The SolarWinds attack by the Russian hackers was a wake-up call for the entire software industry. It laid bare the enormity of the fallout from software supply chain attacks, impacting 18,000 SolarWinds customers, including Fortune 500 companies like Microsoft and government entities like NASA, the US Justice Department, and the US State Department. In the aftermath, Kaseya, Codecov, ua-parser-js, and Log4j all came to pass, showing that a single breach or vulnerability in the distributed code could lead to tens of thousands of hacking targets.

These high-profile incidents are emblematic of the fundamental weakness in our security defenses—implicit trust placed in the software supply chains, which Beyond Identity and GitLab are looking to address.

Code vulnerability in detail 

Software supply chain attacks resulting from inadvertent malware distribution to end customers works as follows: 

1. Software vendors regularly send out updates to their code—a bug fix or to introduce a new set of features. 
2. Threat actors attack the software build process used to create this code. 
3. If they succeed in injecting malicious code and the end customers unwittingly download it, the compromised code creates a backdoor in the target customer’s network. 

The threat actors then use that backdoor to install even more malware that ultimately helps them exfiltrate customer’s sensitive data.

The magnitude of the risk

These attacks have far-reaching implications for both the suppliers and consumers of the software supply chain. 

For software suppliers, the results can be brand erosion, loss of customer confidence, and lengthy legal battles fighting off multibillion dollar lawsuits. 

For consumers, this creates a gaping hole in their security posture that allows threat actors stealthy and persistent access to their secure systems and networks, decimating all the investments they made in modernizing their security infrastructure.

Typical approach

The good news is the cybersecurity industry is not sitting idle. It has upped its ante and shifted its focus to the left in the supply chain, resulting in a slew of cybersecurity products and industry frameworks that claim to thwart the software supply chain attacks. 

Supply Chain Levels for Software Artifacts (SLSA) is one such industry framework that establishes three trust boundaries (around Source, Build, and Package steps) encouraging the right standards, attestation, and technical controls, so you can harden a system from these threats and risks. This framework is designed to automate the steps involved in analyzing artifacts, guaranteeing the original source code, protecting against interference that can happen in the build and distribution processes, isolating any hidden vulnerabilities, and recognizing which system components might be affected. 

Many products are focused on identifying malware by scanning the code. While they do a great job identifying vulnerabilities by looking up for known vulnerabilities, they fall short when malware is cleverly hidden across different parts of the legitimate code such that automatic code scanning can not spot it.

Our approach: secure code access from the onset

In order to stop malware from getting introduced in the first place, you need a much tighter control on your version control system. The most popular distributed version control system in use today is git, which has its own set of loopholes that hackers love to exploit. 

These loopholes are related to git’s use of SSH keys to authenticate to the git remote and its use of the gitconfig file to identify the author of code changes. Hackers can easily steal the private SSH keys to gain command line access to the git remote and use the modified gitconfig file to spoof the identity of the author. Apart from external hackers, malicious insiders can also use this same loophole to pretend to be someone else who is more trusted within their organization and check in malicious code.

Beyond Identity’s Secure DevOps Solution takes a zero trust approach toward solving this problem and provides integrity, authenticity, and non-repudiation qualities to your code. Instead of using an SSH key to access git or a GPG key to sign code, Beyond Identity generates a public/private key pair that binds identity to each device used, providing cryptographic traceability between developers and the code they access and check in to the repository. If you do find configuration issues or malware in your code, you can trace its origin with certainty.

Regu Rejaiah, Enterprise Architect at Beyond Identity, demos the Beyond Identity-GitLab Solution

Beyond Identity further evaluates device security posture to ensure that developer devices comply with the corporate security policies. The policies can include, checking for the presence of antivirus, firewall, hard disk encryption, MDM, etc. and checking for the Crowdstrike Zero Trust assessment score for that device. Beyond Identity also verifies that the code commit was signed by a corporate identity that is still present in the corporate directory and its public key matches to the one stored in the cloud. Administrators can configure their CI/CD pipeline to abort if any of these checks fail.

Conclusion

Software supply chains present a large opportunity for today’s sophisticated hackers, but GitLab and Beyond Identity are working to take the code check-in and signing process off the table.

FAQ: 

Q. Do I need code commit signing if I am already doing code signing?

Code signing is different from code commit signing. Both are important from a security standpoint. Code signing provides assurance to your customers that the code they are downloading is coming from a trusted source. Code commit signing provides assurance to you that the code added by developers is not contaminated by malicious threat actors.

Q. What use cases does this solution solve?

• Prevents a hacker from impersonating as an insider and committing malicious code.
• Prevents an insider from impersonating as another trusted colleague and committing malicious code.
• Deters an insider from repudiating a malicious code commit.
• Prevents a terminated employee from committing code. 
• Prevents employees from committing code from machines that are not in compliance with corporate policies.

Q. What git repositories are supported?

GitLab is a great partner to Beyond Identity, but our solution also supports GitHub, BitBucket, Azure DevOps, and AWS Code Commit.

Q. Can this support multiple repositories on a developer’s machine?

Yes, a developer can use this solution with multiple repositories. These repositories can be hosted on the same remote repository (single vendor) or multiple different repositories (multiple vendors).

Q. What if portions of my development are outsourced to contractors or Systems Integrators?

The solution should be deployed across your entire developer community, including your employees, contractors, and outsourcing partners, such as global systems integrators.

Q. Is this solution required to secure corporate IT software development?

Yes, this solution is applicable to any company that has software development teams focused on building code either for external use (product development) or for internal use (corporate IT).

DOCUMENTATION: Go here for more documentation.