Beefing Up the Software Supply Chain for Security

By Cassie Crossley

September 6, 2022

If 2020 went down in history as the year of the Covid-19 pandemic, 2021 could well be remembered as the year that gave cybersecurity enough reasons to take the driver’s seat in securing the software supply chain.

Incidents such as the Log4Shell vulnerability and the SolarWinds attack show that the software supply chain does indeed need closer scrutiny.

For one, software, unlike a physical product that is finished once it leaves the factory, is dynamic and needs constant updating. For another, the software supply chain is now largely built on open-source frameworks, exposing a much larger attack surface.

Besides making headlines, these incidents offer some hard lessons on the dire need for due diligence in software supply chain management. According to BlueVoyant’s second annual global survey on third-party cyber risk management, a whopping 97% of firms faced negative consequences from cybersecurity breaches in their supply chain.

Against this backdrop, it’s probably a good time to take a step back and reflect on what needs to be done beyond just the basics. 

Securing the supply chain

There are different ways to ensure your software supply chain is secure and airtight, including: 

  • Hardening CI/CD pipelines with tightly scoped system permissions, privileges and similar controls
  • Reducing CVEs in container images through regular scanning
  • Scanning for vulnerabilities in application dependencies

But let’s dig deeper and look at two key processes of supply chain risk management in addition to the ones above.

Make use of the SBOM 

In an open-source world, developers tend to fall back on third-party resources to build applications, which can include pre-built components, custom libraries, hardware and infrastructure components, operating systems, packaged scripts and software. This increases organizations’ dependence on third-party vendors and makes it necessary to screen them thoroughly for potential threats and vet them in order to mitigate risk. This is where a Software Bill of Materials (SBOM) comes in handy. What does it do?

An SBOM is an inventory listing the components within a software package, including open-source licenses, compliance status, dependencies, and so on, which gives considerable visibility into the software supply chain. An SBOM can thus act as a crucial tool for achieving greater transparency when a threat emerges. In fact, the Biden administration made SBOM availability for government customers mandatory in 2021, highlighting the importance of cybersecurity in the supply chain.

Implement SCA

Software composition analysis (SCA) is an automated technique for gaining visibility into your open-source code right up front. With it, functions such as risk mitigation and management, security, and license compliance become more structured because they are less manually driven. SCA is a prudent way to keep a constant tab on security and vulnerability issues as they arise, and it lets users build actionable alerts for newly discovered vulnerabilities in both current and shipped products.
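To make the SBOM and SCA sections above concrete, here is an added example (not code from the article or from Schneider Electric) that reads a small CycloneDX-style SBOM and runs an SCA-style check over it: each component is matched against an advisory feed keyed by package URL and against a license deny list. The SBOM, the advisory id `ADV-EXAMPLE-0001`, the affected version range and the deny list are all constructed sample data, and `version_key` assumes purely numeric dotted versions.

```python
import json

# Constructed CycloneDX-style SBOM (a subset of the real JSON schema); sample values only.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"type": "library", "name": "log4j-core", "version": "2.14.1",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
   "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"type": "library", "name": "example-widget", "version": "1.3.0",
   "purl": "pkg:npm/example-widget@1.3.0",
   "licenses": [{"license": {"id": "AGPL-3.0-only"}}]}
 ]
}"""

# Constructed advisory feed keyed by version-less package URL; placeholder id, sample range.
ADVISORIES = {"pkg:maven/org.apache.logging.log4j/log4j-core": [
    {"id": "ADV-EXAMPLE-0001", "introduced": "2.0", "fixed": "2.15.0"}]}
DENIED_LICENSES = {"AGPL-3.0-only"}  # licences the organisation has chosen not to ship

def version_key(v):
    """Comparable tuple for a dotted numeric version: '2.14.1' -> (2, 14, 1)."""
    return tuple(int(part) for part in v.split("."))

def purl_base(purl):
    """Package URL with the '@version' suffix removed, used as the advisory lookup key."""
    return purl.split("@", 1)[0]

def parse_components(sbom_text):
    """Extract name, version, purl and SPDX licence ids from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    comps = []
    for c in doc.get("components", []):
        ids = [l["license"]["id"] for l in c.get("licenses", []) if "license" in l]
        comps.append({"name": c["name"], "version": c["version"],
                      "purl": c.get("purl", ""), "licenses": ids})
    return comps

def check_sbom(sbom_text, advisories, denied_licenses):
    """SCA-style pass: report components in a vulnerable version range or under a denied licence."""
    findings = []
    for comp in parse_components(sbom_text):
        v = version_key(comp["version"])
        for adv in advisories.get(purl_base(comp["purl"]), []):
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                findings.append((comp["name"], comp["version"], adv["id"], f"upgrade to >= {adv['fixed']}"))
        for lic in comp["licenses"]:
            if lic in denied_licenses:
                findings.append((comp["name"], comp["version"], "LICENSE", f"{lic} is on the deny list"))
    return findings
```

Calling `check_sbom(SBOM_JSON, ADVISORIES, DENIED_LICENSES)` returns one vulnerability finding and one license finding; re-running it whenever the advisory feed changes is what turns a static SBOM into the continuous alerting the SCA section describes.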

A comprehensive yet cohesive plan that factors in security and a strong collaborative effort between engineering and cybersecurity teams is a great step forward in securing the software supply chain for the future. And the time for that is now.

Cassie Crossley
VP, Deputy Product Security Officer, Product & Systems Security Office, Schneider Electric