Santiago Torres Arias, Assistant Professor of Electrical and Computer Engineering

A professor in Purdue University's Elmore Family School of Electrical and Computer Engineering has helped develop guidelines for enhancing software supply chain (SSC) security. Santiago Torres Arias, assistant professor of ECE and a researcher with Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS), produced "Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines" along with Ramaswamy Chandramouli from the National Institute of Standards and Technology (NIST) and Frederick Kautz of TestifySec, a team of software engineers, security experts, and consultants that assist organizations with issues surrounding security and compliance. This NIST special publication delves into actionable measures for integrating SSC security into DevSecOps CI/CD pipelines.

In the constantly changing landscape of software development, cloud-native applications have revolutionized how software is built, deployed, and maintained. These applications, comprised of multiple microservices, are developed using agile methodologies within a paradigm known as DevSecOps. At the core of DevSecOps lies the continuous integration/continuous delivery (CI/CD) pipeline, a flow process that shepherds software through various stages of development, testing, packaging, and deployment. However, recent analyses of software attacks and vulnerabilities have underscored the importance of securing the entire software development lifecycle (SDLC), including its integral components, the software supply chain.

The software supply chain encompasses the activities involved in the SDLC, from initial development to deployment. The integrity of each of these activities is critical to the overall security of the software. Threats can emerge from malicious actors targeting vulnerabilities during SDLC activities or from oversights and errors introduced by legitimate actors due to lapses in due diligence practices.

This new publication, developed in accordance with the Federal Information Security Modernization Act (FISMA), outlines strategies to fortify the security of CI/CD pipelines by integrating SSC security measures. By aligning with the Secure Software Development Framework (SSDF) objectives, these strategies aim to enhance organizations' preparedness to address software supply chain security challenges in developing and deploying cloud-native applications.

Torres-Arias is excited about the release of this NIST special publication.

“We had a lot of feedback from industry and academia when developing these recommendations,” he said. “I’m confident that they will thoroughly inform and shepherd software engineers towards developing not only secure software but also to develop software securely.”

Key elements of the strategies outlined in "Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines" include:

• Understanding cloud-native application architecture: Recognizing the predominant architecture of cloud-native applications, which typically involves multiple microservices and may include centralized infrastructure like service meshes.
• Embracing DevSecOps principles: Advocating for adopting DevSecOps methodologies, emphasizing collaboration and integration of security throughout the SDLC.
• Implementing CI/CD pipelines: Leveraging CI/CD pipelines to automate and streamline software delivery processes, ensuring rapid and reliable deployment of software updates.
• Integrating software supply chain security measures: Incorporating security measures throughout the CI/CD pipeline stages, from code development to deployment, to mitigate risks associated with the software supply chain.
• Mapping to SSDF High-Level Practices: Demonstrating alignment with the SSDF by mapping SSC security integration strategies to high-level practices outlined in the framework.

By integrating these strategies into CI/CD pipelines, organizations can bolster the security of their software supply chains and enhance resilience against emerging threats. As cloud-native applications continue to increase, ensuring the integrity and security of the software supply chain remains paramount in safeguarding digital assets and maintaining trust in software systems.