Chapter 5. Source Code, Build, and Deployment Management

The true core of software supply chain security is the integrity of the product or application itself. From the moment one line of code is written until its delivery, there is risk of compromise. This compromise can come in the form of altered or injected code, malware, poor coding, weak build practices, and unverified deployments.

The development, build, and deployment processes are where the most well-known software supply chain attacks have occurred, including those at SolarWinds and Codecov, both of which are described in more detail later in the chapter. Not only were those companies' infrastructures compromised, but the attackers also compromised their applications to gain access to many more customer organizations. The industry has reacted by focusing on improvements in the source code, build, and deployment processes.

This chapter will discuss the details of source code, how to improve code quality using secure coding standards and tools, the management processes, and integrity throughout the processes. The good news is that the controls in this chapter are not difficult to implement and will greatly increase the security posture of products or applications. Many of these controls build upon the infrastructure security controls in Chapter 3. The build and deployment processes in this chapter focus on more traditional products and applications. Therefore, refer to Chapter 6 for a discussion on cloud processes.

Source Code Types

It’s important to know ...
