Why supply chain security is still a real concern: A Q&A with Global Field CISO Tim Chase

Q: Tell us about your Gartner talk and what attendees can expect.

A: I'll be focusing on third-party security, particularly software supply chain security. Application security is really important today, and it’s something we spend a lot of time discussing. But when you look at a lot of the breaches that happen today, it’s clear that supply chain and third party security are still major concerns. You don't have to look any farther than the recent xz vulnerability to understand that supply chain security is still a real concern, right? 

Consider the notorious SolarWinds breach, which was ultimately a supply chain issue. It was a huge problem because people were installing these SolarWinds agents on all of their servers. It was pervasive. It was everywhere. And when the source code of SolarWinds got breached, they were able to modify it with malicious code and get it deployed all over the world. So, yeah, we need to make sure that we're doing as much as we can to mitigate and control the supply chain.

Q: Gartner talks can cover a wide range of security topics. What drew you to focus specifically on supply chain security? Was the recent xz vulnerability a factor?

A: A little bit. I think the xz situation really made me double down on it. Supply chain security is something that I've been writing about for some time and thinking about more often, especially with some of the SolarWinds stuff being revisited with the lawsuit.

I just think so many people sometimes focus on the end result — on the breach itself — and they forget to take a step back and look at the source of the problem. How were they able to breach the software? In the case of SolarWinds, how did the source code get modified? We don't always go back that far.

With the xz vulnerability, I think we've seen an increase in people wanting to secure the supply chain. That's why SBOMs are very popular right now. We want to know what we use to build our software. But SBOMs are just a list in a sense, right? It's just an inventory. Here’s the real question: what are you going to do with the inventory? Don’t get me wrong — you need the list. The first step of securing anything is knowing what you have. But you then must take the steps to secure it. 

I just want to ensure that we take those extra steps of making sure that we are truly securing our supply chain. Are we making sure that we have appropriate controls on our developer machines, or do we have appropriate controls on our source code? The xz vulnerability has refreshed this in my mind, but it's something that I've been tracking for a while now. 

Q: So how long have you been focusing on supply chain security? When did you start investigating the security risks associated with open-source components?

A: Like I said, there’s been more focus lately. However, I've been looking at open source security since maybe 2015 or 2014 — something like that — back when I was really starting to get into the DevSecOps stuff. This was before DevSecOps was really a thing; I don't think we had a name for it. Back then, we were having to build a lot of the stuff ourselves because none of the tools were compatible with a DevSecOps mentality. So I've been looking at it for quite a while. But just like with all things in security, we keep refining it, and we keep getting better.

This is all similar to cloud security. When I first started doing cloud back in the early 2010s, it was still very much CSPM. It was just a bunch of Lambda checks that were making sure that your posture was secure. And, in the same way from an application security perspective, it was "run some stuff against your source code, make sure your open source is not using CVEs, make sure that your source code isn't vulnerable." But over time, it has matured. Our application security tools have gotten better, and open source is getting more mature as well.

Q: How is the industry addressing supply chain security concerns, and what steps are being taken to ensure the security of open-source components used in development?

So we're starting to do a couple of things. In the industry, we're moving further left. This is how we can make sure to validate that the libraries that we and the other companies we do business with use are secure so that the supply chain isn't disrupted.

But also, the other thing that we're starting to see in the industry are tools that can look at open source and understand how mature the development practices are around open source. For instance, if you have an open source project that is not maintained, that would be a risk. If you have an open source project that is maintained by one person, that would be a risk.

I've seen some tools that can go in there and look at the check-in times and how many people have the right to merge code and all of this kind of stuff to understand whether it's a mature piece of open source. So we're starting to go through as far left as we can to make sure that we have a complete understanding of an open source that we're using.

Q: With the increasing number of pending cybersecurity regulations worldwide, how does your focus on supply chain security align with the current regulatory landscape? 

A: Each of these regulations is different. A lot of these different regulatory rulings and laws, whatever they happen to be, have very specific call outs for supply chain security. And, I don't know that they always call it “open source security,” but they do talk about making sure that you know where your code comes from as a part of your security program. So these regulations talk about it in different ways and the verbiage will be different between the different frameworks, but all of them are going to require that as some part of a good security practice.

If you look at a lot of the regulations that are coming down now — or they may not even be regulations but just kind of guidance — a lot of them are going to say, "Here's some things that you need to do to build a solid cybersecurity program." And so one of those things will be in some form or another understanding your open source risk or your supply chain risk and having a process around that. 

So, from a regulatory perspective, it's something that you are going to have to look at and prove. And sometimes it might be just being able to track your SBOM to understand what you're using, then maintaining that inventory. Other times, I think, on the regulation front, it could be more in depth of needing a full, more detailed program.

Q: Earlier, you mentioned applying the “appropriate controls” to developer machines and source code. What does that practically look like for businesses?

A: For me, it all comes down to zero trust. Yes, it’s true — zero trust extends all the way to securing the supply chain. This approach, when done right, involves implementing strict access controls, continuous monitoring, encrypted hosting, and regular auditing across repositories. 

The trouble comes when we blindly trust code from developers or third-party sources. Zero trust takes that off the table.

Shameless plug here. Lacework Edge, our new security service edge solution, can help implement this sort of zero trust approach for the supply chain. Edge ensures secure access for users and devices while safeguarding company data. 

Really, even though it may seem unrelated, supply chain protection starts with a strong defense around the individuals crafting the code. Supply chain security is cloud security, edge security, and everything in between.

Q: What makes your Gartner session stand out from the others?

A: I hope that I have a different perspective on the supply chain. Again, I think sometimes we just stop too soon when we're analyzing an incident, and we don't go far enough to the root cause. So hopefully, based on my 15 years or so in AppSec, I’ll offer a different perspective than what others have thought about securing the supply chain.

Meet us at the Gartner Security Summit

Don’t miss Tim’s session, “Lacework: How Secure Third-Party Code Management Can Prevent Supply Chain Attacks” on Monday, June 03, 2024 / 01:15 PM – 01:35 PM EDT Gartner Security & Risk Management Summit 2024 in National Harbor, MD. 

Plus, visit Lacework at booth 429 to learn more about Lacework and our latest innovations for the future of securing code, cloud, and the edge.