The Critical Role of Developers in Software Supply Chain Security

In the wake of increasing cyber threats, supply chain security has taken center stage, with particular emphasis on Software Bills of Materials (SBOMs) and on scrutinizing open source software (OSS) libraries. However, in this fervor to secure the software supply chain, we risk overlooking a critical aspect of software development: our developers.

The Role of Custom Code

A close examination of typical application development reveals some startling facts. Approximately two-thirds of the active code in an application originates from the developers themselves. This is your organization's code. Moreover, a majority of vulnerabilities are found in this same code. Unfortunately, these vulnerabilities are not just present but also largely exploitable.

The dominant narrative around software supply chain security tends to center on OSS and its vulnerabilities. Yet only 38% of OSS libraries are active, and only around 10% of OSS vulnerabilities are genuinely exploitable. While it is crucial to remain vigilant about these, we must recognize that the potential harm posed by vulnerabilities in our own code is significantly higher.

Balancing Open-Source Software Security

This is not to diminish the importance of open-source library security. Having been in application security for more than 15 years, I understand the risks involved. However, our focus on open-source security should not overshadow the security needs of our custom-developed code.

Refocusing Our Efforts

It's concerning to witness organizations bending over backward to get their open-source library use in check while providing insufficient attention to securing their own code. There's a critical need to realign our efforts, focusing on the most significant threats in the software supply chain: the vulnerabilities in our own code.

Developers are at the heart of this challenge. As creators of the majority of an application's code, their role in implementing secure coding practices is vital. It's not merely about plugging in OSS libraries; it's about ensuring that every line of code that they write is as secure as possible. This will not only minimize the introduction of vulnerabilities but also reduce the potential for exploitability.

To address the concerns raised above about securing the software supply chain while keeping the focus on developers' own code, Fortify Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) are tools that can significantly contribute to a comprehensive security strategy.

Fortify SAST (Static Application Security Testing)

Fortify SAST is a powerful tool that scans the source code of applications, including custom-developed code, to identify security vulnerabilities and coding errors. By analyzing the codebase statically, SAST can pinpoint potential security flaws before the application is even deployed. This helps developers identify and rectify security issues in their own code during the development process, thereby reducing the chances of introducing vulnerabilities that may be exploited later.

With Fortify SAST, organizations can prioritize addressing vulnerabilities in their custom code, which, as mentioned earlier, constitutes the majority of an application. By focusing on securing their own codebase, developers can ensure that the final product is more resilient against potential attacks, reducing the overall risk to the software supply chain.

Fortify DAST (Dynamic Application Security Testing)

While Fortify SAST assesses the application's source code, Fortify DAST complements it by analyzing the application from the outside, simulating real-world attacks. DAST interacts with the running application and identifies security vulnerabilities that may not be evident in the source code.

By conducting dynamic testing, Fortify DAST can uncover potential vulnerabilities and exploits that attackers could target, regardless of whether they are in the custom code or within third-party components. This helps developers gain a comprehensive understanding of their application's security posture and enables them to make necessary improvements to protect against potential attacks.

Fortify SCA (Software Composition Analysis)

As organizations rely on numerous third-party components, such as open source libraries, Fortify SCA plays a vital role in identifying and managing security risks associated with these components. SCA scans the software for known vulnerabilities in third-party libraries and dependencies, allowing developers to assess their impact on the application's overall security.

Fortify SCA helps address concerns raised about OSS vulnerabilities by identifying inactive libraries and determining which OSS components are genuinely exploitable. By having this insight, developers can prioritize updates and patches to mitigate the risks posed by external dependencies.
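The two ideas in this section, flagging dependencies that carry a known advisory and then separating the ones the application actually uses from the ones that are merely declared, can be illustrated with a small script. The following is an added example written for this article; it is not Fortify code and does not describe how Fortify SCA works internally. It assumes a pinned `requirements.txt`-style manifest, a small advisory list keyed by package name with a "fixed in" version, and a set of Python source files; all three are constructed inline, the advisory identifiers are placeholders, and "imported somewhere in the code" is used as a simple proxy for "active".

```python
"""Toy software-composition check.

Added example, not Fortify's code. Reads a constructed dependency
manifest, matches each dependency against a constructed advisory list,
and then checks whether the package is actually imported by the
application's own source. Vulnerable-and-imported ranks above
vulnerable-but-unused, which ranks above clean dependencies.
"""
import ast

# Constructed manifest (requirements.txt style, pinned with ==).
MANIFEST = """\
# application dependencies
requests==2.25.0
pyyaml==5.3
leftpad-py==0.1.0
"""

# Constructed advisory feed: package -> advisories, each saying which
# version first contains the fix. IDs are placeholders, not real advisories.
ADVISORIES = {
    "requests": [{"id": "ADVISORY-PLACEHOLDER-1", "fixed_in": "2.26.0"}],
    "pyyaml": [{"id": "ADVISORY-PLACEHOLDER-2", "fixed_in": "5.4"}],
}

# Distribution name -> top-level import name (they differ for some packages).
IMPORT_NAMES = {"pyyaml": "yaml", "requests": "requests", "leftpad-py": "leftpad"}

# Constructed application source files.
SOURCES = {
    "app/main.py": "import requests\n\ndef fetch(url):\n    return requests.get(url).text\n",
    "app/util.py": "import os\nfrom collections import defaultdict\n",
}


def parse_version(text):
    """Dotted numeric version -> comparable tuple, e.g. '2.25.0' -> (2, 25, 0)."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return {package_name: version} for pinned '==' lines; other lines are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def imported_modules(source):
    """Top-level module names imported by one Python source file."""
    modules = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                modules.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module:  # skips 'from . import x'
            modules.add(node.module.split(".")[0])
    return modules


def analyze(manifest, advisories, sources, import_names):
    """Return one finding per declared dependency with a remediation priority."""
    deps = parse_manifest(manifest)
    used = set()
    for source in sources.values():
        used |= imported_modules(source)

    findings = []
    for name, version in deps.items():
        active = import_names.get(name, name) in used
        # Affected when the pinned version is below the first fixed version.
        hits = [adv["id"] for adv in advisories.get(name, [])
                if parse_version(version) < parse_version(adv["fixed_in"])]
        if hits and active:
            priority = "high"      # reachable from our own code: patch first
        elif hits:
            priority = "low"       # declared but never imported: remove or patch later
        else:
            priority = "none"
        findings.append({"name": name, "version": version, "active": active,
                         "advisories": hits, "priority": priority})
    return findings


if __name__ == "__main__":
    for f in analyze(MANIFEST, ADVISORIES, SOURCES, IMPORT_NAMES):
        print(f"{f['priority']:<5} {f['name']}=={f['version']} "
              f"active={f['active']} advisories={f['advisories']}")
```

On the constructed input, `requests` is both affected and imported and ranks "high", `pyyaml` is affected but never imported and ranks "low" (a candidate for removal rather than an urgent patch), and `leftpad-py` is clean but unused. The import check is deliberately crude; a production SCA tool would resolve transitive dependencies and look at which functions are reached, but the triage logic is the same.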

The Synergy of Fortify's Solutions

By combining Fortify SAST, DAST, and SCA, organizations can build a robust defense against potential threats originating from both their custom code and third-party components. Developers gain visibility into security weaknesses early in the development cycle with SAST, while DAST enables them to identify potential vulnerabilities in the application's runtime environment. SCA, on the other hand, keeps a close eye on the OSS components used, reducing the risk of external vulnerabilities.

Together, Fortify's suite of solutions empowers developers to address the concerns highlighted earlier. They can focus on securing their own code through SAST, proactively test applications' security with DAST, and manage third-party risks with SCA. By adopting these practices, organizations can strike the right balance between addressing vulnerabilities in their own code and securing their software supply chain as a whole.
