Foundational Security for Your Software Supply Chain

Software supply chain attacks are becoming an unfortunate fact of life. Attacks like those that affected SolarWinds and Log4j have recently rocked the IT industry. In these cases, the attacker exploited vulnerabilities in a widely used software module to claim many organizations, if not thousands, as victims. A recent survey by Anchore reported that 62% of surveyed organizations were hit by software supply chain attacks in 2021. If left unchecked, this trend will likely grow in 2022 and beyond. 

General Guidance for Combatting Supply Chain Attacks

In an effort to address the problem discussed above, Argon (now part of Aqua Security) approached us at the Center for Internet Security (CIS) with the idea of developing a CIS Benchmark for securing the software supply chain. We already had two decades of experience developing and publishing secure configuration guidance (i.e., CIS Benchmarks) covering a wide variety of technologies when Argon approached us. But the concept of creating a Benchmark for this area was an interesting, timely, and important opportunity that we could not ignore. 

With this spirit in mind, we decided to take a novel approach. Instead of diving in and creating a specific Benchmark, we initially set out to produce a more generic guidance set to act as the parent for more specific guidance to come. This effort led us to develop more than 100 foundational security recommendations in five main categories – Source Code, Build Pipelines, Dependencies, Artifacts, and Deployment – that can be applied across a variety of commonly used technologies and platforms. 

Introducing the CIS Software Supply Chain Security Guide

We worked with Aqua Security to develop the CIS Software Supply Chain Security Guide using the same standard consensus-based development process that's behind all of our Benchmarks. To date, the guide has been reviewed by experts at CIS, Aqua Security, Axonius, PayPal, CyberArk, Red Hat, and other leading technology firms. With the publication of the Guide, we are extending the consensus process to an even wider audience. 

Ultimately, we hope to build a vibrant community interested in developing the platform-specific Benchmark guidance to come (GitHub, Azure DevOps, etc.). We also hope the Guide, along with the platform-specific Benchmarks to follow, will help organizations worldwide in securing their software supply chains today and making it harder for attackers tomorrow. 

Get Involved in Developing Security Best Practices

To contribute to this or other CIS Benchmark projects, please contact the CIS Benchmarks Development Team at [email protected]