Software supply chain security: Finding the weakest link
In today's digital age, software reigns supreme, serving as the backbone of business and innovation for organisations worldwide. It's the driving force behind differentiation, project efficiency, cost reduction and competitiveness. Software dictates how businesses operate, manage relationships with customers, employees and partners, and get the most out of their data.
The challenge is that most software today isn't developed from scratch, or with security front of mind. Whether internally developed ('first-party') or sourced externally ('third-party'), it typically comprises complex combinations of prebuilt code blocks, many of which use open-source libraries and can be of varying age and quality.
In fact, our analysis of over 13 trillion anonymised data points from the 2023 TruRisk Research Report found that 79% of installed servers utilise open-source components.
This reality introduces vulnerabilities into what's known as the 'software supply chain,' presenting a prime target for attackers seeking to exploit weak links to gain access to critical data and systems, particularly in today's multi-cloud environments. It's of little surprise, then, that a recent survey by research firm Enterprise Strategy Group (ESG) found that a staggering 91% of respondents reported experiencing a software supply chain incident within the past 12 months.
Given these risks, safeguarding software supply chains has become more crucial. So, what steps can companies take to defend against software supply chain attacks?
Internal software management: a vital step in strengthening security
Security teams must first create a comprehensive inventory of the first-party software a company has in place, including its different components and versions.
Surprisingly, many organisations struggle to achieve this fundamental level of insight.
Why the gap? Often it comes down to reliance on manual checks and disjointed script-based testing to assess first-party software. This approach leads to inconsistent evaluations and missed vulnerabilities, exacerbated by traditional tools' failure to detect embedded open-source packages.
Expanding your security approach to encompass first-party software applications is paramount. By doing so, you empower teams to identify and prioritise risks, laying a solid foundation for robust security measures across the board.
Bills of materials - enhancing security through transparency
Third-party software presents a unique challenge: without ownership, assessing the security risks lurking within is difficult. Enter the Software Bill of Materials (SBOM), a solution gaining traction in the cybersecurity landscape.
SBOMs offer vital insights by listing all components used in an application, empowering teams to identify vulnerabilities and prioritise and manage risks effectively. While still emerging, SBOMs are gathering regulatory support globally.
For example, the Australian Cyber Security Centre (ACSC) underscored SBOMs' importance in its "Guidelines for Software Development", released in March 2023, and the US Government and the European Union have mandates around SBOMs, highlighting their significance in bolstering cyber resilience.
Despite this, SBOMs often languish on the CISO's to-do list amid competing priorities. Yet, their implementation remains pivotal in safeguarding against evolving cyber threats, warranting attention and action from businesses worldwide.
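As an added example (not code from the original article), a minimal SBOM consumer in Python: it parses a constructed CycloneDX-style component list, compares each component's version with a constructed advisory feed that uses placeholder IDs rather than real CVEs, and ranks the matches so a team can prioritise upgrades. The same inventory-then-match step applies to the first-party component inventory described earlier; component names, versions and purls are invented.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (names, versions and purls are invented)
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libparse",  "version": "1.4.2",  "purl": "pkg:generic/libparse@1.4.2"},
    {"type": "library", "name": "netclient", "version": "3.0.10", "purl": "pkg:generic/netclient@3.0.10"},
    {"type": "library", "name": "jsonutil",  "version": "2.2.0",  "purl": "pkg:generic/jsonutil@2.2.0"}
  ]
}"""

# Constructed advisory feed with placeholder IDs (not real CVEs); "fixed_in" is the first safe version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "libparse",  "fixed_in": "1.5.0", "cvss": 9.8},
    {"id": "ADV-EXAMPLE-002", "name": "netclient", "fixed_in": "3.0.9", "cvss": 7.5},
    {"id": "ADV-EXAMPLE-003", "name": "jsonutil",  "fixed_in": "2.2.1", "cvss": 5.3},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric comparison so that 3.0.10 > 3.0.9 (a plain string compare gets this wrong)."""
    return tuple(int(p) for p in v.split("."))

def load_components(sbom_json: str) -> List[Dict]:
    """Return the component list from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return bom.get("components", [])

def find_vulnerable(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Match installed components against advisories; highest CVSS first."""
    hits = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append({"component": comp["purl"], "advisory": adv["id"],
                             "cvss": adv["cvss"], "upgrade_to": adv["fixed_in"]})
    return sorted(hits, key=lambda h: h["cvss"], reverse=True)

if __name__ == "__main__":
    for hit in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f'{hit["cvss"]:>4}  {hit["component"]}  {hit["advisory"]}  upgrade to {hit["upgrade_to"]}')
```

Note that netclient 3.0.10 is correctly reported as safe because the version compare is numeric, not lexical.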
Improving overall processes around security
Like any security endeavour, safeguarding the software supply chain hinges on the data coming in and how quickly that information can be turned into action. However, the complexity of modern software means it's easy to overlook potential vulnerabilities, whether in your own organisation's software or products from other companies or sources.
Enhancing security begins with acquiring comprehensive data. Yet data alone isn't enough: it must be contextualised to be actionable. Without this insight, prioritising changes within your applications or holding suppliers accountable for updates becomes daunting. Equally, managing potential risks and averting problems before they arise becomes a formidable task.
As such, a holistic approach to risk and software governance is essential. By integrating data on first-party and third-party application risks, your team can better understand the potential threats, identify necessary changes, and facilitate efficient problem resolution.
The turn of technology
Staying vigilant against evolving cyber threats is crucial, particularly amid a shortage of critical security skills.
This is where it's essential to capitalise on technology to automate data gathering, attain continuous insights into your software infrastructure and prioritise risks effectively, so that potential threats are addressed before they escalate.
However, the proliferation of disparate security tools across fragmented environments can lead to confusion as they offer different perspectives on organisational risk, hindering effective risk management and remediation efforts.
What's needed is a unified platform that consolidates data across environments, including multi-cloud, providing comprehensive visibility and context for efficient security issue resolution, facilitating collaboration among security, IT, and development teams, streamlining risk mitigation efforts and safeguarding critical applications.
In particular, modern AI-powered tools can now effortlessly scan open-source software across various compute workloads, significantly reducing supply chain risk by identifying vulnerabilities in multi-cloud environments and facilitating swift issue resolution.
Similarly, cyber security asset management solutions can help address the challenge of managing unknown or unmanaged assets, including software, as well as cloud-based workloads and IoT devices. By leveraging such tools to sniff network traffic, customers have identified an average of 34% more unmanaged and untrusted assets, seamlessly integrating them into their vulnerability management programs with business context and risk assessment.
Final thoughts
In a landscape where supply chain attacks are on the rise, the importance of securing software components cannot be overstated and requires ongoing vigilance and dedication. Businesses must address gaps in supply chain security by adopting a comprehensive approach and fostering a culture of security awareness.
By prioritising supply chain security and promoting transparency and accountability, businesses can fortify their software operations and safeguard against emerging threats in an ever-evolving digital landscape.