The software supply chain is ever-evolving. On Episode 32 of The Cyber Security Matters Podcast, we were joined by Luis Rodríguez Berzosa, the Chief Technology Officer at Xygeni, to explore the topic. He’s a physicist and mathematician who brings significant experience to the field of software engineering security, focusing on static analysis and software supply chain security. Here are his thoughts.
How have you seen software supply chain security change over the last 20 years?
20 years is a long time in the IT industry, so our product security has improved a lot in that time. We’ve worked with APB security, position analysis, and static analysis – that’s the API security testing web application firewalls – which nobody uses anymore. Cloud-native protection has been another hot topic in recent years, and there are better mechanisms for patching or avoiding memory-related and other low-level security flows now. However, we are no better at securing the server product itself.
Unfortunately, in the software supply chain, fewer resources are assigned to protecting the server infrastructure at the factory where software is built and deployed. Modern infrastructures have a large exposed attack surface, so the bad guys, who are always motivated to gain the most with the least effort, shifted their campaigns from the better-protected applications to the public packages and even the internal build and deployment systems. They attack the weaker points, so when we protect one thing, the attackers will look for another place to get in. Now they they use the software supply chain as an attack amplifier.
What was your inspiration in founding the business?
In the summer of 2021, we realised that software infrastructure security was lagging behind the rest of the sector. We started defining the project by establishing what exactly the needs were, analysing the potential market and testing what ideas could work. Then in December 2021 came the Log4J vulnerability, which created a shockwave in the entire software industry. That was the push we needed to start to decide to go on. In fact, we had been looking at cloud-native security during 2020 and 2021, but we were out of our element there because we are more traditional guys. With server security, we were at home. So we started with the project and went to market last year. We are now active in marketing and selling the platform.
What are the traditional methods of securing the software supply chain, and why aren’t they enough in today’s environment?
In the past, organisations would compile software artefacts, package them, and then digitally sign them with a code signing certificate for integrity protection. They then deployed them on an update site and were done. Now, attackers can penetrate a build system, inject malware in your software dependencies and embed malicious behaviour in your source code. They have changed their tactics and techniques. All the old methods do not work anymore because the attackers inject malicious code that will pass onto your customers. The problem is that the traditionally simple ways of protecting integrity by cold signing don’t work anymore.
One of the challenges within software supply chain security is keeping DevOps running while not whilst not falling under the supply chain attack. How does Xygeni solve this challenge?
You have to take a look at many different things. You have to automate those checks, compiling inventory and context because you have to know what is going where. You also need an alignment with industry standards because there are so many initiatives, ideas and best practices out there in supply chains. You have to get the best of them and put them on the ground to convert the generic principles into real actionable things.
We have to try to take all the great ideas that are arising and figure out how they could be used in the real world. We put the emphasis on topics that we feel offered the best cost-benefit trade-off, such as detecting unusual activity or misconfigurations in real time. Our business is mainly international organisations who want to create software, but they feel they don’t need to secure the infrastructure. That means that features like semi-automated guidance will resolve a problem for them. They are looking for things like automation workflows and so on, so we try to provide them in our platform. Our focus is on helping users cope with a huge number of issues and the complexity of modern software.
To hear more from Luis, tune into Episode 32 of The Cyber Security Matters Podcast here.
We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.
