Conclusion
Software supply chains form a complex ecosystem that allows companies to innovate quickly by reusing common components. The strength of the ecosystem, however, can also be a weakness if attackers are able to compromise the open-source projects, the resulting components, or the vendors on which companies rely for their software and services.
Software development teams should use information about open-source projects to determine how well they follow software security best practices, monitor the projects for anomalies that could indicate a compromise, and analyze any imported code for vulnerabilities and potentially malicious changes.
Next Steps
Companies should:
- form a process by which application teams submit whitelist requests for new components and security teams review and approve them
- form an interdisciplinary team to set policy for using external software in a way that allows innovation but reduces security risk
- educate themselves on software supply chain risk
- identify all open-source components used in current software projects to create software bills of materials (SBOMs)
- determine, using metrics, whether those software projects and components meet the current policy
- monitor for software changes that could indicate the source has been compromised
- have security advocates raise awareness of the approved (whitelisted) components among development teams
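The SBOM, allowlist and metrics steps above can be tied together in a single policy check. The following is an added example, not code from the report or any vendor tool: it reads a constructed SBOM fragment in a CycloneDX-like JSON shape, compares each component against a constructed allowlist of approved package URLs and versions, and scores it against constructed project-health metrics (maintainer count, release recency, signed releases). All field names, metric names and thresholds are assumptions chosen for illustration; a real deployment would read the SBOM produced by its build tooling and the allowlist maintained by the security team.

```python
"""Check a software bill of materials (SBOM) against a component allowlist and policy.

Added example (not from the report). The SBOM, allowlist, metrics and policy
thresholds below are all constructed; field names are assumed to resemble
CycloneDX JSON ("components", "name", "version", "purl").
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed SBOM fragment in a CycloneDX-like shape (assumption, not real output).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "leftpad-clone", "version": "0.1.0", "purl": "pkg:pypi/leftpad-clone@0.1.0"},
    {"name": "urllib3", "version": "1.26.5", "purl": "pkg:pypi/urllib3@1.26.5"}
  ]
}
"""

# Constructed allowlist maintained by the security team: package URL without
# version -> set of approved versions.
ALLOWLIST = {
    "pkg:pypi/requests": {"2.31.0"},
    "pkg:pypi/urllib3": {"2.0.7", "2.1.0"},
}

# Constructed project-health metrics gathered per package (assumed field names).
METRICS = {
    "pkg:pypi/requests": {"maintainers": 5, "days_since_release": 40, "signed_releases": True},
    "pkg:pypi/urllib3": {"maintainers": 4, "days_since_release": 20, "signed_releases": True},
    "pkg:pypi/leftpad-clone": {"maintainers": 1, "days_since_release": 900, "signed_releases": False},
}

# Constructed policy thresholds (assumptions).
POLICY = {"min_maintainers": 2, "max_days_since_release": 365, "require_signed": True}


@dataclass
class Finding:
    purl: str
    reason: str


def base_purl(purl: str) -> str:
    """Strip the version suffix: pkg:pypi/requests@2.31.0 -> pkg:pypi/requests."""
    return purl.split("@", 1)[0]


def evaluate_sbom(sbom_json: str, allowlist: dict, metrics: dict, policy: dict) -> list[Finding]:
    """Return one Finding per policy violation for every component in the SBOM."""
    sbom = json.loads(sbom_json)
    findings: list[Finding] = []
    for comp in sbom.get("components", []):
        purl = comp["purl"]
        base = base_purl(purl)
        version = comp.get("version", "")

        # 1. Allowlist check: anything not already approved needs a whitelist
        #    request from the application team and review by the security team.
        if base not in allowlist:
            findings.append(Finding(purl, "component not on allowlist: whitelist request required"))
        elif version not in allowlist[base]:
            findings.append(Finding(purl, f"version {version} not approved (approved: {sorted(allowlist[base])})"))

        # 2. Metric checks against the written policy.
        m = metrics.get(base)
        if m is None:
            findings.append(Finding(purl, "no project metrics recorded: cannot evaluate policy"))
            continue
        if m["maintainers"] < policy["min_maintainers"]:
            findings.append(Finding(purl, f"only {m['maintainers']} maintainer(s)"))
        if m["days_since_release"] > policy["max_days_since_release"]:
            findings.append(Finding(purl, f"last release {m['days_since_release']} days ago"))
        if policy["require_signed"] and not m["signed_releases"]:
            findings.append(Finding(purl, "releases are not signed"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by component purl so each component is reported once."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.purl, []).append(f.reason)
    return report


if __name__ == "__main__":
    for purl, reasons in summarize(evaluate_sbom(SBOM_JSON, ALLOWLIST, METRICS, POLICY)).items():
        print(purl)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, the script reports nothing for requests (approved and healthy), one finding for urllib3 (an unapproved version of an approved package), and four for leftpad-clone (not on the allowlist, a single maintainer, a stale release and unsigned releases). Keeping the allowlist keyed by versionless package URL, with versions as a separate set, lets the security team approve a package once and then add versions as they are reviewed, which matches the request-and-approval process described above.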