A Multi-Prong Approach to Cyber Resilience Is Necessary
Most companies have targeted different pieces of the software supply chain, focusing on software security, vendor security, or monitoring their applications for malicious activity.
Securing the software supply chain is no longer optional. In May 2021, the Biden administration issued Executive Order 14028, Improving the Nation's Cybersecurity,⁹ which calls for removing barriers to information sharing (Section 2) and enhancing software supply-chain security (Section 4). Among the required improvements, companies must work with the National Institute of Standards and Technology (NIST) and other government agencies to create a plan. NIST has already released a draft document¹⁰ that calls for Software Bills of Materials (SBOMs) and enhanced security assessments of vendors. The effort will likely spread beyond the US, as global companies will have to meet these requirements to do business with US government agencies.
Securing Your Supply Chain Requires a Multi-Prong Approach
Just as the software supply chain is an interrelated combination of complex systems, the effort to secure the entire ecosystem requires a multi-disciplinary approach. Companies should bring together teams from software development, operations, legal, human resources, and business to create a holistic approach to producing resilient software.
1. Not just technology, but people and process. A single technology, or even a group of technologies, will not solve any company's software supply chain problems. An employee culture that embraces cybersecurity, together with documented and constantly updated processes, is the foundation of a secure software supply chain.

2. Protect the software development pipeline. While a secure development lifecycle (SDLC) is a start, companies should go beyond a pipeline designed to catch inadvertent vulnerabilities toward a resilient approach designed to catch changes by untrusted actors and code that behaves anomalously. NIST has published a document to guide developers in auditing their software, the Recommended Minimum Standards for Vendor or Developer Verification (Testing) of Software, which aims to help firms secure software used by US federal agencies.

3. Produce high-quality software. Companies need to make sure that vulnerabilities are quickly detected before software is deployed and that patches are applied in a timely manner. Static scanners, dynamic tests on staging servers, and interactive application security testing can all help catch vulnerabilities before they debut in publicly released software. Currently, only about half of development teams use software composition analysis (SCA) tools and static application security testing (SAST) tools, while fewer firms, about four in ten, use infrastructure-as-code (IaC) or web application scanners.¹¹

4. Respond quickly to vulnerabilities. Even with overlapping checks and balances, vulnerabilities will get deployed to products and services. In those cases, companies should have a process in place to quickly identify, confirm, and remediate them.
To secure the software supply chain, the technology components need to work together. CyberRes has a portfolio of tightly integrated products that address the different facets of supply-chain security.