In today’s interconnected world, supply chains are more vulnerable than ever to disruptions.
From cyberattacks to geopolitical tensions and natural disasters, a multitude of risks can cause significant disruptions in the flow of goods and services. For example, in March 2022, a cyberattack on a key Toyota supplier forced the automaker to shut down 14 plants in Japan, disrupting the production of about 13,000 vehicles. The attack demonstrated how disruptions at a single supplier could cascade through the entire supply chain, causing significant financial and operational impacts.
The Enterprise Software used by the companies are one of the key targets for the cyberattacks. This ever-growing sector of spending for the organizations is constantly being attacked for the purposes of data as well as ransomware.
A recent example of a software supply chain attack was an attack on polyfill.js. This popular open-source software library was used by numerous web-based software applications. After a takeover of the domain, the provider started injecting malicious code into end-user applications on June 25, 2024. As a result, a security firm reported that 100 thousand sites, some containing sensitive applications and data, were compromised.
To navigate the complex software supply chain landscape, organizations need to adopt a proactive stance on disruption preparedness, leveraging tools like Software Bill of Materials (SBOM) and Pipeline Bill of Materials (PBOM) while developing customized policies that address or mitigate specific cyber risks.
Growing Importance of SBOM and PBOM in Disruption Preparedness
Both SBOM and PBOM are critical tools that help organizations maintain visibility and control over their supply chains.
An SBOM is a structured list of all components, libraries, and dependencies involved in a piece of software. Similarly, a PBOM offers a dynamic record of everything the software has undergone, from cloud to code. Together, these documents are essential for understanding and managing supply chain risks in real time, as they enable organizations to prepare and respond to the disruptions.
SBOM: Ensuring Software Supply Chain Security
An SBOM is increasingly vital in cybersecurity, especially as software vulnerabilities continue to rise since it enables
- Identify Risks: By providing a comprehensive inventory of all software components, an SBOM helps identify vulnerabilities or outdated components that could be exploited.
- Ensure Compliance: Regulatory bodies, such as the U.S. government, have begun mandating the use of SBOMs for vendors supplying software to federal agencies.
- Facilitate Response: In the event of a security breach, an SBOM allows for rapid identification of vulnerable components and facilitates a faster response.
For example, the SolarWinds attack in 2020, where hackers inserted malicious code into software updates, highlighted the need for comprehensive visibility into software supply chains. If more companies had maintained SBOMs, identifying the malicious component could have been faster and more efficient.
Another example on the importance of SBOMs has to do with the discovery of the Log4j vulnerability in late 2021, which affected millions of devices worldwide. Organizations using Log4j in their software had to act quickly to identify and mitigate the vulnerability. Those with detailed SBOMs were better positioned to respond swiftly, while others faced delays in locating affected systems and were vulnerable to suffer significant disruptions once the vulnerability was disclosed publicly.
PBOM: Beyond SBOM
The PBOM serves as a critical tool for both software and supply chain management beyond SBOM. Most critically, PBOM adds focus on the software development pipeline, exposing the artifacts and tools that engineers use to compose applications. By maintaining a detailed inventory of all software components, dependencies and material used in software development, PBOM allows organizations to:
- Observe Software Pipeline Security: PBOM automatically monitors all software pipeline elements, including branches, builds, pull requests, tickets, known issues, and vulnerability management.
- Comprehensive Code Integrity: PBOM reports compliance to the policies ensuring that the software is built from the correct source code and dependencies and confirming that no unauthorized changes are made during the build process. PBOM alerts if any potentially harmful or malicious code is being introduced through a compromised pipeline.
- Auditing Software Lifecycle: PBOM continuously tracks changes in the software pipeline, documenting modifications and tracing each software release from the first line of code to the production environment. The list reported within PBOM includes all version lineage, SLSA.dev, SaaSBOM, security tool results, and build hashes.
Creating Customized Policies for Disruption Preparedness
Organizations must realize that one-size-fits-all policies are no longer sufficient in today’s complex supply chain environment. Customized policies are essential to address unique risks based on industry, geography, regulatory requirements, and the specific needs of the business. Here are some examples of what these policies should include:
- Risk Assessment and Prioritization: companies should conduct regular risk assessments that consider internal and external threats. They should prioritize risks based on potential impact and likelihood.
- Open Source Software: The software development teams will continue to use open source software to accelerate development and gain agility. Creating proper guidelines around open source software utilization and performing regular audits for obsolete or vulnerable versions can reduce the risks and increase responsiveness to the disruptions.
- Incident Response Plans: Customized incident response plans are crucial. These plans should be tested regularly through drills and simulations to ensure all stakeholders are prepared to respond effectively.
- Regulatory Compliance: Different industries and regions have distinct regulatory requirements. Organizations should ensure their policies are aligned with local and international regulations.
Enhancing Disruption Preparedness
Given the increasing complexity and interconnectedness of supply chains, organizations must adopt a multi-layered approach to disruption preparedness. Here are some key strategies:
- Adopt SBOM and PBOM Best Practices: Ensure comprehensive and up-to-date SBOMs and PBOMs are maintained for all software products. Automate the creation and maintenance of these documents wherever possible to ensure accuracy and efficiency.
- Invest in cybersecurity: Regularly update and patch software to protect against known vulnerabilities. Implement advanced security measures such as multi-factor authentication, encryption, and continuous monitoring to detect and respond to threats in real time.
- Strengthen Third-party Risk Management: Develop robust vendor management programs that include risk assessments, audits, and continuous monitoring of third-party suppliers. Consider diversifying suppliers to reduce dependence on single sources.
- Conduct Regular Training and Simulations: Train employees and stakeholders on identifying and responding to supply chain threats. Conduct regular simulations to test the effectiveness of incident response plans.
- Implement Resilient and Agile Policies: Develop policies that emphasize flexibility and resilience. This includes creating buffer stock, diversifying supply sources, and investing in digital technologies that provide real-time visibility into supply chain operations.
In an era where supply chain disruptions can have far-reaching consequences, organizations must take a proactive approach to preparedness. By leveraging tools like SBOM and PBOM, creating customized policies and learning from recent security breaches, businesses can build resilience against future disruptions. The stakes are high, but with the right strategies in place, organizations can safeguard their supply chains and ensure continued growth and stability in an uncertain world