Digital Supply Chain Security From the Ground Up

September 13, 2022

Visibility, control and rapid response are the keys to managing mounting complexity


Supply chains recently took a battering. The pandemic created huge roadblocks, from closed factories in Asia to port facilities under lockdown. Then the war in Ukraine added new logistics headaches and cut the supply of many essential goods from Eastern Europe. The good news is that digital supply chains are not exposed to the same disruptive forces. But that doesn’t mean they are free from risk.


The digital supply chain is a vast and complex web of interconnected components and companies, which represents a growing threat to enterprise security. It’s reported that attacks leveraging this ecosystem surged 300% between 2020 and 2021. Visibility and control across the entire endpoint estate are a must to get a handle on mounting cyber risk.



A Tangled Web

The software supply chain goes way beyond just the code produced by commercial vendors and open-source contributors. It could also include cloud service providers in the SaaS, PaaS and IaaS space, as well as suppliers and contractors for services like software development and data management.


These entities may have multiple partners, who, by association, also become part of the software supply chain. And any one of them may have privileged access to the data and IT systems of their client organizations. That exposes the latter to any vulnerabilities in the former. But because of the complexity of these environments, and the multi-layered relationships between each of the parties involved, a vulnerability or compromise is often only discovered after it’s too late.


We’ve already witnessed the potentially catastrophic impact of software supply chain compromise. In the proprietary world, threat actors took advantage of the trusted relationship between vendor and customer to facilitate the SolarWinds and Kaseya attacks — where malware was hidden in legitimate software updates. The former led to compromise and possible data theft from nine U.S. government agencies, while the latter infected at least 1,500 downstream customers with ransomware.



Shining a Light On Open Source

Organizations face an arguably even bigger threat from the pre-built open-source software that is increasingly used to accelerate time to market. It is estimated that global developers borrowed over two trillion open-source packages or components from third-party ecosystems last year, making the risk very real. According to one study, the average application development project contains 49 vulnerabilities spanning 80 direct dependencies. However, bugs in indirect or transitive dependencies can cause even more pain, as they are harder to spot. 40% of all vulnerabilities were found in these dependencies.
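The point about transitive dependencies is easiest to see in a dependency graph: a vulnerable package that no developer added directly is only found by walking the graph from each direct dependency. The following added example (not code from the article, Optiv or Tanium) does that walk over a small, constructed dependency graph with fictitious package names and reports, for each vulnerable package reached, whether it is a direct dependency or which direct dependency pulls it in.

```python
from collections import deque

# Constructed sample graph: {package: [packages it depends on]}.
# Names are fictitious; "log-core" stands in for a vulnerable library that
# the application never declares directly.
GRAPH = {
    "web-framework": ["http-core", "logging-facade"],
    "logging-facade": ["log-api"],
    "report-gen": ["pdf-render"],
    "pdf-render": ["log-core"],
    "log-core": ["log-api"],
}

# Direct dependencies declared by the application (the only ones a
# developer sees in the build file), and the packages a feed marks vulnerable.
DIRECT_DEPS = ["web-framework", "report-gen", "image-lib"]
VULNERABLE = {"log-core", "image-lib"}


def find_vulnerable_paths(graph, direct_deps, vulnerable):
    """Breadth-first walk from every direct dependency.

    Returns {vulnerable_package: [direct_dep, ..., vulnerable_package]},
    i.e. the first (shortest) chain through which each vulnerable package
    is reachable. Packages not reachable from any direct dependency are not
    in the application at all and are therefore not reported.
    """
    paths = {}
    for root in direct_deps:
        queue = deque([[root]])
        seen = {root}
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in vulnerable and node not in paths:
                paths[node] = path
            for dep in graph.get(node, ()):
                if dep not in seen:  # each package visited once per root
                    seen.add(dep)
                    queue.append(path + [dep])
    return paths


def summarize(paths):
    """Render each finding as one line, labelling direct vs transitive."""
    lines = []
    for pkg, path in sorted(paths.items()):
        if len(path) == 1:
            lines.append(f"{pkg}: direct dependency")
        else:
            lines.append(f"{pkg}: transitive via {' -> '.join(path)}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_vulnerable_paths(GRAPH, DIRECT_DEPS, VULNERABLE)):
        print(line)
```

Run as written, the walk reports `image-lib` as a direct dependency and `log-core` as a transitive one reached only through `report-gen -> pdf-render`, which is exactly the kind of finding a flat list of declared dependencies would miss.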


Look no further than Log4Shell to see how damaging open-source bugs like this can be. If security and operations teams can’t find every instance of a piece of vulnerable software in their endpoint estate because it’s hidden in a “Russian doll” of compressed files and transitive dependencies, they will remain exposed to compromise. Open-source use greatly increases the digital attack surface of many organizations. More concerning still, cases of hackers proactively inserting vulnerabilities into upstream open-source projects soared by 650% year-on-year in 2021.
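The “Russian doll” problem is concrete: a Java application is typically an EAR or WAR archive that contains JARs, each of which is itself a zip file and may contain further JARs. A scanner that only lists top-level files never sees the vulnerable library. The following added example (not code from the article, Optiv or Tanium) recursively opens zip-based archives in memory and reports every nested path at which a marker file appears. It assumes the marker `org/apache/logging/log4j/core/lookup/JndiLookup.class`, the class path responders commonly searched for during Log4Shell, which the article itself does not name; the three-layer sample archive it scans is constructed inline.

```python
import io
import os
import zipfile

# Assumed marker: the class path inside Log4j 2.x JARs that Log4Shell
# responders searched for. Any other indicator path can be passed instead.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, path, marker=MARKER, depth=0, max_depth=10):
    """Recursively walk a zip-based archive held in memory.

    Returns the list of "outer!/inner!/..." paths at which `marker` was
    found. Nested archives are read into memory rather than extracted, and
    `max_depth` bounds recursion on pathologically nested inputs.
    """
    hits = []
    if depth > max_depth:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container; nothing to descend into
    with zf:
        for name in zf.namelist():
            if name == marker:
                hits.append(f"{path}!/{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive(zf.read(name), f"{path}!/{name}",
                                         marker, depth + 1, max_depth))
    return hits


def scan_directory(root, marker=MARKER):
    """Walk a directory tree and scan every archive found on disk."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    hits.extend(scan_archive(f.read(), full, marker))
    return hits


def make_zip(entries):
    """Build a zip archive in memory from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed sample: a library carrying the marker three layers deep
    (EAR -> WAR -> JAR), next to a clean library in the same WAR."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic, stands in for bytecode
    log4j_jar = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                          MARKER: fake_class})
    clean_jar = make_zip({"com/example/Util.class": fake_class})
    war = make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": log4j_jar,
                    "WEB-INF/lib/util.jar": clean_jar})
    return make_zip({"app.war": war})


if __name__ == "__main__":
    for hit in scan_archive(build_sample(), "bundle.ear"):
        print(hit)
```

`scan_directory` is what you would point at a deployment root; `build_sample` exists only so the block runs offline. Reporting the full nested path matters in practice, because remediation means knowing which outer artifact to rebuild or replace, not just that a vulnerable class exists somewhere on the host.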



Taking Back Control

The challenge for these IT teams is to understand which applications are running across their expansive endpoint estates at any given time, and which components are used inside those apps. They need to be able to scan continuously for vulnerabilities and misconfigurations, which could expose the organization to compromise. They need to be able to find and remediate rapidly as soon as new bugs are discovered. Without platforms like Tanium, they will remain on the back foot. Time to patch for most organizations remains significantly longer than time to exploit.


To get back on the front foot against software supply chain risk, consider the following:


Understand the supply chain: That means all code, files, components and other materials that helped to create the software you’re running in the enterprise, as well as who created them and how well they were scanned for bugs and threats.


Test it regularly: Run vulnerability scans and penetration tests to identify and fix security issues like misconfigurations, poor access policies and software bugs that hackers could exploit.


Adopt strong vendor risk management processes: Conduct continual risk assessments to classify vendors, monitor their performance over time, and ensure any security gaps in their posture are closed promptly.


Consider air gaps: For highly sensitive IT assets, it may be best to disconnect them from the public-facing internet completely to reduce the risk of remote compromise.


Both the software supply chain and the endpoint estate continue to expand and grow in complexity. Organizations must regain control to minimize cyber risk. That should start with gaining visibility into all assets and finding and fixing problems at speed and scale.

Tim Morris
Financial Services Strategist | Tanium
Tim joined Tanium in May 2021, after retiring from Wells Fargo, where he spent 21 years. He led the Cyber Threat Engineering and Research teams within Information & Cyber Security for the bank.

Tim has worked with almost every facet of computer and network technologies. Concentration has been with endpoint detection & response, systems & patch management, and vulnerability assessment. He has built teams that manage: endpoint security, platform engineering, incident response, digital forensics, and offensive security, i.e., "red team".

Tim was first introduced to Tanium in 2008. However, he didn't begin working with it fully until 2013. Tim was privileged to have the opportunity to be one of the first to deploy & manage Tanium at a large scale on 500K endpoints. At the same time, he was able to build one of the best cyber security engineering teams in the industry. Their effectiveness and efficiency were due in large part to Tanium - The best incident response and system management tool in the industry.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit