
Supply Chain Security Inside and Out


In modern software development, developers move quickly by reusing third-party libraries and open source dependencies. This “supply chain” of components enables speed, but it has also become an attack vector. Securing the software supply chain is vital to keeping an organization’s SDLC protected. Let’s look at two aspects of securing your organization’s software supply chain: what can be pulled out of it, and what gets into it.

A recent report by Aqua Security found that many organizations had inadequate controls around the secrets in their SDLC. Numerous container registries and artifact repositories are unintentionally left open to the public.

In some cases, repositories were intentionally public, but contain secrets not meant for public disclosure. In many cases, these secrets were credentials, API addresses or certificates that could enable further attacks deeper into the organization.

Many Sonatype customers use Sonatype Nexus Repository to distribute components to their customers, partners, or the wider development community. When a repository is meant to be reachable by outsiders, proper access controls are vital: the line between “public by design” and “public by accident” is exactly where the secrets described above leak.

Follow these three steps for the best results:

  1. If you’re using anonymous access, make sure it fits your use case. Ask yourself whether you need unauthenticated users inside (or outside) your organization to reach your repositories. If you don’t, disabling it entirely is an easy step toward securing your SDLC.

  2. Use the search and browse features to check which repositories and which content are visible to anonymous users, not just which ones you intended to expose.

  3. Whether or not you’re using anonymous access, review our documentation on access control best practices.
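The second step is easy to do once by hand and easy to forget afterwards. The script below is an added example (not Sonatype’s tooling or code from the original post) that performs the same check from the outside: it asks a Nexus Repository 3 server, with no credentials at all, which repositories it will list and which component listings it will serve, then reports the ones that answer. It assumes the Nexus 3 REST API under `/service/rest/v1/` (`repositories`, `components?repository=`, and `security/anonymous`), a hypothetical hostname `nexus.example.internal`, and a constructed set of sample responses so it runs offline; the field names in the anonymous-access payload are taken from the Nexus 3 API and should be confirmed against your version.

```python
"""Audit what an unauthenticated client can see in a Nexus Repository 3 server.

Added example, not Sonatype's own tooling. Assumptions (not from the original post):
  - Nexus Repository 3.x REST API under /service/rest/v1/.
  - `fetch` is injectable so the logic runs offline against constructed responses.
"""
import json
import sys
import urllib.error
import urllib.request


def http_get_json(url):
    """Unauthenticated GET. Returns (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return e.code, None


def audit_anonymous_exposure(base_url, fetch=http_get_json):
    """Return {repo_name: {"format", "type", "components"}} for every repository
    whose component listing an anonymous client receives with HTTP 200.
    Repositories answering 401/403 are omitted. A 200 with zero components is
    still reported: being able to enumerate the repository is the exposure."""
    base = base_url.rstrip("/")
    status, repos = fetch(f"{base}/service/rest/v1/repositories")
    if status != 200 or repos is None:
        return {}  # anonymous access is off, or the API is blocked: nothing listable
    exposed = {}
    for repo in repos:
        name = repo["name"]
        status, page = fetch(f"{base}/service/rest/v1/components?repository={name}")
        if status == 200 and page is not None:
            exposed[name] = {
                "format": repo.get("format"),
                "type": repo.get("type"),
                "components": len(page.get("items", [])),
            }
    return exposed


def anonymous_access_disable_payload():
    """Body for PUT /service/rest/v1/security/anonymous that turns anonymous
    access off. Field names per the Nexus 3 API (assumption: verify for your version)."""
    return {"enabled": False, "userId": "anonymous", "realmName": "NexusAuthorizingRealm"}


# Constructed sample: what a misconfigured server might answer an anonymous client.
# Two hosted repositories list fine; "npm-private" is correctly locked down (403).
SAMPLE_RESPONSES = {
    "/service/rest/v1/repositories": (200, [
        {"name": "maven-releases", "format": "maven2", "type": "hosted"},
        {"name": "docker-internal", "format": "docker", "type": "hosted"},
        {"name": "npm-private", "format": "npm", "type": "hosted"},
    ]),
    "/service/rest/v1/components?repository=maven-releases": (200, {"items": [
        {"name": "com.example:payments", "version": "1.4.2"},
        {"name": "com.example:internal-sdk", "version": "0.9.0"},
    ]}),
    "/service/rest/v1/components?repository=docker-internal": (200, {"items": []}),
    "/service/rest/v1/components?repository=npm-private": (403, None),
}


def fake_fetch(url):
    """Offline stand-in for http_get_json: look the path up in SAMPLE_RESPONSES."""
    path = "/" + url.split("://", 1)[-1].split("/", 1)[1]
    return SAMPLE_RESPONSES.get(path, (404, None))


if __name__ == "__main__":
    # Pass a real base URL to audit a live server; with no argument, use the sample.
    if len(sys.argv) > 1:
        result = audit_anonymous_exposure(sys.argv[1])
    else:
        result = audit_anonymous_exposure("https://nexus.example.internal", fetch=fake_fetch)
    for name, info in result.items():
        print(f"ANONYMOUS CAN LIST {name} ({info['format']}/{info['type']}): "
              f"{info['components']} component(s) on first page")
    if result:
        print("To disable anonymous access, PUT this to /service/rest/v1/security/anonymous:")
        print(json.dumps(anonymous_access_disable_payload()))
```

Run it against the sample and it reports `maven-releases` and `docker-internal` as enumerable by an anonymous client while staying silent on `npm-private`; against a server with anonymous access disabled, the first call returns 401 and the report is empty. Because the check is unauthenticated by design, it can be run from a network position that matches your threat model (an outside host for a public-facing instance, a plain workstation for an internal one) rather than from an admin session that already sees everything.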

That takes care of what can be pulled out of your SDLC.

What about what gets into your SDLC?

Cybercriminals continue to target organizations through the components in open source repositories. Public repositories like npmjs.org and the Python Package Index make for ideal watering hole attacks: poison the well, and all who drink from it are affected.

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Michael Prescott. Read the original post at: https://blog.sonatype.com/supply-chain-security-inside-and-out