Software supply chains form a complex ecosystem that allow companies to innovate quickly by using common components. The strength of the ecosystem, however, can also be a weakness if attackers are able to compromise the open-source projects, the resulting components, or the vendors on which companies rely for their software and services.

Software development teams should use information about open-source projects to determine how well they follow software security best practices, monitor the projects for anomalies that could indicate a compromise, and analyze any imported code for vulnerabilities and potentially malicious changes.

Next Steps

Companies should:

  • form a process to generate whitelist request(s) by the application teams and approval for the new component(s) by the security teams
  • form an interdisciplinary team to set policy for using external software in a way that allows innovation but reduces security risk
  • educate themselves on software supply chain risk
  • identify all open-source components used in current software projects to create software bills of materials (SBOMs)
  • determine whether those software projects and components meet the current policy using metrics, and
  • monitor for software changes that could indicate the source has been compromised
  • security advocate awareness towards the approved or whitelist components

Contact us at

Like what you read? Share it.