Zero Trust at the Source

Code Security to Protect the Software Supply Chain

Everything begins with code. Code is everywhere. It has been proven that Identifying risks early in the code development process reduces the cost of mitigation and overall cybersecurity impact. When these risks are left in code, they can propagate undetected and mushroom into unintended incidents with long lasting impact. Addressing these later in the code lifecycle is exorbitantly expensive and leads to disruption, loss of data, and unintended exposure and liability.

The software supply chain is made up of several phases with discrete development tools  linked in some manner to the continuous integration / continuous deployment (CI/CD) pipeline with a recognized goal of speeding up the delivery process. Absent a unifying framework, the threats and vulnerabilities inherent to various stages of the development pipeline are often addressed by discrete point solutions along the way leaving gaps in the process that are often exploited by malicious yet capable threat actors with savvy technical skills. 

The idea that code starts at the source, particularly internally developed code, supports the need for a comprehensive approach to security that extends as a virtual force shield across the entire DevOps cycle. One that is continuous and ever present. Today’s developers are quick to adopt and reuse code from third party and open sources, ultimately to speed up delivery and deployment. 

What makes up the zero trust concept

According to the NIST SP 800-27 standard titled Zero Trust Architecture,  “Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure”. 

Zero trust basics

In the zero trust model, entities such as (human) users, systems, applications, infrastructure and code are all considered subjects. Human users may be referred to as users. At first, all subjects are considered untrusted until they have been validated. 

Zero Trust – Source: NIST SP 800-27; Zero Trust Architecture

In modeling zero trust, a subject needs access to an enterprise resource. Access is granted through a policy decision point (PDP) and corresponding policy enforcement point (PEP). Once trust has been established, they can proceed into a zone where they can access the requested resource. 

The requestor can be a user, an application or a service called from code. The logic to establish identity as well as determine related risk factors lie in the center  block and aid in determining which enterprise roles should have specific levels of access to code repositories and permissions to perform actions. In the case of code development this could be progressing from post-merge checks to build and deployment. 

How can zero trust be applied to protecting the software supply chain?

In the recent past, developers and infrastructure teams have chosen their own favorite discrete, stage-specific tools that apply across the CI/CD pipeline. This way developers can use their preferred integrated development environment (IDE), version control, test automation and deployment tools  while relying on an automated release orchestration platform to act as the optimizer across the process. 

Applying zero trust in this landscape starts with defining roles. For example, roles Established may include developer, infrastructure, site reliability, application security (AppSec) and information security functions. 

Using roles based access control (RBAC) development managers in conjunction with AppSec teams can define specifically which roles have access to which repositories and in many cases setup a segregation of duties model where only a few team leaders end up with complete access to repositories, while individual developers only have access to repos that they need to work on. 

Zero trust extends well beyond human users to include various computing entities that are referred to as subjects in the NIST standard for zero trust architecture. Applying code security at the source, which is where code starts, is key to ensuring that risks are identified at the beginning of the CI/CD process. It is important to start with an assumption that all subjects in the CI/CD flow are untrusted until they are validated via a PDP/PEP. This will cause zero trust to propagate throughout the environment end-to-end. 

Zero trust hence makes security an inherent part of the CI/CD process and to that end creates implied collaboration between AppSec, developers, site reliability engineers (SREs), and IT Ops to make sure that the pieces are in fact stitched together and ready to operate. In this case they would operate securely as source code that is internally written may get merged with open source or third party code that has already been vetted and prepared to proceed down the deployment path.

With careful planning and the right solution, zero trust can be applies to code security

BluBracket eliminates the following risks in code:

BluBracket delivers a code security platform that identifies and removes the most comprehensive set of code risks.

Steps teams can take to apply zero trust to secure the software supply chain

Defense in depth is not the operating principle here. It is the concept of validating trust, establishing trusted transactions and maintaining them. To that end it is important for AppSec and security architects in particular to ask three key questions to establish that trust:

1. Can we find critical risks that exist at the source?

• We need to identify and remove critical risks in code.

2. Who has access to the code?  

• Harden authentication and apply least privilege roles-based access.

3. Where is the code going?

• Ensure code from private repositories does not get exposed in public repos.

BluBracket Code Security – the policy enforcement point for zero trust

BluBracket scans code present in git repositories to protect software supply chains by preventing, finding and fixing risks in source code, developer environments and pipelines. Companies can now ship secure code without sacrificing speed or innovation. 

BluBracket links developer and security teams by integrating with developers’ favorite tools and delivers friction-less code security into existing workflows. This helps extend the notion of zero trust across the CI/CD pipeline.

The BluBracket code security platform when deployed can enable zero trust by:

Eliminating secrets and code risks at the source: automatically identify and prevent secrets, PII, infrastructure as code (IaC) risks and non-inclusive language from propagating through code.

• Protecting against code leaks: detect code leaks and prevent unintended sharing of code to public repositories.
• Enforcing access policies: enable roles based access control (RBAC); alert when unauthorized people and systems have access to code. Stop code tampering with hardened authentication and branch protection rules.
• BluBracket addresses the most comprehensive set of risks in code and enables collaboration across teams tasked with protecting the organization’s software supply chain. 

For more information on BluBracket solutions and how code security can help you apply zero trust to protect your software supply chain, please contact us at [email protected] to get started for free.

*** This is a Security Bloggers Network syndicated blog from BluBracket: Code Security & Secret Detection authored by Pan Kamal. Read the original post at: https://blubracket.com/zero-trust-at-the-source/