An SSC is every third-party element used by a software manufacturer to create and deliver their product. This includes, but is not limited to, the following:

• The operating system(s) and hardware: These include workstations, servers, storage, network switches and routers, Windows/Mac/Linux embedded systems, and infrastructure as a service (IaaS).
• Software for creating and building software: This includes editors, languages, compilers, plugins, libraries/frameworks, task runners, and build systems.
• Software providing services to software: In this category, you have databases, APIs, software as a service (SaaS), platform as a service (PaaS), and backend as a service (BaaS).
• Tools used for tracking and enabling work: These are tools that support version control, ticketing, messaging, and collaboration.
• Tools for delivering software: These include file transfer, server software, containers, container orchestration, and monitoring...

In the complex landscape of modern software development, security threats are ever-evolving. As software systems increasingly rely on third-party components, external updates, and extensive code repositories, the potential attack surface grows, presenting significant challenges to maintain security and integrity. This section delves into several critical security scenarios and outlines proactive defenses to mitigate these risks.

Compromise of third-party components

Third-party components, such as libraries, frameworks, and packages can become dangerous if a threat actor is able to do one of these three things:

• Inject malicious code into the one you use
• Use a deceptive variation on that third-party component’s name, so you end up using a component the threat actor controls instead of the one you usually use
• Use a known vulnerability in a component that has not been patched (or you have not updated to the...

There are multiple approaches and tools in threat modeling, but at its core, there are three main areas: mapping data flows, analyzing attack surfaces, and assessing the impacts of failure.

The Open Web Application Security Project (OWASP) has a three-step threat-modeling process:3

1. Decompose the application.
2. Determine and rank threats.
3. Determine countermeasures and mitigation.

Decompose the application

This starts with understanding the use cases for the application. For example, with a game, one use case might be to play the game, while another might be to top up tokens from the in-app store.

Then, identify the entry points where an attacker could interact with the application, resources, and assets that would be of interest to an attacker, and the trust levels and access rights the application grants to external entities such as users, tech support, moderators...

While threat modeling is a technical activity that is more objective in nature, using risk assessment is more subjective and tied to your priorities, needs, and sensitivities.

Integrating risk assessment to rank the threats

Risk assessment takes two main vectors into account—likelihood and damage:

• Likelihood: How likely is the threat to manifest? This takes into account how prized the result will be to an attacker and how easily they could get that result given your current defenses.
• Damage: What would be the actual impact if an attacker successfully manifested the threat? Would it create additional threats? Would it expose anything of value to theft or discovery?

An example of a common threat is an automated “bot” filling out and submitting a form to register as a website user.

For example, a decade ago, it was easy for people to buy tens of thousands of followers on social media sites to make themselves look influential...

Most of the SSC discussion to this point has been conceptual. The next section will highlight some examples of attacks on the SSC to illustrate how they can happen and the damage they can cause.

PHP: No harm, but foul

Based on a multi-year tracking survey by W3Techs, the PHP programming language was the backend language for over 80% of websites from 2014 to 2018, a figure that was still above 75%, as of February 2024.6

As mentioned in Chapter 1, Git is a protocol and system for source code management and version control. GitHub neither invented it nor owns it, but they are the most prominent commercial host of it for developers around the world.

PHP is an open source project hosted on its own Git server. In 2021, the server was breached and two backdoors were not only inserted in the source code for the programming language, but they were committed under the...

It’s not just our world that’s interconnected; our software is interconnected in ways few outside the industry can really grasp. Open source is not limited to big monoliths such as the WebKit browser engine, Linux, and the Apache web server. It contains packages that are dependencies for your dependencies, such as Log4j and left-pad.

Supply chain attacks can poison or infiltrate dependencies, browser and IDE plugins, source code management, build systems, testing tools, monitoring tools, and more. Attackers are opportunistic and find entry through probing, testing, phishing, and poisoning, to name a few.

This is why the SSC is something to consider at every stage of the SDLC, from gathering requirements to deployment and monitoring. Now that you understand the importance of the SSC, you’ll explore ways to secure it further in this book.

The next chapter will go deeper into methods of attacking and protecting one of the foundational elements of...