Hackers of India

SupplyShield: Protecting your software supply chain

Akhil Mahendra, Hritik Vijay

2023/12/06

Abstract

SupplyShield is a comprehensive supply chain security framework aimed at defending against the increasingly sophisticated attacks that exploit software supply chain vulnerabilities. With many organizations hosting hundreds of micro-services and running thousands of builds daily, effectively monitoring the software supply chain that produces the final application becomes a complex challenge. SupplyShield lets any organization integrate the framework into its Software Development Lifecycle (SDLC) with minimal friction to secure its software supply chain.

The current framework version is designed predominantly for the AWS environment. Any organization running on AWS infrastructure can deploy this framework with minimal effort via AWS CloudFormation templates to strengthen the security of its supply chain. The framework focuses mainly on generating and maintaining a Software Bill of Materials (SBOM) and performing Software Composition Analysis (SCA) for all the micro-services within an organization. The scans are event-driven, targeting the final micro-service image pushed into AWS ECR. From that image it generates an SBOM covering both the base image binaries and the third-party packages introduced by developers, and performs SCA on top of it. This approach provides a comprehensive view of the software components involved in the overall development of a micro-service.

Built with scalability in mind, SupplyShield is capable of generating an SBOM and performing SCA in a CI/CD environment where thousands of builds take place daily. SupplyShield enables rapid detection of zero-day vulnerabilities, such as the log4j vulnerability, even for organizations with over 100 micro-services, reducing the Mean Time To Detect (MTTD) to mere minutes. This greatly simplifies the work of both security engineers and developers in identifying and managing patches for events like the log4j vulnerability. The framework also offers a dashboard for developers and security engineers, presenting relevant metrics and actionable insights.
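The event-driven SBOM/SCA flow described in the two paragraphs above, as an added illustration that is not SupplyShield's own code: a handler accepts only successful ECR push events, looks up the SBOM for the pushed service, matches its components against an advisory list, and separately answers the "a new advisory just appeared, which services are affected?" query against already stored SBOMs, which is what keeps the MTTD to minutes rather than a full rescan. The event shape (source `aws.ecr`, detail-type `ECR Image Action` with `action-type`, `result`, `repository-name`, `image-digest` and `image-tag` fields) is the EventBridge event AWS ECR emits; everything else is an assumption: the service names, SBOM contents, versions and the advisory are constructed, the advisory id and image digest are placeholders, and the `SBOM_STORE` table stands in for a real scanner generating an SBOM from the pushed image digest.

```python
"""Constructed sketch of an event-driven SBOM/SCA pipeline (not SupplyShield's code)."""
import re
from dataclasses import dataclass
from typing import Optional

ECR_SOURCE = "aws.ecr"
ECR_DETAIL_TYPE = "ECR Image Action"  # detail-type ECR emits to EventBridge on push/delete


@dataclass(frozen=True)
class ImageRef:
    repository: str
    digest: str
    tag: str


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    origin: str  # "base-image" (from the base layer) or "application" (added by developers)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


@dataclass(frozen=True)
class Finding:
    repository: str
    advisory_id: str
    component: Component


def parse_push_event(event: dict) -> Optional[ImageRef]:
    """Return the pushed image only for successful ECR PUSH events.

    Deletes, failed pushes and unrelated events return None, so the scanner
    is triggered exactly once per final image that lands in the registry."""
    if event.get("source") != ECR_SOURCE or event.get("detail-type") != ECR_DETAIL_TYPE:
        return None
    detail = event.get("detail", {})
    if detail.get("action-type") != "PUSH" or detail.get("result") != "SUCCESS":
        return None
    return ImageRef(detail["repository-name"], detail["image-digest"], detail.get("image-tag", ""))


def version_key(version: str) -> tuple:
    """Comparison key built from the digit runs of a version string: '2.14.1' -> (2, 14, 1).
    It does not understand pre-release qualifiers; a production matcher needs a real version parser."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component is the advisory's package and its version lies in [introduced, fixed)."""
    if component.name != adv.package:
        return False
    return version_key(adv.introduced) <= version_key(component.version) < version_key(adv.fixed)


def run_sca(repository: str, sbom: list, advisories: list) -> list:
    """SCA on one image's SBOM: every (component, advisory) pair that matches becomes a finding."""
    return [Finding(repository, adv.advisory_id, comp)
            for comp in sbom for adv in advisories if is_affected(comp, adv)]


def affected_services(sbom_store: dict, adv: Advisory) -> list:
    """Answer 'which services carry an affected version?' from stored SBOMs, without rescanning images."""
    return sorted(repo for repo, sbom in sbom_store.items() if any(is_affected(c, adv) for c in sbom))


# --- constructed sample data: service names, packages, versions and the advisory are all made up ---
SAMPLE_PUSH_EVENT = {
    "source": ECR_SOURCE,
    "detail-type": ECR_DETAIL_TYPE,
    "detail": {
        "action-type": "PUSH",
        "result": "SUCCESS",
        "repository-name": "payments-api",
        "image-digest": "sha256:" + "0" * 64,  # placeholder digest
        "image-tag": "build-1234",
    },
}

# Stand-in for scanner output: one stored SBOM per service (constructed).
SBOM_STORE = {
    "payments-api": [Component("openssl", "3.0.2", "base-image"), Component("log4j-core", "2.14.1", "application")],
    "search-svc": [Component("log4j-core", "2.17.1", "application")],
    "notify-svc": [Component("log4j-core", "2.13.0", "application"), Component("zlib", "1.2.11", "base-image")],
}

# Constructed advisory modelled on a log4j-style event; id and version range are placeholders.
ADVISORIES = [Advisory("ADV-PLACEHOLDER-0001", "log4j-core", "2.0", "2.15.0")]


def handle_push(event: dict, sbom_store: dict = SBOM_STORE, advisories: list = ADVISORIES) -> list:
    """Entry point a Lambda-style function would expose: event in, findings for that image out."""
    ref = parse_push_event(event)
    if ref is None:
        return []
    sbom = sbom_store.get(ref.repository, [])  # a real pipeline generates the SBOM from ref.digest here
    return run_sca(ref.repository, sbom, advisories)


if __name__ == "__main__":
    for finding in handle_push(SAMPLE_PUSH_EVENT):
        print(f"{finding.repository}: {finding.component.name} {finding.component.version} ({finding.advisory_id})")
    print("services to patch:", affected_services(SBOM_STORE, ADVISORIES[0]))
```

Because `affected_services` reads stored SBOMs rather than re-pulling images, a newly published advisory can be answered for every service immediately, which is the property the abstract attributes to its low MTTD; the per-push `handle_push` path keeps the store current as builds land.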