October 16, 2023
There have been increasing concerns over software supply chain risks in the last couple of years. However, concern about software suppliers’ inadequate capabilities to build and deliver secure software isn’t new.
In the late 2000s, the U.S. Department of Homeland Security’s Build Security In initiative had a working group that I co-chaired on this topic. The intent of the working group — which included representatives from industry, academia and government — was to help acquirers buy software that was more resistant to attack, had fewer vulnerabilities and minimized operational risks to the greatest extent possible. Looking back on my 2007 presentation, you can see things haven’t changed much, though the use of open-source software (OSS) has exploded since then.
While cybersecurity practitioners like me tried to address software supply chain risks in the past, we honestly didn’t get much traction. What we lacked were significant, highly publicized, triggering events to motivate change in the software buyer’s behavior. That’s changed due to some significant supply chain-based attacks and zero-day vulnerabilities. A great example of why the issue can no longer be ignored is the SolarWinds Sunburst attack.
The SolarWinds attack was strategic. SolarWinds counted over 75% of the Fortune 1000 as customers, so the attack on a company like SolarWinds took out not only SolarWinds itself but also impacted the thousands of customers that used its system. It is one of the often overlooked software tools and systems that, if attacked, could have a major impact on an employee or client base.
So, how are decision makers reacting? Research from Pulse showed that 29% view securing their software supply chain as a very high priority, and 42% believe that OSS is the primary entry point for attackers.
This reuse of code has major benefits for the software industry, reducing development time and costs and allowing developers to add functionality faster. However, it also generates major vulnerability management problems because of the complex web of dependencies, which is often hard to track. If these software artifacts are consumed without proper security vetting, developers unintentionally introduce risks into their software.
As a result, developers can be unintentional insiders by consuming insecure OSS components or libraries. Vetting OSS with manual methods doesn’t scale to keep pace with development. You need transparency into what is being consumed and an automated method to assess the risk of those components. This enables development teams to continue to use OSS, but to do so safely and at the velocity they need.
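The transparency and automation described above, as an added example that is not part of the original post: a Python script that reads a constructed CycloneDX-style SBOM, walks the transitive dependency graph and, for each component matching a constructed advisory list (placeholder ids, not real advisories), reports the path back to the direct dependency a developer would actually need to update. The SBOM contents, component names and the `ADVISORIES` map are all assumptions built for this illustration.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM: one application depending on two libraries,
# one of which transitively pulls in a component listed in the constructed advisory feed.
SBOM_JSON = """{
  "components": [
    {"bom-ref": "pkg:npm/web-app@1.0.0", "name": "web-app", "version": "1.0.0"},
    {"bom-ref": "pkg:npm/http-client@2.3.1", "name": "http-client", "version": "2.3.1"},
    {"bom-ref": "pkg:npm/logger@4.0.2", "name": "logger", "version": "4.0.2"},
    {"bom-ref": "pkg:npm/json-parse@1.1.0", "name": "json-parse", "version": "1.1.0"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/web-app@1.0.0", "dependsOn": ["pkg:npm/http-client@2.3.1", "pkg:npm/logger@4.0.2"]},
    {"ref": "pkg:npm/http-client@2.3.1", "dependsOn": ["pkg:npm/json-parse@1.1.0"]},
    {"ref": "pkg:npm/logger@4.0.2", "dependsOn": []},
    {"ref": "pkg:npm/json-parse@1.1.0", "dependsOn": []}
  ]
}"""

# Constructed advisory feed: (name, affected version) -> placeholder advisory id.
ADVISORIES = {("json-parse", "1.1.0"): "ADVISORY-PLACEHOLDER-001"}

def find_vulnerable_paths(sbom_json, root_ref, advisories):
    """Breadth-first walk from the application root; returns one finding per
    reachable component that matches an advisory, with the shortest path to it."""
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    findings = []
    queue = deque([(root_ref, [root_ref])])
    seen = {root_ref}  # guards against dependency cycles
    while queue:
        ref, path = queue.popleft()
        comp = comps.get(ref)
        if comp and (comp["name"], comp["version"]) in advisories:
            findings.append({
                "component": ref,
                "advisory": advisories[(comp["name"], comp["version"])],
                "path": path,
                # The direct dependency is what the team can actually pin or replace.
                "direct_dependency": path[1] if len(path) > 1 else ref,
            })
        for child in graph.get(ref, []):
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [child]))
    return findings

if __name__ == "__main__":
    for f in find_vulnerable_paths(SBOM_JSON, "pkg:npm/web-app@1.0.0", ADVISORIES):
        print(f["advisory"], "->", " > ".join(f["path"]), "| fix via", f["direct_dependency"])
```

In a pipeline the SBOM would come from the build and the advisory map from a vulnerability feed; the traversal and reporting logic stay the same.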
External threats, like the Sunburst threat actor, intentionally inject malicious code into dependencies. The attacker targets a software supplier, but the attack affects the supplier’s customers.
A report by the European Union Agency for Cybersecurity formally defined four key characteristics present in a supply chain attack:
It’s understandable why securing software supply chains continues to be one of the trends driving application security.
Given the increase in intentional and unintentional threats to the supply chain, development management should establish governance practices that help ensure that software supplied to their customers isn’t a conduit for malicious or vulnerable code. Many organizations are establishing formal cyber supply chain risk management (C-SCRM) programs to manage and measure OSS component and software supply chain risks.
A new driver for creating C-SCRM programs is Rev5 of the U.S. FedRAMP program requirements. Rev5 calls for implementing a SCRM process that scrutinizes vendors and sources of hardware, software and firmware to ensure that counterfeit and adulterated products are not used in the cloud service provider’s (CSP’s) cloud system. I think we are going to see other regulatory bodies start pushing for greater risk management in software (and other) supply chains, so we need to be prepared.
Follow these links for more information on ways to understand and protect against supply chain attacks: