Striking a balance between security and velocity in our software supply chain
While as engineers, we strive to be as transparent as possible to maintain the integrity of our ecosystem, we also understand that the aspects of security are as wide and deep. Often, we find ourselves standing at a crossroads where security measures and the speed of development may seem like competing priorities.
Can we find a balance between security and velocity?
Dependencies (SBOM, supply chain)
In the realm of open-source development, security is paramount and often one overlooked aspect is the dependency supply chain. Openly developed software with a published list of SBOM is like advertising a list of possible attack vectors for malicious actors to exploit.
Any project, like most modern software, relies on a number of external libraries and packages to function. These dependencies can sometimes be a source of security vulnerabilities, as any weaknesses in them could potentially be exploited to compromise our software.
Striking a Balance Between Development Velocity and Security
While we may hold firm to the belief that security is an indispensable aspect of any software project, we also acknowledge the importance of balancing it with other factors, like development speed.
In the realm of software creation, we often find ourselves standing at a crossroads where security measures and the speed of development may seem like competing priorities. The utilization of large software ecosystems (e.g. react-native, expo SDK) is an inevitable reality in our line of work, and we assess that the advantages they offer significantly outweigh the potential risks.
However, that said, we should aim for an equilibrium that does not compromise on the commitment to build secure software. By implementing robust security protocols and practices, along with harnessing the benefits of rapid development through established ecosystems, we can strive to deliver secure, reliable software swiftly and efficiently.
Some approach to ensuring the security of your supply chain includes the following:
- Understanding the supply chain: Maintain a comprehensive list of every external component the software relies upon, including not only direct dependencies, but also transitive ones.
- Keeping dependencies up to date: By frequently updating your dependencies to their latest versions, as these often include important security patches.
- Monitoring for vulnerabilities: Employing automated tools to check our dependencies for known security vulnerabilities, allowing us to react swiftly if a threat is identified.
- Adopting a defense-in-depth strategy: Approach to security does not rely on any single measure. Instead, we layer multiple security measures (e.g. encrypted and enclave) on top of one another to provide a greater degree of protection.
- Minimizing dependencies: Continuously auditing your codebase to identify dependencies that can be replaced with your own code or removed entirely. This helps reduce the potential attack surface and limit the scope of possible supply chain attacks.