August 10, 2023
As secrets have a role in most security incidents, Snyk is excited to partner with GitGuardian to help development and security teams scale their security programs and further reduce an application's attack surface at every stage of the code-to-cloud lifecycle.
We recently spoke at GitGuardian's first digital conference, CodeSecDays, joining security leaders from Chainguard, Doppler, Kondukto, and more — who shared insights on software signing, open source security, and secrets management.
Panelists imagine a world where software supply chain security is solved
One of the most popular sessions was the panel moderated by Rachel Stephens, an Analyst at RedMonk. Sonya Moisset, a Senior Security Advocate at Snyk, highlighted the importance of removing the silos in organizations between the developers and the security team to create more secure software supply chains. She said it’s important to explain how new security tooling fits into the developer teams' workflows and pipelines to minimize barriers and friction. She also emphasized successfully onboarding developers from the outset to help drive higher adoption of new tooling.
“We need to make it fun and incentivize developers to learn about security. Gamification, hackathons, and bug bashes where you fix vulnerabilities in a sprint all help to drive awareness and fixes for companies.”
- Sonya Moisset, Senior Security Advocate at Snyk
The panelists also touched on how to create successful security training programs, ways to extract the most value from your security tooling, and the most important steps to take to improve your company’s security posture.
To start securing your software supply chain, Kayssar Daher, a Staff Security Engineer at GitGuardian, recommended starting small. For example, set up a registry for your Python packages and scan the packages that pass through it for security issues. Sonya suggested working with one or two teams before expanding broadly to hundreds of teams, while Eddie Zane, Staff Developer Relations at Chainguard, said another good place to start is taking an inventory of the dependencies you are using.
“I attend a lot of events. Over the past year, I’ve seen companies you would never think of in the software supply chain space. It feels like a lot of people are selling a check box. We have new regulations and executive orders, but there is no silver bullet for dealing with this problem.”
- Eddie Zane, Staff Developer Relations at Chainguard
While artificial intelligence is increasingly used in development workflows, Sonya noted that AI-generated code can introduce vulnerabilities just as code written by people inside the organization can. Applying the same toolset and workflow to scan AI-generated code, so that it is held to the same bar before it ships, is therefore essential.
The iceberg: Your attack surface just got bigger
Sonya’s stand-alone talk covered mitigating risks in your open source projects. She outlined major cybersecurity challenges, tools on GitHub Marketplace that help secure your pipeline, and best practices to harden your open source software practices. She used the "iceberg" analogy to describe the layers of a modern application: application code, open source libraries, containers, and infrastructure as code. Only the tip is visible above the water, but modern applications have many layers that are not immediately visible and are nonetheless essential to their functioning.
The iceberg analogy highlights the complexity of modern applications and the importance of taking a holistic approach to securing them. To ensure that an application is secure, you need to consider and secure all of these layers, including proprietary code, open source libraries, containers, and infrastructure as code.
Sonya opened with some of the most common attacks against open source software, such as typosquatting and injecting malicious code into a package. The open nature of open source also makes it an attractive vector for supply chain attacks: a malicious actor who manages to introduce a vulnerability or backdoor into a widely used project can spread that threat to every company that consumes the software.
Secure your pipeline at each stage of the SDLC
To combat these and other attacks, the security applications and actions available on GitHub Marketplace can help secure your pipeline at each stage of the software development lifecycle. Sonya said maintainers and contributors should consider building a basic pipeline that includes:
A software composition analysis (SCA) tool to identify the open source components in a codebase, so maintainers and contributors can manage their exposure to security and license compliance issues.
A secrets detection tool to prevent secrets sprawl, which is the unwanted spread of secrets such as API keys and credentials across multiple systems and repositories.
A static code analysis (SAST) tool, which examines source code against a set of coding and security rules before the program is run, catching defects without executing the code.
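As an added example, not code from the talk or from this page, here is a minimal GitHub Actions workflow that wires those three stages into one pipeline. The choice of actions (Snyk for SCA, GitGuardian's ggshield for secrets detection, and GitHub's CodeQL for SAST), the repository secrets `SNYK_TOKEN` and `GITGUARDIAN_API_KEY`, and the `javascript` project language are my assumptions; the action inputs follow each action's public README, so check them against the current documentation before relying on them.

```yaml
name: supply-chain-checks

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # lets CodeQL upload its SARIF results to code scanning

jobs:
  sca:
    name: Software composition analysis (Snyk)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan open source dependencies
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # assumed repository secret
        with:
          # fail the job only on high or critical findings; tune for your risk appetite
          args: --severity-threshold=high

  secrets:
    name: Secrets detection (ggshield)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so every new commit in the push or PR is scanned
      - name: Scan commits for leaked secrets
        uses: GitGuardian/ggshield-action@v1
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}   # assumed repository secret

  sast:
    name: Static analysis (CodeQL)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumed project language; set to your stack
      - uses: github/codeql-action/analyze@v3
```

The three jobs run in parallel and each one fails the workflow independently, so a leaked key, a vulnerable dependency, or a SAST finding each blocks the merge on its own. Running the secrets job against the full commit range (rather than the final tree) matters: a credential that was committed and then deleted in a later commit is still in the history and still needs rotating.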
She went on to explore effective strategies for managing secrets, such as encrypting sensitive information, and how to use static code analysis at different stages of the software development lifecycle, from early design and development through testing and deployment. For a deep dive on this topic, check out Sonya’s “Open Source Software Security Handbook – Best Practices for Securing Your Projects.”
If you share the goal of CodeSecDays and envision a world with no security vulnerabilities, explore the event’s full playlist here.