3 strategies to expand your threat model and secure your supply chain

GitHub

By Mike Hanley, CSO and SVP of Engineering


One of the most common discussions I have with engineering and security leaders is about the state of supply chain security. Today, I'd like to share a few strategies you can discuss with your teams to broaden your supply chain security perspective while realizing some quick wins, without any extra tooling or purchases.


Strategy #1: Understand and account for your build pipelines
The SolarWinds incident was a watershed moment: a sophisticated attack on organizations and government agencies, carried out not by exploiting a flaw in the Orion product's code but by compromising SolarWinds' build environment and inserting malicious code into Orion updates that were then signed and shipped to customers. This incident showed us that the pipelines you use to produce software applications are just as important to secure as the application code itself.

At your organization, what controls do you have in place for your code and artifact systems? How many build systems do you have? How many tech stacks do you use? You need to understand every input that flows into the software artifacts you produce (source, dependencies, build tools, CI actions, scripts fetched at build time) and rigorously account for each of them in the build process.
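One concrete way to start that accounting is to inventory what a CI workflow actually pulls in. The script below is an added example, not code from the original article or from GitHub: it reads a GitHub Actions workflow as text (no YAML library needed), lists every `uses:` reference and every shell step that fetches something over the network, and flags the inputs that are not pinned to immutable content (a full commit SHA or an image digest). The workflow it analyzes is a constructed sample; the action names and the `example.invalid` URL are assumptions for the example.

```python
"""Inventory the external inputs of a GitHub Actions workflow.

Added example (not code from the article or from GitHub). It treats the
workflow file as text so it runs without PyYAML, and reports which inputs
resolve to immutable content and which can change underneath the build.
"""
import re
from dataclasses import dataclass

# Constructed sample workflow; not a real project's pipeline.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.19
      - name: Install tooling
        run: curl -sSL https://example.invalid/install.sh | sh
      - run: npm ci && npm run build
      - uses: some-org/publish-action@main
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
RUN_LINE = re.compile(r"^\s*-?\s*run:\s*(.+)$")
# Shell steps that pull content from the network at build time are inputs
# too, and unlike a lockfile-driven `npm ci` nothing records what they got.
NETWORK_FETCH = re.compile(r"\b(curl|wget)\b")


@dataclass
class BuildInput:
    kind: str      # "action", "docker", "local" or "network-fetch"
    ref: str       # the reference exactly as written in the workflow
    pinned: bool   # True only when the input resolves to immutable content
    line: int      # line number in the workflow file


def classify_uses(ref: str) -> tuple[str, bool]:
    """Classify a `uses:` reference and decide whether it is pinned."""
    if ref.startswith("./"):
        return "local", True                  # versioned with the repo itself
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        return "docker", "@sha256:" in image  # tags move, digests do not
    _name, _, version = ref.partition("@")
    return "action", bool(FULL_SHA.match(version))  # tags/branches can move


def inventory(workflow_text: str) -> list[BuildInput]:
    """Return every external input found in the workflow, in file order."""
    found: list[BuildInput] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m:
            kind, pinned = classify_uses(m.group(1))
            found.append(BuildInput(kind, m.group(1), pinned, lineno))
            continue
        m = RUN_LINE.match(line)
        if m and NETWORK_FETCH.search(m.group(1)):
            found.append(BuildInput("network-fetch", m.group(1).strip(), False, lineno))
    return found


def unpinned(workflow_text: str) -> list[str]:
    """The references a team still has to account for: anything mutable."""
    return [item.ref for item in inventory(workflow_text) if not item.pinned]


if __name__ == "__main__":
    for item in inventory(SAMPLE_WORKFLOW):
        status = "ok      " if item.pinned else "UNPINNED"
        print(f"{status} line {item.line:>2} {item.kind:<13} {item.ref}")
```

Run against the sample, it reports four unpinned inputs: the `@v4` tag, the `alpine:3.19` tag, the `curl ... | sh` step and the `@main` branch reference. The same loop over every workflow file in every repository is a quick way to produce the list of build systems and inputs the strategy asks for.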


Strategy #2: Require users to use 2FA
At GitHub, we now require 2FA on the accounts of code contributors, maintainers, and publishers. This security measure reduces the likelihood of account takeover for the maintainers of popular npm packages and for contributors on GitHub.com.

You should use 2FA everywhere you can. We have resources that can help you easily set up 2FA for your account or require 2FA for your organization. This simple step will go a long way in preventing your accounts from being compromised.


Strategy #3: Build and consume artifact provenance
Do you know where the packages you pick up and use come from? Last year, GitHub partnered with the Sigstore project to bring provenance to npm, which addresses exactly this question. Package maintainers can now easily generate signed statements about where a package's source came from and how it was built, and consumers can verify those statements and make their own judgments about whether to trust the package. Both sides benefit, and package security improves.
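What "making their own judgment" looks like in practice is a policy check over the provenance statement after its signature has been verified. The script below is an added example, not code from the original article, from GitHub or from the Sigstore project. npm provenance is published as an in-toto Statement carrying a SLSA provenance predicate, and `npm audit signatures` checks the Sigstore signature and transparency-log entry; this example shows the consumer-side step on top of that, deciding whether the verified statement's contents match expectations. It checks three things: the subject digest matches the tarball you actually downloaded, the source repository is the one you expect, and the builder is one you trust. The statement, tarball, repository names and builder identifier are constructed for the example.

```python
"""Consumer-side policy check over an npm provenance statement.

Added example (not code from the article, GitHub or Sigstore). The statement
is shaped like an in-toto Statement v1 with a SLSA provenance v1 predicate,
but every value in it is constructed for this example.
"""
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
# Assumed builder identifier for GitHub-hosted runners (example value).
GITHUB_HOSTED = "https://github.com/actions/runner/github-hosted"
EXPECTED_REPO = "https://github.com/example-org/example-pkg"

# Constructed package contents; real provenance hashes the published tarball.
TARBALL = b"fake npm tarball bytes for example-pkg@1.2.3\n"


def make_statement(tarball: bytes, repository: str, ref: str, builder: str) -> dict:
    """Build a constructed statement in the in-toto/SLSA v1 layout."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{
            "name": "pkg:npm/example-pkg@1.2.3",
            "digest": {"sha512": hashlib.sha512(tarball).hexdigest()},
        }],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "externalParameters": {
                    "workflow": {"repository": repository, "ref": ref,
                                 "path": ".github/workflows/publish.yml"},
                },
            },
            "runDetails": {"builder": {"id": builder}},
        },
    }


def check_provenance(statement: dict, tarball: bytes,
                     expected_repo: str, trusted_builders: set[str]) -> list[str]:
    """Return the policy violations for this artifact; an empty list passes.

    Assumes the statement's signature and log entry were already verified
    (for npm, by `npm audit signatures`); this is the policy layer only.
    """
    problems: list[str] = []
    if statement.get("predicateType") != SLSA_V1:
        problems.append(f"unexpected predicate type {statement.get('predicateType')!r}")

    # 1. The statement must describe the exact bytes we downloaded. Accept any
    #    hash algorithm the statement uses, as long as one of them matches.
    digests = {algo: value
               for subject in statement.get("subject", [])
               for algo, value in subject.get("digest", {}).items()}
    matched = any(
        algo in hashlib.algorithms_available
        and hashlib.new(algo, tarball).hexdigest() == value
        for algo, value in digests.items()
    )
    if not matched:
        problems.append("subject digest does not match the downloaded tarball")

    predicate = statement.get("predicate", {})
    # 2. The package must have been built from the repository we expect, not
    #    from a fork that happens to publish under the same name.
    workflow = (predicate.get("buildDefinition", {})
                         .get("externalParameters", {})
                         .get("workflow", {}))
    repo = workflow.get("repository")
    if repo != expected_repo:
        problems.append(f"built from {repo!r}, expected {expected_repo!r}")

    # 3. ...and by a builder we trust to have produced an honest statement.
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder {builder!r}")
    return problems


if __name__ == "__main__":
    good = make_statement(TARBALL, EXPECTED_REPO, "refs/tags/v1.2.3", GITHUB_HOSTED)
    print(json.dumps(good, indent=2))
    print("genuine:", check_provenance(good, TARBALL, EXPECTED_REPO, {GITHUB_HOSTED}))
    print("tampered tarball:",
          check_provenance(good, TARBALL + b"x", EXPECTED_REPO, {GITHUB_HOSTED}))
    forked = make_statement(TARBALL, "https://github.com/attacker/fork",
                            "refs/heads/main", GITHUB_HOSTED)
    print("wrong repository:",
          check_provenance(forked, TARBALL, EXPECTED_REPO, {GITHUB_HOSTED}))
```

The order of the checks matters less than the fact that all three run: a valid signature over a statement about a different tarball, or about the right tarball built from a fork, is exactly the case provenance exists to catch, and only the consumer knows which repository and builders it is prepared to trust.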


The bottom line
To recap, here are some ways you and your team can start thinking bigger about supply chain security:

  • Do you understand your build systems? Make a list of all of them.

  • Are you using 2FA? Do you require users to use 2FA? If not, this is a simple tool you can implement to prevent your accounts from being compromised.

  • Do you trust the third-party dependencies you use? Understand how the registries and repositories you get your dependencies from are secured, and make a list of all your packages.

  • Have you taken full stock of your third-party integrations to ensure they meet your own security standards? Give all your integrations only the minimum amount of access needed to complete the task.

  • Supply chain security is a collective responsibility. By taking these steps, you can expand your threat model and improve your supply chain security.

github.com/features/security
