Finite State Blog

Is Software Supply Chain Security on Your Risk Register? It Should Be.

Written by Kelly West | Aug 22, 2024 6:18:47 PM

The increasing complexity of software ecosystems and the rising frequency of supply chain attacks make it imperative for organizations to address their software supply chain security head-on. 

In March 2023, the U.S. White House introduced its National Cybersecurity Strategy, signaling a significant shift in how cybersecurity liability is assigned. The strategy aims to move liability for insecure software onto the companies that build it, making them more accountable for the security of their products and services, and to the customers who use them. 

A few months later, on July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules mandating cybersecurity disclosures for public companies. This move emphasizes the growing importance of cybersecurity in corporate governance and underscores the need for comprehensive risk management strategies that include software supply chain security.

Your organization’s risk register needs to reflect this.


The Growing Threat of Software Supply Chain Attacks

Supply chain security is a long-established discipline; software supply chain security is a relatively new one. Even so, it is one that no organization can afford to ignore. 

In recent years, attackers have caused considerable damage by exploiting vulnerabilities in, or inserting malicious code into, open-source libraries that many developers rely on. A single compromised component affects not only that component but every application built on top of it. The 2020 SolarWinds breach demonstrated the same dynamic for commercial software: a trojanized build of the Orion product was delivered through the vendor's own update channel, exposing the networks of high-profile organizations, including Microsoft, Intel, and the U.S. Department of State.

And software supply chain attacks like these are only becoming more frequent.

(Figure not reproduced here; source: Usenix)

Because of this mounting threat (and the resulting increase in government regulation), board risk and audit committees must ensure that software supply chain security is included in their risk registers. 


External factors pushing software supply chain security into risk registers

While the rising threat of third-party vulnerabilities should be reason enough to consider this discipline in your risk assessments, several other factors are pushing boards to increase their attention to software supply chain risks, namely government regulation and thought leadership in the tech space.

Government regulations 

Governments around the world are prioritizing software supply chain security. In May 2021, U.S. President Biden issued Executive Order 14028, Improving the Nation's Cybersecurity, which directs NIST to publish guidance for software sold to the federal government. That guidance includes providing purchasers with a Software Bill of Materials (SBOM) for each product and participating in a vulnerability disclosure program (Sec. 4(e)(vii)–(viii)).

Additionally, the aforementioned 2023 National Cybersecurity Strategy aims to “rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity […] onto the organizations that are most capable and best-positioned to reduce risks.”

However, this focus on supply chain security isn't confined to the U.S. For example, in 2022, Canada introduced Bill C-26, which would require operators of designated critical cyber systems in federally regulated sectors to run cyber security programs, mitigate supply chain and third-party risks, and report incidents, reflecting a broader global trend toward stricter cybersecurity regulation.


Industry best practices and frameworks

Non-regulatory bodies are also advocating for better software supply chain security practices. Days after the White House published Biden's 2021 executive order, the Cloud Native Computing Foundation released a 45-page paper detailing software supply chain best practices.

In an accompanying press release, CNCF Security TAG co-chair Emily Fox stated, "it is critical that organizations and open source communities seriously consider not only what their software does but the mechanisms by which it comes to be. […] Now is the time to thoughtfully consider a better, more secure end-to-end architecture responsible for our innovations.”

The following month, June 2021, Google introduced its SLSA framework, which “formalizes criteria around software supply chain integrity, to help the industry and open-source ecosystem secure the software development lifecycle.”

Since then, consulting firms such as EY and KPMG have increasingly integrated these and other frameworks into their advisory services. This trend is expected to accelerate, especially in light of the 2023 National Cybersecurity Strategy outlined by the Biden administration. If your consulting firm hasn't yet addressed software supply chain security in your risk assessments, now is the time to prioritize it.


How to incorporate software supply chain security into your risk register

Given the rising threats and regulatory pressures, ensuring that your risk register adequately addresses software supply chain security is crucial. Here are the steps to take:

  1. Evaluate Your Current Risk Register:
    Start by reviewing your existing risk register. If software supply chain security isn’t already included, make it a priority to add it during your next risk or audit committee meeting.

  2. Categorize Appropriately:
    Ensure that software supply chain risks are categorized appropriately. For most organizations, these risks fall under operational risks and should be treated as a core aspect of cybersecurity. However, if your organization has a mature supply chain management process, grouping this under general supply chain security risks may be more appropriate.

  3. Require SBOMs from Vendors:
    A Software Bill of Materials (SBOM) is a comprehensive list of the components used in a software product. Requiring your software vendors to provide SBOMs lets you monitor for vulnerabilities in those components yourself rather than waiting for the vendor to tell you. An SBOM is only useful if it is machine-readable (SPDX or CycloneDX), names each component's supplier, version, and a unique identifier such as a package URL, and is refreshed with every release; a PDF listing of library names without versions cannot be matched against vulnerability data. Start by requesting SBOMs from your current vendors and write the requirement, including the format, into future vendor contracts.

  4. Utilize a Software Composition Analysis (SCA) Tool:
    An SCA tool scans your applications for known third-party vulnerabilities. A robust SCA solution, like Finite State, not only identifies vulnerabilities but also prioritizes them, helping your developers address the most critical issues first. 

    Check out our buyer's guide for more details on choosing the right product security solution.

  5. Develop a Plan for Unfixed Vulnerabilities:
    Many organizations carry known vulnerabilities in their codebases, whether because an open-source component has no fix yet, because an upgrade would break something, or because of resource constraints. Whatever the reason a vulnerability remains, you need a plan for each one: who owns it, which compensating controls reduce its exposure, and when it will be reviewed again. An accepted risk with no owner and no review date is not a plan; it is a finding waiting to be rediscovered by an auditor or an attacker. 


Software supply chain security belongs on your risk register

The risks associated with software supply chain vulnerabilities are too significant to ignore. As regulatory frameworks tighten and cyber threats evolve, ensuring that your organization’s risk register reflects the importance of software supply chain security is essential. By taking proactive steps now, you can protect your code, customers, and reputation from the potentially devastating effects of a supply chain attack.

If you’re looking for a robust solution to secure your software supply chain, Finite State offers comprehensive tools to help you protect your applications from third-party vulnerabilities. Book a demo today to see how our SCA tool can enhance your cybersecurity strategy.