Palo Alto Networks
Checklist for Securing the Software Supply Chain
Supply chains are at the heart of smooth processes in both production and software development. Software supply chains must therefore also be carefully secured, especially given the growing requirements and increasing complexity of software components. From development to delivery, this requires protecting the individual elements as well as the pipeline as a whole.
The following checklist contains seven measures to identify and prioritize risks at an early stage and prevent attacks on the software supply chain.
1. Check Infrastructure as Code (IaC) for misconfigurations
IaC templates such as Terraform, CloudFormation, Azure Resource Manager (ARM), or Kubernetes can contain insecure default settings that are an easy target for attacks. To avoid security vulnerabilities, companies need to implement IaC best practices, fix misconfigurations early and protect sensitive data. Regular scanning and adherence to security policies can identify vulnerabilities early, reduce attack surfaces and better control access to cloud environments.
2. Scan open source packages for known vulnerabilities
Modern applications consist of up to 96 percent open source components, many of which have known vulnerabilities. To keep track of these, security managers can use databases such as the Common Vulnerabilities and Exposures (CVE) list. To secure applications effectively, they should regularly scan code libraries, update affected packages and prioritize patches based on risk assessments such as CVSS scores.
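The matching and prioritization step described above, as an added example that is not from Palo Alto Networks: it checks installed versions against advisory ranges and ranks the resulting upgrades by CVSS base score. The package names, versions, advisory IDs and scores are constructed placeholders, and plain dotted numeric versions are assumed.

```python
# Constructed sample data: package names, versions and advisory IDs are placeholders.
DEPENDENCIES = {"libalpha": "1.4.2", "libbeta": "2.0.0", "libgamma": "0.9.10"}
ADVISORIES = [  # (id, package, first affected version, first fixed version, CVSS base score)
    ("CVE-PLACEHOLDER-1", "libalpha", "1.0.0", "1.5.0", 9.8),
    ("CVE-PLACEHOLDER-2", "libalpha", "1.2.0", "1.4.1", 7.5),   # installed 1.4.2 is past the fix
    ("CVE-PLACEHOLDER-3", "libgamma", "0.9.0", "0.9.11", 5.3),
    ("CVE-PLACEHOLDER-4", "libgamma", "0.1.0", "0.10.0", 8.1),
    ("CVE-PLACEHOLDER-5", "libdelta", "1.0.0", "2.0.0", 10.0),  # package not installed
]

def parse_version(text):
    """'0.9.10' -> (0, 9, 10); tuple comparison avoids the string trap '0.9.10' < '0.9.9'."""
    return tuple(int(part) for part in text.split("."))

def severity(score):
    """Qualitative CVSS v3.x rating for a base score."""
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= floor:
            return label
    return "none"

def find_vulnerable(dependencies, advisories):
    """Return advisories whose affected range [introduced, fixed) contains the installed version."""
    findings = []
    for adv_id, package, introduced, fixed, score in advisories:
        installed = dependencies.get(package)
        if installed is None:
            continue
        if parse_version(introduced) <= parse_version(installed) < parse_version(fixed):
            findings.append({"id": adv_id, "package": package, "fixed": fixed, "cvss": score})
    return findings

def patch_plan(dependencies, advisories):
    """Group findings per package and rank packages by their worst CVSS score."""
    plan = {}
    for f in find_vulnerable(dependencies, advisories):
        entry = plan.setdefault(f["package"], {
            "package": f["package"], "installed": dependencies[f["package"]],
            "upgrade_to": f["fixed"], "max_cvss": f["cvss"], "advisories": []})
        entry["advisories"].append(f["id"])
        entry["max_cvss"] = max(entry["max_cvss"], f["cvss"])
        # The upgrade target must clear every finding, so keep the highest fixed version.
        if parse_version(f["fixed"]) > parse_version(entry["upgrade_to"]):
            entry["upgrade_to"] = f["fixed"]
    for entry in plan.values():
        entry["severity"] = severity(entry["max_cvss"])
    return sorted(plan.values(), key=lambda e: e["max_cvss"], reverse=True)

if __name__ == "__main__":
    for e in patch_plan(DEPENDENCIES, ADVISORIES):
        print(f'{e["package"]} {e["installed"]} -> {e["upgrade_to"]} '
              f'[{e["severity"]} {e["max_cvss"]}] {", ".join(e["advisories"])}')
```

Real ecosystems use version schemes with pre-release tags or epochs, so a production scanner needs the ecosystem's own version comparison in place of parse_version.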
3. Check container images throughout the development cycle
Containers offer flexibility, but also harbor security risks. It is therefore important to scan images at every stage of development, from the creation of a CI/CD pipeline to production operation. In addition, security experts should test unknown images in sandboxes to detect possible malware. As a general rule, only trustworthy sources should be used in order to avoid image poisoning attacks.
4. Comply with security practices for version control systems
The security of the supply chain depends largely on the system that manages it, usually a version control system (VCS) for cloud-native applications. Without appropriate access controls and branch protections, an incorrectly configured VCS can become a gateway for attacks. Measures such as the activation of two-factor authentication (2FA), single sign-on (SSO), IP restrictions, the protection of branches against forged commits and mandatory code reviews are therefore essential.
5. Configure CI/CD pipelines securely
CI/CD pipelines are the backbone of code delivery in cloud-native organizations and require special security precautions. Unchecked changes in the processes can lead to credentials being exposed or code being tampered with. Companies can effectively minimize these risks by scanning pipeline configurations, avoiding insecure commands, allowing only limited access to sensitive environments and separating test and deployment permissions.
6. Store and manage confidential data securely
In addition to identifying vulnerabilities, it is important to avoid accidental disclosure of credentials, tokens or keys as they allow unauthorized access to critical systems. Companies should use specialized vaults such as HashiCorp Vault or Azure Key Vault to securely store confidential information. Furthermore, access keys should be changed regularly and a plan for deactivating, revoking and creating new credentials should be implemented. In addition, companies should consider whether they can avoid access keys by using alternative authentication solutions such as OpenID Connect.
7. Create end-to-end visibility
Securing the individual components of the supply chain also requires an understanding of how they are interconnected and can potentially be attacked. With the help of a software bill of materials (SBOM) and comprehensive code-to-cloud visibility, security teams can prioritize vulnerabilities and quickly take the right action to mitigate damage in an emergency.
"The security of the software supply chain depends on identifying vulnerabilities early on and protecting all levels - from the infrastructure to the code to the pipelines," says Marc Meckel, Manager Domain Consulting at Palo Alto Networks. "Continuous monitoring and adaptation of security measures is particularly critical. The biggest challenge is often not the implementation of individual security measures, but their seamless integration into existing development processes."