The First Thing about Software Supply Chain Security

The information and data provided below come from our Ultimate Guide to Connected Device Security report. Click here to access the complete report. 

Nearly 70% of organizations surveyed by the Linux Foundation report being very or extremely concerned about the security of the software they use. When that software powers critical infrastructure systems in sectors such as energy, telecom, or health care, the stakes to society rise high.   

Cyber attackers are constantly seeking new entry points when they target their victims. 

Even if you have designed and implemented seemingly impenetrable product security and risk management controls, what about your suppliers? What happens when you purchase products with connected devices, embedded systems, and open-source code manufactured by other organizations or even individuals with smaller or non-existent risk management budgets? In your own product security control processes, do you have to take binaries at face value? 

When you cannot see inside all the components of the products in your asset inventory, your software supply chain risk (and that of your customers too) grows. And so does your risk of a cybersecurity attack.  

"Supply chain risks are the next big thing," says PwC in a recent industrial products publication on manufacturer cybersecurity and supply chain. Indeed, PwC research indicates that 60% of leaders in the manufacturing sector anticipate third-party threats growing this year. Fifty-eight percent expect a growing number of reportable incidents at the software supply chain level. 

What is product security? Supply chain security?

Product security includes the totality of the efforts developers and manufacturers use when they build secure products. Product security represents a critical process when products are created. In other words, it’s not a bolt-on verification added at the end of the process before shipping containers are sealed shut. 

The product security measures taken by each of your upstream manufacturers represent your supply chain security–whether it's good or bad. When your suppliers (and their suppliers) embrace a strong product security strategy, you get a more secure product, whether you sell it as a final product or a component to the final product of a downstream supply chain partner. Regardless, whether you manufacture connected products or buy, deploy, and manage them–you own this risk. Even when third parties introduce product security risk, you cannot outsource your responsibility to find and address it.

Product security cannot exist without supply chain security. Whether you are the first (or only) link in your supply chain, even one vulnerable embedded software stack can make your software highly vulnerable to threat actors. Often, that vulnerability–wherever it lies along that the software supply chain–represents a world of unseen risk, unseen to product security teams, chief product security officers, risk management professionals, and the people who rely on the resulting connected devices to function safely and fulfill their intended purpose. 
 
Among proactive product security tools, most organizations have looked to software composition analysis (SCA) as their cybersecurity focal point for 2022, followed by static application security testing (SAST), and dynamic application security testing (DAST). To build to an optimal product security program, however, organizations must also adopt more comprehensive tools such as:

• Binary Software Composition Analysis (Binary SCA), a technique that helps organizations see inside the unknown binary files lurking within their connected devices and embedded firmware. 
• Device Composition Analysis (DCA), a holistic, all-encompassing product security process that identifies all components within a device, including both hardware and software components. 

What's the risk? How do you know what vulnerabilities lurk within your connected device? 

The best defense against product security risk is a strong product security strategy that spans your connected products, whether you make them or buy them. Vulnerabilities can come from many sources within your software supply chain or even within your own product development processes. These vulnerabilities often remain unseen, hidden within the binaries skipped over by the static and dynamic software testing we have long relied on to keep our products–and the processes and people who depend on them–safe.

Whether the product security risk comes from your own development process or has slid toward you along your software supply chain, the risk of vulnerabilities in the code of your embedded systems and connected devices represents a universe of unseen risk overlooked by many risk management programs–even those well-versed in cybersecurity risk. And when vulnerabilities are not continuously surfaced, they can become threats that expose the assets of an organization to cyberattacks. 

Until recently, many cybersecurity experts downplayed, or even ignored, the risks associated with the firmware that powers all connected devices and embedded systems–even if those risks have raised concerns for years. Today, as cyber attackers seek new ways to find and exploit vulnerabilities, firmware offers a greenfield of opportunities, as threat actors like Russian ransomware group Conti have shown this year. 

In the past, the easiest fix was to do nothing at all–and hope for the best. After all, product security takes time, resources, and people to do right, and, like all controls-based initiatives, it's a cost center that hits bottom lines. On the asset owner side, when you buy an asset and the product security process isn't yours, you may be facing an uphill battle to convince a manufacturer that a vulnerability even exists–-and that they need to work with you to fix it. 

But, with cyberattacks on the rise and bad actors emerging all over the world, we can no longer be complacent when it comes to product security across your software supply chain. In our internet-connected global ecosystem, we must be continuously vigilant against threats from our adversaries. 

Who's most at risk?

Connected device use soared during the COVID-19 pandemic. The average US household now uses some 25 connected devices, including smartphones, wireless headphones, and smart home devices. That's more than double the average number of connected home devices in 2019, according to a report from Deloitte. 

That same proliferation has come to Energy, Telecom, Healthcare and other critical infrastructure sectors of our society. Even with the pandemic-era chip shortage that's slowed the recovery of the IoT market, the number of connected devices is still slated to grow 18% in 2022 to reach 14.4 billion by the end of the year. 

However, while the most common risks facing household IoT devices may materialize into theft of privacy, personal data, or sense of safety and well-being, in America's most critical sectors, the risks can grow far larger. Consider:

• Embedded devices control critical parts of national defense strategies. When embedded devices control missiles and aircraft, the implications of an attack on unseen or misunderstood vulnerabilities could rise to the level of catastrophic.
• Medical devices that regulate and control critical systems of the human body may be prone to cyberattacks as these devices become increasingly connected. The consequences of these attacks could be fatal.
• US critical infrastructure–like utilities, waste treatment plants, and transportation systems increasingly rely on connected devices whose failure could lead to widespread and far-reaching destruction and devastation.  

The risks supporting a strong product security and supply chain strategy may be clear and critical, but when it comes to securing your connected device and embedded systems, where do you start? What are the steps you can take to arrive at connected device security? 

Download the Ultimate Guide for Connected Device Security.