DevOps leaders seeking a one-size-fits-all cybersecurity framework to prevent supply chain attacks may find themselves disappointed, according to a recent research paper. The study, published on Cornell University’s arXiv site, highlights the difficulty in relying on a single framework to address the wide variety of security risks faced by development teams. The paper, authored by six researchers from North Carolina State University, Yahoo, and other institutions, offers a deeper dive into strategies that can help prevent compromises in critical applications and reduce the likelihood of future attacks.
The researchers examined the techniques used in major compromises like SolarWinds Orion, log4J, and XZ Utils, cross-referencing 114 reported attack methods with the 73 tasks recommended across 10 prominent software security frameworks, including the US NIST Secure Software Development Framework. The goal was to identify common vulnerabilities and provide developers with concrete actions to protect their applications. However, they found that while these frameworks offer valuable guidance, they don’t cover all the bases, leaving certain gaps in security.
Three critical mitigation factors were identified as missing from all the frameworks: ensuring the sustainability of open-source software, implementing environmental scanning tools, and requiring application partners to report vulnerabilities. These overlooked elements are vital to the comprehensive security of the software supply chain, the researchers argue, highlighting that no single framework can address every potential risk.
Johannes Ullrich, dean of research at the SANS Institute, concurs with the study’s findings, noting that while no framework is flawless, they serve as a valuable starting point. He emphasized the importance of communication across the enterprise, pointing out that DevOps leaders must collaborate with other teams to identify and address security gaps. The research underscores the need for a holistic, integrated approach to securing the software supply chain, where frameworks are part of a larger conversation about ongoing risks and mitigation strategies.