In part one of our two-part series, Securing the Software Supply Chain, we walked through the basics of software supply chain and their unique security vulnerabilities. Now, it’s time to secure our software supply chain from attack. We sat down with Liongard VP of Software Engineering, Colin Hendricks, to learn about the steps we take to safeguard our supply chain and keep our data secure.
“Philosophically, we employ a zero-trust architecture,” said Colin. “Which is to say that none of the nodes trust the other nodes. They all require authentication and validation to move artifacts from one step to another.”
Here are the specific defenses and processes we take at Liongard for each step in our software supply chain. Each of these steps helps keep us—and most importantly, our Partners—safe from malicious attacks and disruption:
Our Software Engineers
“Everyone on our software engineering team and with access to our source control environment is a known, identified, and vetted person that participates full-time in building our software products,” said Colin. “We don’t employ freelancers or short-term contractors.”
To ensure permissions are given only to active employees, we have rigorous onboarding and off-boarding processes that include checklists to grant and remove access to all resources, along with a monthly audit of existing user access to verify our processes are working correctly. All users are organized into groups within each resource and permissions are associated to groups rather than individual users to prevent errors and streamline configuration.
We secure access to our engineers’ machines with multiple active controls including:
Mobile device management (MDM) software that uses profiles to guarantee machines have the latest operating system and software updates, strong passwords, local disk encryption and firewall enabled and remote visibility for our own IT department. This software can lock and wipe the device if it is lost or stolen.
Endpoint protection software that scans our devices for viruses and malware, quarantines them as necessary, and reports results to a centralized cloud.
Endpoint compliance software that guarantees all files and software on our laptops are approved and compliant with our controls.
Our Source Code
- All access to all repositories requires two-factor authentication and SSH keys.
- All code changes require a pull request process that includes review by at least two other developers before commits to the develop and master branches are accepted. Direct commits are not allowed.
- Our on- and off-boarding processes include adding and removing users as they join and leave the company.
- Our security controls include regular audits of active users in our source control system to verify our off-boarding process is working properly.
Our Build and Deployment Process (aka CI/CD)
We use a combination of automated code pipeline tools and manual processes to build our software. The controls related to these tools and process are:
- Two-factor authentication is required to access all tools and associated resources.
- The tools pull code directly from our git repositories and nowhere else.
- We automatically perform static application security testing (SAST) to audit our code and all its dependencies for known vulnerabilities. The presence of high or critical vulnerabilities blocks the build process.
- Our internal deployment server requires both SSH key and a whitelisted IP address for access, sits behind a cloud firewall, and is monitored with intrusion detection and malware scanning software. It runs Linux (with automatic patching) and no services like http or ftp.
- Our agent is the only software we provide as a download to our customers. The downloadable binary is hosted within read-only object storage that is writable only by our deployment process from the inside using the tools described above and secret keys known only to our deployment server. Our agent is digitally signed with our private key. Our private key and its password are stored in separate secure locations.
Our Code at Runtime
Our product operates as both an agent on our customers’ and their end customers’ premises, and as an API in the cloud. These different layers have different controls.
Controls for the on-premises agent:
- It is digitally signed and downloaded from our protected infrastructure.
- The installer and the local operating system validate the agent’s digital signature to ensure the downloaded code has not been changed. These validations happen at install time and every time our agent runs a job.
- The agent downloads and caches our Liongard Inspectors from the same secure locations whence itself came. It validates the checksums of these inspectors at download time and every time it runs a job. The checksums against which it validates are delivered as part of each job from our server. It also validates all checksums of all sub-modules used by our agents including open-source modules.
- The agents automatically auto-update to the latest available version to allow us to release new features and quickly address any problems. This auto-update process also validates the checksums and signatures of the code that it fetches.
Controls for our app servers running in the cloud:
- This code runs inside virtual application servers that sit behind both a NAT Gateway and a cloud firewall and are monitored with intrusion detection and malware scanning software.
- We deploy this code from inside our own environment using connectivity that requires a private key.
- We also run various microservices that wake up to do things and then go away, offering new persistent attack vectors.
“Our end goal is to deliver quickly, sustainably, and repeatedly a flexible, powerful product to our customers that incorporates the best available software and functionality at the best price while also guaranteeing that it’s free of nefarious code,” said Colin. “The best way to do that is to use modern tools and processes—code-signing, two-factor authentication, SSH keys over passwords—while trusting none of them.”
Learn more about the software supply chain—read Part One: Securing the Software Supply Chain
Want to know more about Liongard? Schedule a platform walk-through today.