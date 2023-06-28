By Eric Sheridan

Software development is happening faster than ever due to the adoption of cloud-native applications and infrastructures—developers may go from code to cloud in a matter of hours, if not minutes. However, despite increasing awareness of the value of shifting security practices and protocols further left in the development cycle, there is often no comprehensive security approach that covers the entire software supply chain. When teams do not agree on what the software supply chain even is, security teams tend to focus on one area and miss other critical ones. By better understanding the components and processes that go into each step of the software supply chain, security teams can build more effective approaches that keep vulnerabilities out of the end product passed along to customers. This starts with knowing what software supply chain security is, and why it matters.

WHAT IS SOFTWARE SUPPLY CHAIN SECURITY, REALLY?


When we think about supply chains, we probably picture a manufacturing supply chain: sourcing raw materials, shipping them to a factory, assembling the parts, and then sending the final product—a car, an airplane, a computer—out to customers. The software supply chain is essentially the same idea applied to the creation of software. It encompasses all the people, processes, and technologies used to write, build, test, deploy, operate, and consume software. Just as in other supply chains, developers take raw materials in the form of code, assemble the components, and deploy the product for customer use. Software supply chain security, then, is about establishing the authenticity and integrity of everything that goes into creating software in a way that consumers themselves can verify. This means addressing risk at each step of the SDLC so that every aspect of the final product can be verifiably traced back to its authors and shown to be free of vulnerabilities that could be exploited.

Some of the biggest security incidents in recent years were caused by attackers exploiting vulnerabilities in third-party software. The SolarWinds attack was perpetrated through third-party software, as was the Log4Shell incident. Toyota also experienced a breach this year due to a ransomware attack on a supplier. In 2021, an attack on Morley Companies exposed the information of individuals at a number of Fortune 500 companies, and in 2022, Okta was hit by an attack through a subcontractor that provided customer support services. It is expected that by 2025, 45% of organizations will experience an attack directed at vulnerabilities in the software that they use. Yet only 42% of organizations say that managing outsourced relationship risk is a priority, and only 40% say their policies around using third-party software are sufficient to prevent a data breach. Comprehensive security therefore needs to be addressed while products are being developed—or else your software and your customers will remain exposed to risk and attack.

WHY IT’S CRITICAL TO PRIORITIZE YOUR APPROACH TO SOFTWARE SUPPLY CHAIN SECURITY

Here are three reasons why this is critical to your operations.

1. Third-Party Components Can Introduce Risk


Software today is largely assembled from third-party components that other people wrote, most of which are open source. When you elect to use a third-party component, you inherit its licensing requirements and its associated risks. If 70% to 90% of your app consists of third-party components—which seems to be the industry average—then you are effectively outsourcing a significant amount of development to people who do not report to you, do not follow your security practices, and have no obligation to respond to your requests for changes and support. Security teams therefore need effective means of enforcing security and keeping their products safe while relying on third-party components they did not create.

2. Open-Source Activist Movements Can Introduce Risk

An increasing number of activists among open-source developers are carrying out their movements—political activism, social justice, and push-back against the mistreatment of people—through their third-party components, introducing not just risk but unwanted political messaging. For example, the “peacenotwar” third-party component contained undocumented code and behaviors such that, when it was included in your app, your app would create a file on the user’s desktop with a political message. Other examples include the “faker” third-party component, downloaded 2.8 million times a week, and the “colors” third-party component, downloaded 20 million times a week. In response to a perceived mistreatment of open-source developers and their community, the owners of these third-party components introduced malicious code that caused apps to get caught in an infinite loop and ultimately crash—effectively a denial of service. This stresses the need for security teams to view third-party components in the same light as we view malware, ransomware, viruses, and trojans in the endpoint security world.

3. Accountability To Customers

Another reason securing your software supply chain is critical is that your customers are going to ask you, “What are you doing to secure your software supply chain?” With attacks like SolarWinds and Log4Shell on their minds, security teams and software vendors are now scrutinizing their own supply chains to try to prevent these scenarios from happening to them. There is a trickle-down effect here that will ultimately result in your customers asking what you are doing with respect to software supply chain security, because software supply chain vulnerabilities can be exploited to move laterally not only within an organization but also across organizational boundaries.

BETTER PRODUCT PROTECTION TODAY