The increasing complexity of software ecosystems and the rising frequency of supply chain attacks make it imperative for organizations to address their software supply chain security head-on.
In March 2023, the U.S. White House introduced its National Cybersecurity Strategy, signaling a significant shift in the landscape of cybersecurity liability. This strategy aims to shift liability for cybersecurity onto software companies, making them more accountable for the security of their products and services and to the customers who use them.
A few months later, on July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules mandating cybersecurity disclosures for public companies. This move emphasizes the growing importance of cybersecurity in corporate governance and underscores the need for comprehensive risk management strategies that include software supply chain security.
Your organization’s risk register needs to reflect this.
While supply chain security has been around for a long time, software supply chain security is still a relatively new discipline. Still, it’s one that no organization can afford to ignore.
In recent years, hackers have caused considerable damage by finding vulnerabilities in open-source libraries that many developers rely on. A single compromised library can grant attackers access not only to the core library itself but also to all the applications built on top of it, a fact that was starkly demonstrated by the 2020 SolarWinds breach, which exposed the networks of high-profile organizations, including Microsoft, Intel, and the U.S. Department of State.
And software supply chain attacks like these are only becoming more frequent.
(Source: Usenix)
Because of this mounting threat (and the resulting increase in government regulation), board risk and audit committees must ensure that software supply chain security is included in their risk registers.
While the rising threat of third-party vulnerabilities should be reason enough to consider this discipline in your risk assessments, several other factors are pushing boards to increase their attention to software supply chain risks, namely government regulation and thought leadership in the tech space.
Government regulations
Governments around the world are prioritizing software supply chain security. In May 2021, U.S. President Biden issued an executive order to enhance software supply chain security. This includes requirements for companies selling to critical sectors to provide Software Bills of Materials (SBOMs) and participate in vulnerability disclosure programs (Sec. 4.e.vii–viii).
Additionally, the aforementioned 2023 National Cybersecurity Strategy aims to “rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity […] onto the organizations that are most capable and best-positioned to reduce risks.”
However, this focus on supply chain security isn't just confined to the U.S. For example, in 2022, Canada introduced Bill C-26, which imposes new responsibilities on software vendors, reflecting a broader global trend toward stricter cybersecurity regulations.
Non-regulating entities are also advocating for better software supply chain security practices. Days after the White House published Biden’s 2021 executive order, the Cloud Native Computing Foundation released a 45-page paper detailing software supply chain best practices.
In an accompanying press release, CNCF Security TAG co-chair Emily Fox stated, “it is critical that organizations and open source communities seriously consider not only what their software does but the mechanisms by which it comes to be. […] Now is the time to thoughtfully consider a better, more secure end-to-end architecture responsible for our innovations.”
Two months later, Google introduced its SLSA framework, which “formalizes criteria around software supply chain integrity, to help the industry and open-source ecosystem secure the software development lifecycle.”
Since then, consulting firms such as EY and KPMG have increasingly integrated these and other frameworks into their advisory services. This trend is expected to accelerate, especially in light of the 2023 National Cybersecurity Strategy outlined by the Biden administration. If your consulting firm hasn't yet addressed software supply chain security in your risk assessments, now is the time to prioritize it.
Given the rising threats and regulatory pressures, ensuring that your risk register adequately addresses software supply chain security is crucial. Here are the steps to take:
The risks associated with software supply chain vulnerabilities are too significant to ignore. As regulatory frameworks tighten and cyber threats evolve, ensuring that your organization’s risk register reflects the importance of software supply chain security is essential. By taking proactive steps now, you can protect your code, customers, and reputation from the potentially devastating effects of a supply chain attack.
If you’re looking for a robust solution to secure your software supply chain, Finite State offers comprehensive tools to help you protect your applications from third-party vulnerabilities. Book a demo today to see how our SCA tool can enhance your cybersecurity strategy.