With developers relying on third-party software more than ever, managing software supply chain risks has become a critical concern. As the development process becomes more complex, incorporating layers of third-party components, the risks associated with these dependencies also increase. While leveraging third-party solutions can accelerate time-to-market, it also exposes organizations to unknown vulnerabilities that need to be proactively managed.
Understanding Software Supply Chain Risks
Software supply chain risks became painfully clear with incidents like the SolarWinds and MOVEit breaches. These attacks demonstrated the profound impact such vulnerabilities can have, affecting organizations across various industries. As Adam Ennamli, Chief Risk and Security Officer at General Bank of Canada, explains, “Virtually every application nowadays is a complex patchwork of third-party components.”
This complexity creates unforeseen risks when open-source components become outdated or vulnerable. Additionally, some open-source projects are deliberately sabotaged, increasing the chances of malicious code infiltrating your software ecosystem.
The Importance of Visibility
Effective risk management starts with visibility. Organizations must track what code is running in their environments, who maintains it, and how it’s being updated. Merely scanning packages is no longer sufficient; understanding the entire ecosystem your applications depend on is essential.
Jeremy Ventura, Field CISO at Myriad360, emphasizes the importance of understanding the flow of data within and outside the organization. This includes asking vital questions such as: Who has access to my data? Where is it being sent? And when is it being accessed? These are crucial concerns technology leaders should address daily to protect sensitive data and maintain trust.
Making Risk Management a Team Effort
Managing software supply chain risks is not a task that can be handled by developers or CISOs alone. It requires collaboration across various departments—security, IT, legal, and development teams must work together to effectively defend against and respond to supply chain risks.
According to Ventura, “Spearheading the program typically falls under the CISO or the security team, as cybersecurity risks should be considered business risks.” However, the responsibility must be shared, as these risks affect many aspects of the business.
Common Mistakes in Managing Supply Chain Risks
One major mistake organizations make is underestimating the risks due to complacency. Believing that “if we haven’t had an issue before, why fix it now?” can be a dangerous mindset. This false sense of security can result in major vulnerabilities going unchecked. Another common mistake is relying too heavily on vendor assessments. While a vendor may claim to be secure, this should never be taken at face value without proper verification.
Failing to address supply chain risks can lead to severe consequences, including data breaches, financial losses, regulatory fines, and reputational damage. A recent case involved a healthcare organization suffering a data breach due to a third-party vendor’s security lapse, leading to regulatory penalties and the loss of patient data.
Best Practices for Managing Software Supply Chain Risks
To effectively manage software supply chain risks, organizations should focus on:
- Visibility into Data: Invest in tools that provide comprehensive software bill of materials (SBOMs) for auditing purposes, and regularly assess risks related to software vendors.
- Cross-Department Collaboration: Ensure security is a shared responsibility across all departments, from IT and development to legal and procurement.
- Automated Tools: Leverage automated or semi-automated tools for tracking dependencies and vulnerabilities.
- Security-Focused Culture: Foster a security-first mindset across the organization, where developers are encouraged to report suspicious packages and security risks.
The Role of SBOMs and Dependency Tracking
Software Bill of Materials (SBOMs) and dependency tracking tools like OWASP Dependency-Check are critical for managing third-party software risks. However, these tools should not be relied upon in isolation. As Joseph Leung, CTO at JAVLIN Invest, advises, creating policies for vetting libraries and performing regular security reviews within the dev pipeline is key to instilling a security-focused culture within development teams.
The rapid pace of vulnerability disclosures can overwhelm teams, but maintaining a comprehensive understanding of the components in use and their vulnerabilities is vital for mitigating risks.
The root cause of many software supply chain vulnerabilities is the lack of visibility into third-party components used across applications. To protect against risks, organizations must implement a combination of tools, processes, and cross-department collaboration. By prioritizing visibility and creating a culture of security, organizations can better manage supply chain risks, protecting their software, data, and ultimately their reputation.
