
SBOMs, VDR and VEX Explained for Business People

Introduction

As part of our commitment to helping the UK become a safe place to do business, we are going to release a regular ‘CSP Academy’ piece.

In the first series, over the coming weeks, we will discuss software bills of materials (SBOMs) in three articles, explaining their function, their benefits, and the risks they address. Today’s post explains the software supply chain security problem.

Dependencies in the software supply chain

As part of securing your supply chain, it is important to consider the software you use. It may not be as obviously part of the supply chain as any physical components needed to deliver your product or service, but it still adds risk.

One risk is that vulnerabilities or malware are present in (or introduced into) code that you depend on. They might have been present from the outset, but unknown; they might have been there, known about but not yet fixed; they might have been introduced as the result of a change.

  • Vulnerabilities are flaws in the software that leave a security hole. An attacker may exploit that hole to gain access to your systems.
  • Malware is introduced deliberately, with the aim of encrypting or stealing your data, taking control of your system, or making it unavailable.

For example, you may have heard about the Log4j problem: a significant vulnerability, known as Log4Shell, was found in a component of Log4j. Log4j is open-source code (meaning it is free to use) running on millions of computers around the world, and this vulnerability meant that, until they were updated, all of those computers were open to attack.

Another risk is that the creator of a code component may stop updating it. As that code ages, new security issues may arise, adding vulnerabilities.

As a sidenote: another kind of risk is that of licensing. If you are using open-source software components (and almost all organisations are), there may be a requirement that any software you produce from them is also open source. Knowing which components you are using (even those used indirectly) will help you understand whether this is a problem. This will depend on any requirements the creator placed on the code; you should consult a legal expert.

Software supply chain security aims to ensure that software is not compromised at any stage of its development. In this short series, we are going to focus on:

  • A description of some of the security issues in the software supply chain 
  • How a software bill of materials (SBOM) helps you identify what is in a software package
  • How a VDR (Vulnerability Disclosure Report) or VEX (Vulnerability Exploitability eXchange) helps you determine whether there are vulnerabilities in the code that could cause problems for your business.

Wait: first an explanation of what we mean by vulnerability

Designing and coding software is hard. It is easy to inadvertently introduce flaws in the way the software is designed, or defects in the way that it is coded. Additional security problems can arise from poor handling of information that should be kept secret, or from weak access controls during development.

Whatever the cause, a vulnerability is a flaw in the software that may allow an attacker to get into a system to steal data, install malware, or move from that system into the wider network and cause further problems elsewhere.

Developers can use best practices during development and testing to reduce the risk of such problems, but application code can be very complex and involve many, many lines of code. Windows 11, for example, is estimated to contain 62 million lines of code, while Facebook is estimated to need between 60 and 100 million lines of code to run. While ‘lines of code’ isn’t a good way of counting, it does give you an idea of the amount of work involved in creating software.

Vulnerabilities, then, are inevitable—and, as a sidenote, this is why we recommend keeping all your software up to date, because those updates may contain ‘patches’ that fix some of these flaws.

The problem: unexpected dependencies mean additional risk

Let’s start with an example.  

Suppose you set out to make a meal from a new recipe book, only to discover that each recipe refers to another one. The more you read, the more complex it becomes, and the more important a full understanding of the ingredients becomes, especially if you are catering for an allergy. See the image below: if someone is allergic to nutritional yeast, not knowing that it is an ingredient of the spice mix, and therefore of the broth, yet is never mentioned in the soup recipe, could cause problems.

The same is true of software packages. 

Software is rarely written completely from scratch. A software package typically includes several pieces of pre-written code that are called when needed to perform particular tasks. That code might have been written by your own developers, but more likely it comes from open-source libraries: code that anyone can use for free.

This is, on the whole, a good thing: it reduces rework and speeds up delivery by avoiding reinventing the wheel. Developers often include libraries of pre-written ‘blocks’ of code to make reuse easy.

However, the network of components can get very complex very quickly, and the cyber security risks expand as the complexity grows.

See the image above: some components of the resulting code package (C) are internal, and some are external. Some components are called multiple times in different places. If this is not properly recorded, changing one element can have unexpected effects and may affect all of the software that calls that component.

Dependencies matter: it is important to know what a package contains, so that you can test it, maintain it, and secure it. 

Any changes to code anywhere (A – external, in diagram, or B – internal) could influence the final code package, C. And that’s OK—if you know what changes have been made, what the impact on C will be, and are able to mitigate any issues that the changes might cause. 
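To make the A/B/C picture concrete, here is an added Python example (not from the original post) that walks a constructed dependency graph for a package C and reports which components named in an advisory are actually inside C, and through which chain of calls they got there; every component name is invented for illustration.

```python
"""Transitive dependency walk over a constructed component graph.

Mirrors the recipe analogy: a package can contain components it never
names directly. All component names below are constructed examples.
"""
from collections import deque

# Constructed dependency graph: component -> components it calls directly.
# "C" is the delivered package; "B_*" are internal and "A_*" are external
# (open-source) components, following the article's A/B/C labelling.
DEPENDENCIES = {
    "C": ["B_reports", "A_webframework"],
    "B_reports": ["A_pdfgen", "A_logging"],
    "A_webframework": ["A_logging", "A_jsonparse"],
    "A_pdfgen": ["A_imagelib"],
    "A_logging": [],
    "A_jsonparse": [],
    "A_imagelib": [],
}

def dependency_paths(root, graph):
    """Return {component: path_from_root} for every component reachable
    from root, direct or transitive. Breadth-first, so each path is the
    shortest chain of calls that pulls the component in; the 'seen'
    check also keeps the walk finite if the graph contains a cycle."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for child in graph.get(current, []):
            if child not in paths:  # first sighting: record how we got here
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths

def exposure_report(root, graph, affected):
    """Given component names flagged by an advisory (a new vulnerability,
    an abandoned maintainer), return only those actually inside root,
    each mapped to the chain of calls through which it is included."""
    paths = dependency_paths(root, graph)
    return {name: paths[name] for name in sorted(affected) if name in paths}

if __name__ == "__main__":
    # Constructed advisory: names one component C contains and one it does not.
    for name, path in exposure_report("C", DEPENDENCIES, {"A_imagelib", "A_othercrypto"}).items():
        kind = "direct" if len(path) == 2 else "transitive (not listed by C itself)"
        print(f"{name}: {kind}, via {' -> '.join(path)}")
```

A_imagelib never appears in C's own list of components, just as nutritional yeast never appears in the soup recipe; that is the gap an SBOM is meant to close.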

What can you do?

If you have your own development team, you can put appropriate controls in place, for example:

  • using only a predefined set of libraries 
  • recording what components are being used 
  • verifying the source code on download 
  • ensuring that code is tested  
  • ensuring that unnecessary components in those libraries are minimised 
  • ensuring that code is kept up to date (this is known as patching) 
  • keeping up to date with any security issues or updates concerning those components.

If you do not have an in-house team of developers, you are relying on others to implement security measures in their software development.

The key to the problem outlined in this article is understanding which code components are used in any given software package. In our next post, we’ll discuss SBOMs (software bills of materials), which aim to provide information about the components in a software package.
