IT Briefcase Exclusive Interview: How to Secure the Software Supply Chain
February 23, 2022
- Q. How are the risks to the software supply chain evolving?
COVID-19 fundamentally changed the way we live and work. It also changed how companies engage with, sell to, and keep customers; and greatly accelerated the move to the cloud for many organizations. Because of this, the digital supply chain is more important than ever, but it’s also facing greater threats. Industry reports show that nearly two-thirds (64%) of organizations have been impacted by a software supply chain attack in the last year.
2021 was loaded with major cybersecurity attacks. In January, organizations were still addressing the ramifications of the SolarWinds attack when the hacking of Microsoft Exchange became public. May brought the attack on Colonial Pipeline, highlighting the risks to US infrastructure. And in December, a zero-day vulnerability in the popular Apache Log4j open source logging library, used in nearly every enterprise app, was disclosed; the full impact of the resulting exploits isn’t known yet. And these are just the highlights—truly the lowlights, if you will.
Risks are prevalent and bad actors are poised to step up exploits in the coming year, but most teams lack the resources, budget, and knowledge to manage a crisis. As the use of third-party and open source software (OSS) increases, software suppliers may be bringing risks into their own software, while also passing them on to downstream partners and customers.
- Q. How aware are software companies of the risks they face?
Unfortunately, there’s a significant gap in awareness between what companies believe to be in their code and what’s actually there. The Revenera 2022 State of the Software Supply Chain Report—Revenera’s global, cross-industry analysis of data from open source audit projects conducted in 2021—evaluated more than 2.6 billion lines of code and found that companies are only aware of 17% of the open source components they use. Now, 17% is a huge increase year-over-year, but is still quite low.
The most severe P1 issues, which represent critical licensing or security threats, and require immediate remediation, grew 6% over the past year. Lower priority issues also surged at even more stunning rates. P2 issues, which require a plan to resolve issues after P1 issues have been addressed, grew by 50%; the lowest risk (P3) issues grew by 34%. The plane for risk is broadening, due to the growing prevalence of OSS and because the average number of dependencies is significantly increasing in popular ecosystems. Unless a company knows what’s in its code, it’s impossible to identify and mitigate risk.
- Q. How do SBOMs come into play?
A software bill of materials (SBOM) is the key artifact for an open source governance process. An SBOM is a complete, accurate inventory of what’s in code. It includes information such as the component and version, the driving license, and provenance details to track dependencies and bundled items to their origin for remediation purposes. Once you have the SBOM, you can then assess the known associated security vulnerabilities, at a given point in time, for both relevance and impact to your application.
Interest in and demand for SBOMs grew dynamically in 2021. This interest came from a broadening array of stakeholders and regulatory requirements such as the U.S. government’s Executive Order on Improving the Nation’s Cybersecurity and many industry-specific mandates, including the FDA for healthcare, NHTSA for automotive, NERC for energy, and several others. Furthermore, an increasing number of companies are starting to demand an SBOM from their software suppliers with each application release and, in some cases, are requesting new terms to be written into commercial software contracts to provide greater software supply chain transparency and remediation timelines in hopes of improving application security. Having a published SBOM, providing timely disclosures for compliance issues, and published remediation SLAs will most likely become the norm rather than the exception.
The approach to building SBOMs is improving with automated, collaborative, and dynamic processes and as formats for creating and sharing SBOMs become standard. Three key industry-accepted formats that organizations throughout the supply chain can use to share information about their SBOMs are Software Package Data Exchange (SPDX), CycloneDX, and Software Identification (SWID). Creation of an SBOM is aided by a comprehensive software composition analysis (SCA) tool, which identifies open source and third-party components and alerts for license and security compliance issues based on defined policies.
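To make the SBOM-to-assessment step concrete, here is an added example (not from the interview or from Revenera's tooling) that reads a minimal, constructed CycloneDX 1.4 JSON SBOM, cross-references each component, including transitive dependencies, against a constructed advisory list with placeholder IDs, and flags licenses a hypothetical policy wants reviewed. The advisory list, component names, and policy are all assumptions made for illustration.

```python
import json

# Constructed minimal CycloneDX 1.4 JSON SBOM (illustrative, not a real product's SBOM).
# "bom-ref" values use package-URL style strings so "dependencies" can refer to them.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "web-framework", "version": "3.2.0",
     "bom-ref": "pkg:generic/web-framework@3.2.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "json-parser", "version": "1.4.7",
     "bom-ref": "pkg:generic/json-parser@1.4.7",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "fast-logger", "version": "2.14.1",
     "bom-ref": "pkg:generic/fast-logger@2.14.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ],
  "dependencies": [
    {"ref": "pkg:generic/web-framework@3.2.0",
     "dependsOn": ["pkg:generic/json-parser@1.4.7", "pkg:generic/fast-logger@2.14.1"]}
  ]
}"""

# Constructed advisory feed: (component, first vulnerable, first fixed, placeholder id).
ADVISORIES = [
    ("fast-logger", "2.0.0", "2.15.0", "ADV-EXAMPLE-1"),
    ("json-parser", "1.5.0", "1.5.3", "ADV-EXAMPLE-2"),
]
# Hypothetical policy: strong-copyleft licenses go to legal review.
REVIEW_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def vtuple(version):
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def assess(sbom_text, advisories=ADVISORIES, review=REVIEW_LICENSES):
    """Return (vulnerability_findings, license_findings) for the SBOM snapshot."""
    sbom = json.loads(sbom_text)
    depended_on = {d for e in sbom.get("dependencies", []) for d in e.get("dependsOn", [])}
    vulns, lics = [], []
    for comp in sbom["components"]:
        # Anything some other component depends on is transitive; the rest is top-level.
        level = "transitive" if comp["bom-ref"] in depended_on else "top-level"
        ver = vtuple(comp["version"])
        for name, first_bad, fixed, adv in advisories:
            if comp["name"] == name and vtuple(first_bad) <= ver < vtuple(fixed):
                vulns.append((name, comp["version"], adv, level))
        for entry in comp.get("licenses", []):
            lic_id = entry.get("license", {}).get("id")
            if lic_id in review:
                lics.append((comp["name"], lic_id, level))
    return vulns, lics
```

Note that json-parser 1.4.7 falls outside the constructed advisory's affected range, so only the transitive logging dependency is reported, which is the kind of hidden dependency an SBOM exists to surface.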
- Q. What are some best practices for software supply chain management?
There are half a dozen important things to do for software suppliers—including device and IoT manufacturers:
1. Understand the construction of the software pipeline. Know how software sources, components, and packages gain entry.
2. Produce a complete and accurate SBOM, which may require several phases. It must include all top-level components, sub-components or bundled packages, and all direct and transitive dependencies, along with the associated licenses. Along with the SBOM, a security snapshot report is required to evaluate the security risks at a given point in time.
3. Minimize and mitigate risks associated with OSS by shifting vulnerability management and license compliance left for early detection.
4. Make the initiative enterprise-wide with executive buy-in; focus on strong collaboration between your legal, security, and product teams. An Open Source Program Office (OSPO) and/or an Open Source Review Board (OSRB) can be instrumental in developing, communicating, and operationalizing your open source strategy.
5. Set your product teams up for success via ongoing education for security vulnerability and license compliance management.
6. Use an SCA solution that identifies security and license compliance issues in your applications.
Organizations that invest in company-wide policies, continuous assessment, SCA solutions, and corporate compliance programs are best able to quickly respond to risks and customer requests. Putting these best practices in place protects against risks in the software supply chain, while strengthening business operations. This can be particularly important for merger and acquisition (M&A) events, for example, where it’s crucial to demonstrate complete risk profiles, forensic reports, and remediation assessments. M&A activity grew significantly in 2021 (from $3.8 trillion in M&A transactions in 2020 to $5.1 trillion in 2021). As this trend continues into 2022, executives will be wise to secure their place in the software supply chain to help strengthen their business standing.