Digital technology has invaded the supply chain more than many people may notice or realize. Nearly every product or service that comes through a business today has software in it. But software goes out of date quickly, and new attacks and vulnerabilities come to light all the time.
Yet current compliance standards typically call for checking software-based solutions to make sure they are ok just once – on the day that you buy them. At that point, that’s the end of procurement.
Because organizations understand that these things need maintenance, they may also do an audit 12-24 months down the road to ensure that the wheels are still greased and polished, but it’s clear that traditional approaches to protecting fast-moving, highly complex software-driven products and data-driven processes no longer work. To understand and manage your cyber risk, you must do continuous verification of your digital estate – not once a year or once a month, but at least once a week.
Continuous verification is critical because a lack of software supply chain visibility puts companies, their customers and supply chain partners at risk – and that risk is growing. Cyber security approaches based on erecting walls around the IT estate miss a lot of classes of threats, and worse, can even get in the way of keeping up.
Gartner’s “Emerging Tech: A Software Bill of Materials Is Critical to Software Supply Chain Management” report indicates that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. Crucially, the change needed to reverse this trend is for organizations to embrace the principles of supply chain integrity, transparency and trust (SCITT) in their digital and digitized operations.
Here is what you can do to understand and address your own risk and meet new requirements.
Start incorporating SCITT into your other supply chain activities as soon as possible
Don’t delay in implementing SCITT into your lifecycle artifacts, asset handling and decision-making processes. Federal advice from The White House and the National Institute of Standards and Technology (NIST) backs up the need to incorporate SCITT into your supply chain activities.
The first section of the White House’s Office of Management and Budget (OMB) September 2022 memo says that federal agencies are required to obtain a self-attestation, which serves as a NIST Guidance conformance statement, from software producers before using their software.
In addition to existing NIST guidance, NIST’s National Cybersecurity Center of Excellence is developing DevSecOps practices to improve the security of organizations using software and others in their supply chains. The project description notes “the project intends to demonstrate how an organization can generate artifacts as a byproduct of its DevSecOps practices...”
These efforts highlight that the old approach to supply chain risk management is insufficient to address today’s highly complex, diverse supply chain ecosystems and the risks they present.
Use SBOMs to get visibility into your software stack and drive quality assurance
Gartner estimates that 40-80% of the lines of code in new software projects come from third parties. The fact that various software from multiple sources often exists within a single solution can make it challenging to get accurate, complete and current software visibility.
Because vendors often don’t disclose what software lives within their hardware and software, security and risk leaders are blind to their risks. So, when big hacks arise, their only response is to panic and wait for their vendors to inform them. But they no longer need to wait and worry.
Software bills of materials (SBOMs) – essentially software ingredient lists – are an important first step toward SCITT.
The U.S. government popularized the SBOM concept in its efforts to secure software used by federal government agencies and within critical infrastructure. The OMB memo, related to Executive Order 14028, notes that U.S. government agencies may require software producers to supply SBOMs “to demonstrate conformance to secure software development practices.”
And, in general, the visibility provided by SBOMs allow any organization to act more quickly and begin taking control of its own risk relating to the software it uses whilst holding vendors more accountable.
Understand and address the challenges of sharing and identifying relevant SBOMs
SBOMs are of no use unless they are shared. But with thousands of vendors each talking to thousands of customers, getting them all to the right place at the right time is a thorny problem. Email certainly won’t cut it, nor would thousands of different Dropbox accounts.
Getting SBOMs from vendors to customers requires a scalable, reliable and automated approach. To ensure you can automate, require vendors provide SBOMs in industry-standard, machine-readable formats.
Knowing what SBOMs exist and identifying which ones are relevant can also be a challenge. On any given day, you won’t know all the hacks that have occurred, what viruses were discovered and what software needs updating. But you don’t have to chase down the latest details on every one of your vendors. Instead, adopt tools that provide a fast, reliable way to do index searching to find the latest SBOMs for the most current versions of software that you use.
Improve your resilience posture, accelerate operations and then start to get physical
An SBOM provides a point-in-time view of what went into a piece of software at its creation, but it is only the first step to SCITT. Details about where the software has been, who released it, when the release came out, when it was installed and other handling information are arguably more important to supply chain professionals like you as you work to keep your organization safe and pass your end-of-year audits efficiently.
You can’t entirely eliminate software supply chain threats. But you can implement measures to understand what you are dealing with, identify threats as quickly as possible and build systems to be far more resilient to help you survive even the most catastrophic cyber events.
That’s why we’re hearing so much about SBOMs lately, and it is why governments around the world are working in earnest to help establish rules and guidelines to drive supply chain transparency. So, now is the time to evaluate the workflows that will work best for you, seek out third-party experts who can help devise your strategy, and find solutions that will enable you to understand your supply chain risks and how to address them without spending untold amounts of time and money and having to manually verify your compliance and security information.
The need to act is clear when you consider the scale at which software impacts your business operations and deliverables – whether that software is used to run your enterprise applications, power Internet of Things (IoT) devices and related operational technology and enable the products and services that you provide to customers and partners.
If you implement integrity, transparency and trust according to machine-readable standards and work with reputable vendors, you can increase cybersecurity posture, decrease business risk and accelerate supply chain operations by automating away the manual checks, airlocks and break points that exist in today’s unmanaged, invisible world. And you can begin to envision how to apply this model to boxes and containers in the physical world, too.
