The ‘Golden Pipeline’ principles for securing the supply chain

By Nurit Bielorai, Go-To-Market Manager, Supply Chain Security at Aqua Security.

  • 5 months ago Posted in

As a cloud native security vendor, we know the stakes are high when it comes to supply chain vulnerabilities. On the one hand we work at the frontline with hundreds of customers, helping them tackle the most critical security challenges associated with their digital transformation. On the other, we need to ensure our software development life cycle is second to none and excels when it comes to delivering the security, agility and speed of deployment organisations need to stay on the front foot where innovation is concerned.

Having implemented security on thousands of software supply chains, we’re able to provide a behind-the-scenes look at what it takes to build immutability and security into today’s software development pipelines. And how the resulting ‘golden pipeline’ will prove reliable time and time again.

Incorporating security by default

Under growing pressure to deliver software faster, developers are increasingly reliant on open source code and other third-party components that enable them to build products and services more rapidly. The problem is this introduces potential vulnerabilities into development pipelines that will likely expose organisations to supply chain attacks.

As a result, building security into the development process has become a top priority for organisations looking to avoid the risk of a supply chain compromise. This is no easy task when security teams are wrangling multiple tools to try and connect the dots, and need to avoid compromising development flows at all costs.

This is why we recommend that organisations incorporate comprehensive security testing and validation from the get-go and across the entire end-to-end application development and deployment process.

The golden pipeline principles – start clean, stay clean, and store approvals

By embedding and automating security and enforcement practices across the supply chain, organisations can create a ‘golden pipeline’ that ensures an application is validated at every stage of development. So, by the time it reaches production, it’s as clean as possible – and all known supply chain risks have been eliminated.

When it comes to building a golden pipeline, organisations should first aim to start ‘clean’ by integrating auto-triggered periodic scans into their source code management (SCM) system. Designed around a defined policy that triggers specific actions and responses, this will help assure the quality and integrity of existing components, keeping them up to date with a real-time updated vulnerability and risk database.

Next, to ensure their pipelines ‘stay clean’ and are secure-by-default, every new pull request by a developer should activate an automated scan that generates a pass/warn/fail outcome. These results are then notified to developers via the SCM, together with any fix suggestions.

At the build stage a definitive automated scan provides the final audit and seal of approval. If compliant, the component gets the green light and goes into production – accompanied by a

detailed software bill of materials (SBOM) and security manifest that provides full visibility into all software components and dependencies. If yes, this is stored in a manageable pane with all other SBOMs, for easy and clear investigation whenever needed. If not, teams gain insights into next actions to take.

By incorporating robust policy-driven controls into the development pipeline, organisations are able to get instant feedback on supply chain risks. This means vulnerabilities can be caught and fixed the moment they are introduced, and before they reach runtime, a stage in the application's lifecycle where stakes (and costs) are much higher.

Long term gains and ROI

Many of the companies we work with have committed to this golden pipeline reporting approach, they’ve achieved some significant returns on investment. Alongside protecting revenue streams from the risks arising from application breaches or compliance issues, they’ve benefited in a number of other key ways:

● Automating previously manual processes to streamline their programme orchestration and cut the time and cost associated with patching and remediation.

● Giving back valuable time and bandwidth to their security and development teams that can be used more productively on other projects.

● Consolidating and reducing the number of security tools they need to procure and use – generating further sizeable cost savings that go straight to the bottom line.

In addition to elevating the supply chain defence posture of the enterprise itself, implementing a golden pipeline enables organisations to develop and deploy applications faster. Generating efficiencies along the way will make a lasting contribution to the long-term sustainability of the business.

By Jori Ramakers, Director of CX Strategy, Tricentis.
By Jon McElwee, cloud specialist at iomart.
By Gordon Saladino, Perforce.
By Rod Cope, CTO, Perforce.
DevSecOps is an increasingly popular approach to securing critical infrastructure and applications. It integrates security into the development process from the beginning, ensuring that it is at the heart of every step of development. In a largely technology-driven world, it is no surprise that the demand for integrated security is rising, with the average cost of a critical infrastructure breach being £3.7 million in 2022.
By Mark Daley, Director of Digital Strategy & Business Development at Epsilon.