For secure software development, having an overview of the components used and continuous monitoring are essential. Josh Lemos, CISO of GitLab, provides tips for "security by design."
Developers need to update their software often hundreds of times daily. This, along with a lack of visibility, can negatively impact the security of the code.
(Image: immimagery - stock.adobe.com)
From the attempted backdoor in XZ Utils to the takeover and subsequent distribution of malware in the Polyfill JS project: attacks on the software supply chain pose a serious challenge for the DevSecOps community. They can surprise even the most experienced experts. These incidents show that attacks on the software supply chain are inevitable and have the potential for serious consequences.
To strengthen their resilience, companies should consider three key components in their software development environments: transparency, governance, and continuous deployment. This way, companies can improve their defenses and reduce the time it takes to recover from the next cyberattack.
Visibility in dynamic systems
A security expert's knowledge of the software systems they protect is usually both limited and time-bound. The information that flows into processes is a snapshot of highly dynamic and complex computer systems, while the snapshots of security controls serve as time-limited references for the security status. Although artificial intelligence makes some security controls more dynamic and flexible, most security boundaries remain static or are based on heuristic approaches.
Conversely, the number of unknowns in large-scale computing environments is almost unlimited at any given time. Code is updated hundreds to thousands of times daily, infrastructure changes can nullify previously defined security boundaries, and upstream dependencies can have massive impacts on security.
To be prepared for the next attack, security experts must monitor their environments in real-time and minimize the number of unknown variables. For example, the use of a Software Bill of Materials (SBOM) is crucial for both commercial and open-source software (OSS). It provides a comprehensive overview of the components used in the software and enables the quick identification of vulnerable components when new threats arise. Such inventories serve as a canonical source for each asset, indexing and supporting extensible APIs and queryable interfaces to maximize their utility and value.
Knowledge about the age of the software in use can also help in developing security measures. Older services are more susceptible to third-party attacks or vulnerabilities because they are not deployed or maintained as frequently. On the other hand, new software is more prone to "first-party" issues like business logic errors or, less commonly, entirely new types of attacks. The combination of new and old software carries risks, especially if security measures have either just been defined or are already obsolete.
Control and management of software supply chains
Understanding a company's software systems is often not enough. Solid governance—a framework of policies, processes, and controls that ensure secure practices and are overseen by company management—is essential for maintaining security measures and accountability throughout the software lifecycle.
When developing "secure-by-design" software, there are several considerations:
Creation of reproducible software and maintenance of service-specific metrics to ensure security
Regular checks to ensure proper security prerequisites are in place,
Use of pre-built infrastructure-as-code templates
Building SBOMs (Software Bill of Materials) that can be used by teams for security operations and vulnerability alerts, as well as appropriate tools
Automation of security checks to ensure compliance with "secure-by-default" principles
Integration of AI validation into the SDLC (Software Development Life Cycle) to increase efficiency, reduce errors, and gain deeper insights into the development process
Implementation of policy-as-code to automate the management and enforcement of security policies for cloud services, applications, networks, and data to ensure consistent and comprehensive security coverage
Design of security boundaries through proper design, limiting areas of failure
Companies could also consider establishing an Open Source Program Office (OSPO) to enhance OSS security. These teams manage OSS usage, monitor security practices, maintain relationships with the open-source community, stay informed about the latest security and compliance developments, and oversee the reliability and security of open-source components.
Continuous assessment anticipates the unknown
Continuous testing and monitoring of a software environment are crucial for a company's resilience against vulnerabilities in the software supply chain. In continuous deployment, code changes are automatically tested and, upon successful passing of the tests, directly deployed to production—often hundreds to thousands of times a day. It goes beyond traditional integration and deployment by automating the entire process to improve software quality and accelerate delivery. However, continuous deployment is only possible if the necessary components for transparency and governance are in place.
Date: 08.12.2025
Naturally, we always handle your personal data responsibly. Any personal data we receive from you is processed in accordance with applicable data protection legislation. For detailed information please see our privacy policy.
Consent to the use of data for promotional purposes
I hereby consent to Vogel Communications Group GmbH & Co. KG, Max-Planck-Str. 7-9, 97082 Würzburg including any affiliated companies according to §§ 15 et seq. AktG (hereafter: Vogel Communications Group) using my e-mail address to send editorial newsletters. A list of all affiliated companies can be found here
Newsletter content may include all products and services of any companies mentioned above, including for example specialist journals and books, events and fairs as well as event-related products and services, print and digital media offers and services such as additional (editorial) newsletters, raffles, lead campaigns, market research both online and offline, specialist webportals and e-learning offers. In case my personal telephone number has also been collected, it may be used for offers of aforementioned products, for services of the companies mentioned above, and market research purposes.
Additionally, my consent also includes the processing of my email address and telephone number for data matching for marketing purposes with select advertising partners such as LinkedIn, Google, and Meta. For this, Vogel Communications Group may transmit said data in hashed form to the advertising partners who then use said data to determine whether I am also a member of the mentioned advertising partner portals. Vogel Communications Group uses this feature for the purposes of re-targeting (up-selling, cross-selling, and customer loyalty), generating so-called look-alike audiences for acquisition of new customers, and as basis for exclusion for on-going advertising campaigns. Further information can be found in section “data matching for marketing purposes”.
In case I access protected data on Internet portals of Vogel Communications Group including any affiliated companies according to §§ 15 et seq. AktG, I need to provide further data in order to register for the access to such content. In return for this free access to editorial content, my data may be used in accordance with this consent for the purposes stated here. This does not apply to data matching for marketing purposes.
Right of revocation
I understand that I can revoke my consent at will. My revocation does not change the lawfulness of data processing that was conducted based on my consent leading up to my revocation. One option to declare my revocation is to use the contact form found at https://contact.vogel.de. In case I no longer wish to receive certain newsletters, I have subscribed to, I can also click on the unsubscribe link included at the end of a newsletter. Further information regarding my right of revocation and the implementation of it as well as the consequences of my revocation can be found in the data protection declaration, section editorial newsletter.
Many developers find writing tests challenging, and test coverage is often less than what would be possible under optimal time conditions. Comprehensive test coverage, including unit and integration tests, ensures that every part of an environment is checked for errors both in isolation and in conjunction with other components. In this area, generative AI (GenAI) can be a great help by automating or accelerating the tedious work. This benefits development teams not only in terms of speed but also through continuous verification of the security and resilience of their software.
The automated review of security boundaries also ensures that they are seamless and well-maintained, serving as the first line of defense against potential breaches. Monitoring production environments can detect discrepancies or unexpected behaviors that might indicate a security issue. Finally, continuous programmatic detection is crucial for the completeness and consistency of inventories.
Build resilience against the unknown
Cyber resilience is a company's ability to adapt and evolve its security posture to stay one step ahead of the next security threat. To be prepared, security experts must ensure that their software ecosystem is well-equipped for effective response and resilience, minimizing the time from identification to resolution of the issue. By acting proactively through transparency, governance, and continuous deployment, companies are better prepared for the next supply chain attack.
About the author: Josh Lemos is CISO and thus responsible for information security at GitLab.
:quality(80)/p7i.vogel.de/wcms/af/1e/af1ec4fca4636f521f780ba0ae009c8e/bild3-werkst-c3-bcck-20und-20werkzeug-5204x2928v1v1.jpeg "The main area of application for the new axial gear cutting machine is the production of rotor shafts for electric vehicles. (Image:Profiroll Technologies)")
:quality(80)/p7i.vogel.de/wcms/d1/ab/d1ab452217529e5c29a81add9aca7c22/0128871322v1.jpeg "Only one year to go: the new EU Machinery Regulation makes cybersecurity mandatory. Companies should act now. (Picture: ©Pisit - stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/88/53/8853f7df2fe47a3d2c6f1879f6ac38e6/newsimage417073-1500x843v1v1.jpeg "Measuring setup for friction stir welding: Modular acoustic measuring system with flexibly positioned microphones for recording tool wear and process deviations in real time. (Image:Fraunhofer IDMT)")
:quality(80)/p7i.vogel.de/wcms/28/75/28751a17e2bcca46e53a1e7b8a84c433/schmersal-tiepner-029-6749x3796v1v1.jpeg "Tiepner's compact system produces ID cards made of laminated plastic, which are used as customer cards, ID cards or cheque cards, among other things. Left in the picture: Christian Höltge, Managing Director of Tiepner GmbH. (Image:Tiepner GmbH)")
:quality(80)/p7i.vogel.de/wcms/cd/fe/cdfe212a3b3206e2ff09dcdf71c11240/0129219561v1.jpeg "Extended S-series: The new Cobot models from Omron lift up to 30 kilograms and are now also protected against dust and water thanks to protection class IP65. (Image:Omron)")
:quality(80)/p7i.vogel.de/wcms/c3/6d/c36d161e7709095fd1de4cb9de27d927/0129133682v1.jpeg "Nanjing is Siemens' largest research and production center for CNC systems, drives and electric motors outside Germany. (Image:Siemens)")
:quality(80)/p7i.vogel.de/wcms/70/dc/70dc2fbc09e6958a72c63bd15e986e14/0129206156v1.jpeg "The global shoe machine manufacturer Desma relies on automation and has been revolutionizing shoe production—together with ABB Robotics for over 40 years. (Image:ABB Robotics)")
:quality(80)/p7i.vogel.de/wcms/60/fd/60fd12ddfe1fb623568736f27d1cfe61/0128606899v1.jpeg "The future of supply chains: AI and dashboards to ensure optimal OTIF values (Picture: ©immimagery - stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/39/38/393873c2ed943bb715a6419d94049b63/geralt-entrepreneur-1340649-1280-1280x720v1v1.jpeg "Visual Components presents its forecast for production simulation in 2026. (Image:Pixabay)")
:quality(80)/p7i.vogel.de/wcms/60/4e/604e2a1ce26f177c5f28c2bff94c2f7d/der-20rotor-20mit-20aktiv-20verwindbaren-20rotorbl-c3-a4ttern-20im-20windkanal-1920x1079v1v1.jpeg "The rotor with actively twistable rotor blades in the wind tunnel: The open measuring section and sound-absorbing wall and model fuselage cladding enable high-quality acoustic measurements. (Image:DLR)")
:quality(80)/p7i.vogel.de/wcms/a8/9a/a89aef1cba3843fa06a1ec1f07cf659b/adobestock-95634179--c2-a9-20crazyforanimeart-20-e2-80-93-20stock-adobe-com-4762x2678v1v1.jpeg "Copied from the octopus: Researchers have developed a film-like thin-film platform that can dynamically change not only its color but also its surface structure. (Image:AdobeStock_95634179_ CrazyForAnimeArt)")
:quality(80)/p7i.vogel.de/wcms/2b/fb/2bfbb9fa26274cb8f6e8979c24a3d08e/0129243542v1.jpeg "In some cases, the new additively manufactured lightweight bearings only reach
11 percent of the weight of comparable steel bearings. (Image:Rosswag Engineering)")
:quality(80)/p7i.vogel.de/wcms/cb/76/cb76d0c686e8dbc8b0e0b6961e3849c7/0129249515v1.jpeg "The Chinese Ministry of Industry and Information Technology has developed binding standards for retractable vehicle door handles. (Image:BYD)")
:quality(80)/p7i.vogel.de/wcms/42/0a/420a796e6b9d9e3bf27d89d4fe425d84/0129264331v1.jpeg "Polestar presented the new Model 5 live. (Image:Polestar)")
:quality(80)/p7i.vogel.de/wcms/5b/ad/5badd27bd7a5feb1c589b1f3b909da93/sc8-2894-e1770098794852-1200x675v1.jpeg "(Source: Sakari Röyskö | Forum Virium Helsinki)")
:quality(80)/p7i.vogel.de/wcms/78/84/78841963da07ee993f10c21d0e21d5cf/0129237953v1.jpeg "In times of increasingly complex development processes, the digital twin is a key tool for mastering this complexity and implementing products faster. (Image:Siemens)")
:quality(80)/p7i.vogel.de/wcms/52/3a/523ac3157ae4b4f596c7241c89127061/0129260553v1.jpeg "This artistic illustration shows a thermal analog calculator that performs calculations using excess heat and is embedded in a microelectronic system. (Image:Jose-Luis Olivares, MIT)")
:quality(80)/p7i.vogel.de/wcms/d1/f4/d1f4508c6b79ec2f0432b34a6fa33a98/0114966184v1.jpeg "The Infineon headquarters Campeon in Neubiberg. (Image:Infineon)")
:quality(80)/p7i.vogel.de/wcms/fa/d3/fad3872cf3f110f43411f2dce9e8f23a/0129265762v1.jpeg "Siemens Energy has discovered the USA as a prosperous growth market for network technology and gas turbines! In order to be able to meet demand at some point, the company is already digging deeper into its pockets ... (Image:Siemens Energy)")
:quality(80)/p7i.vogel.de/wcms/55/ef/55ef5f4c8983e2b3d68c04ba38b36086/0129197850v1.jpeg "Sodium-ion batteries are suitable as an alternative to lithium-ion batteries, but high storage losses during the first charging cycle are hampering their development. BAM has developed a new core-shell design for anodes for this purpose. (Image:BAM)")
:fill(fff,0)/images.vogel.de/vogelonline/companyimg/76800/76895/65.jpg "FAULHABER_120mm.jpg ()")
:fill(fff,0)/p7i.vogel.de/companies/68/a4/68a47beec75ce/logo-cmyk-de.jpeg "logo-cmyk-de (https://www.datatec.eu/)"){kind=logo}
:fill(fff,0)/p7i.vogel.de/companies/67/eb/67eba621ef6ea/logo2.png "logo2 (Wuxi InfiMotion)"){kind=logo}
:quality(80)/p7i.vogel.de/wcms/35/bd/35bdd66771f77a6d4d5d2a834f817f8b/0126307887v1.jpeg "In the field of avionics, software is increasingly being utilized. Therefore, the right verification tools play an important role. (Image:freely licensed via Pixabay)")
:quality(80)/p7i.vogel.de/wcms/5d/5c/5d5cad46ecbfea69c8b33701a5e66300/0126664093v1.jpeg "A successful phishing attack has shaken the JavaScript ecosystem. Malware made its way into at least 18 open-source packages distributed via npm, which collectively reach over two million downloads weekly. (Image:freely licensed)")