means environments must look for evidence, expressed in policy, before letting software in.

  • Automation – The average time to remediate vulnerabilities must be as low as possible, which means removing the human element and all scheduled updates. Indeed, according to Sonata’s 2020 State of the Software Supply Chain report, high performers (those organizations that have a high degree of risk managed and highly productive dev teams) detect and remediate vulnerabilities 26x faster than low performers. They do so by automating the software development supply chain so as to continuously update, removing vulnerabilities at every stage. 

  • Immutable and declarative – Keeping in mind the saying, “Treat infrastructure and applications like livestock rather than pets” will help you reduce complexity when working in the supply chain. But doing so requires that your infrastructure be both immutable and declarative. Ensuring it’s declarative will allow you to rebuild your environment from a known state, and more importantly, identify drift. Knowing this will allow an organization to pinpoint where an unintended change or exposure has been created.

  • Identity and authentication – All participants in the chain, including systems, should have an identity that requires mutual authentication to ensure security. The additional benefit of doing this is that it provides traceability of who did what, when. And to avoid the exposure of participants’ credentials, key rotation must be implemented.

Enhancing software development supply chain security 

There are 11 sections to the executive order, but we want to highlight Section 4, “Enhancing Software Supply Chain Security,” which mandates that “the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.” Preliminary guidelines will be coming from NIST for federal government agencies to address within 180 days of the executive order, but there are steps you can take in the meantime. Given the general direction of the executive order, taking these steps will help ensure you are close to, if not already, complying with the controls once they are issued. You also will greatly improve your security posture in the meantime.

Section 4 of the executive order calls for several types of software supply chain controls, such as:

  • Securing of software development environments that document and minimize dependencies on enterprise products used to develop, build, and edit software and that monitor operations and alerts as well as respond to both attempted and actual cyber incidents

  • Publication of an SBoM

  • Maintenance of trusted source code supply chains through the use of automated tools or comparable processes

  • Use of automated tools or comparable processes that check for known and potential vulnerabilities and remediate them

  • Provision of artifacts that document the execution of the tools and processes used, including a summary description of the risks assessed and mitigated

  • Maintenance of accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, as well as performance of audits and enforcement of these controls on a recurring basis

VMware Tanzu in the secure software development supply chain

At VMware Tanzu, enabling the software supply chain means establishing a fully automated flow to support a continuous path to production. As part of this flow, we incorporate the concerns of different stakeholders, provide capabilities that separate their respective concerns, and apply our principles.

This flow can be broken down into first-party and third-party flows, where first-party flows involve enterprises developing their own software and third-party flows comprise the consumption of commercial off-the-shelf containers or open source software (OSS). These two flows can be independent or merge depending on the solutions you’re building. Regardless, Tanzu helps address both.

Based on the flow from Achieving DevSecOps Outcomes 

As the above diagram shows, this flow can be enabled through a set of discrete steps and capabilities that you’ll need to address to establish your own secure software supply chain. Let’s outline them here and show how Tanzu can help.

In this modern world, the ability to build, manage, and govern containers from source code in an automated fashion that is reproducible is critical. You need to be able to respond to common vulnerabilities and exposures rapidly and automatically, without a complete rebuild. Attestation of what is included in a build is also required; you need receipts. Tanzu Build Service enables you to do all of this, and also generates an SBoM using Cloud Native Buildpacks.

Tern, a VMware-originated open source project that is now part of the Linux Foundation Automated Compliance tooling initiative, gathers metadata for the packages installed in a container and produces an SBoM for that image, including output in the open SPDX standard format. Tern can be used to generate this information for any image, which increases the speed by which third parties can provide them in order to meet the new federal regulations. 

To create a secure software development supply chain, you must build and deploy from known and trusted software components. OSS can be sourced from many locations, but by leveraging a trusted source that certifies any OSS against a set of security and validation tests, you can reduce your supply chain risk. Tanzu Application Catalog can be used as your curated third-party software, which will ensure you are only using technology pieces that have been vetted and documented. Additionally, it will produce an SBoM for those curated components.

Software is always a composite solution. To ensure the solutions from the first and third parties come together, those end artifacts need to be combined into a registry where they can all be continuously scanned for vulnerabilities and provide single sourcing within an organization. Harbor is an enterprise-class registry server used to store and manage such image artifacts.

With the growth of Kubernetes, the newest IaaS, it’s imperative that these environments apply zero trust security. However, as the growth of Kubernetes continues,  the resulting sprawl can become unwieldy. That’s why you need the ability to declaratively define clusters, manage their lifecycle, and apply policies to them. Tanzu Mission Control provides you this capability across on-premise, cloud, and Kubernetes distributions.

You must be able to react when an incident occurs, which means minimizing the mean time to identifying and remediating them. The first step in that chain of action is knowing something happened. Whether it is the result of a software bug or a malicious actor, detecting what went wrong and where is critical. You need full observability into the stack that delivers your business outcomes. VMware Tanzu Observability by Wavefront delivers the enterprise-grade observability and analytics at the scale you need to be able to detect and react to any incidents that may arise.

Together, all of these capabilities represent a comprehensive end-to-end DevSecOps tool chain. And all this value is available today in Tanzu Advanced, which includes a best-in-class Kubernetes distribution. Whether you are starting fresh or building on top of your current CI/CD components, Tanzu Advanced can provide an auditable, trusted, and operationally efficient deployment and operations substrate for you to build business outcomes.

DevSecOps practices must accompany tools

Tools alone won’t keep you safe or in compliance. Your practices must bring those things to life. Indeed, every technology shop should be working to securely reduce the cost, time, and friction involved in getting from an idea to realizing revenue. A primary question you should be asking is: How do I create a first-class developer experience to inspire and enable my development teams to quickly iterate and get technology into the hands of my users?

Pursuing DevSecOps practices in combination with the tools listed in this post can help make your secure software development supply chain a reality.

Need help getting started with DevSecOps? Tanzu Labs can help you learn and excel at the practice.

Get ahead of cybersecurity directives

The cyberSecurity executive order issued by the White House represents a significant leap forward in the regulations—and expectations—around secure software delivery. While specific implementation details won’t be coming from NIST for a while, establishing DevSecOps practices that adhere to industry standards and securing your software supply chain will better prepare you for the future. VMware Tanzu can help provide many of the building blocks, and our Labs team can help you assemble them and put in place the necessary related practices.

What you will discover by embracing these tools and practices is an amazing software pipeline that lets you get your business ideas into production, helps bring in revenue, and allows you and your customers to sleep well knowing you are building on a foundation of security.

Additional references:

JT Perry is a part of the Tanzu Value Advisory team, which works with the company’s most important customers to help accelerate their digital transformation initiatives. He is an experienced executive leading both the technical and business transformation of healthcare and insurance companies. As VP of Business Transformation and CIO of Premera Blue Cross, JT was a leader in the launch of Premera’s provider practice and moved Premera systems and development to a cloud-based data architecture. 

Henri van den Bulk is also part of the Tanzu Value Advisory team. He is an executive leader that has led technology strategy, modernization, and transformation at multiple large international organizations. Prior to VMware, he was the Principal Architect for multiple lines of business at Charles Schwab.

VMware Tanzu Mission Control Expands Data Protection Capabilities
VMware Tanzu Mission Control Expands Data Protection Capabilities

VMware Tanzu Mission Control now supports more storage options and recurring backups.

State of DevOps Report 2020 Focuses on the “How” of DevOps
State of DevOps Report 2020 Focuses on the “How” of DevOps

The recent State of DevOps 2020 report moves on to practical issues affecting DevOps implementation.