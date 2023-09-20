BY Eric Sheridan4 minute read

Organizations that build and deploy products and applications know security needs to play a role in development. But too often, security isn’t integrated soon enough in the development cycle, or engineers are simply deploying too quickly for there to be adequate risk assessment. With malicious attacks on software supply chains increasing 742% since 2019, there are more steps that need to be taken to make sure products are free from vulnerabilities, from code to cloud. Today, ProdSec and AppSec teams are moving toward a more comprehensive approach to security that includes integrating software supply chain security strategies into development from the beginning. But there’s still more work to do in order to build products that are safe and reduce risk for your customers.

WHAT IS SOFTWARE SUPPLY CHAIN SECURITY? All software is built and begins as base code that developers use to create software products. Just as manufacturing has its supply chain that gathers raw materials, constructs them into a product, and ships the product, software has its own supply chain, too. The software supply chain encompasses all the people, processes, and technologies used to write, build, test, deploy, operate, and consume software. Just as manufacturing companies would secure their raw materials and products at each step of their supply chain, so should software developers secure each step of the software development life cycle. Therefore, software supply chain security is all about verifying the authenticity and integrity of everything that goes into creating software in a way that is verifiable by consumers.

One of the biggest reasons for increasing diligence around the software supply chain is that most software today is largely composed of third-party components, not code created from scratch. By using someone else’s code, you’re introducing all the risk that they may have embedded, from code that’s poorly written to undocumented protestware. That’s why software supply chain security needs to cover a product’s raw materials. THE CURRENT STATE OF SOFTWARE SUPPLY CHAIN SECURITY What is the current state of software supply chain security? Are organizations making sweeping changes in how their products are secured, or is this just the beginning of greater awareness around the concept?

In recent years, a number of security-conscious individuals have begun bringing these risks to everyone’s attention. Additionally, the White House has been seeking change through the adoption of a Software Bill of Materials, and a slew of new software vendors are touting their ability to make delivering SBOMs easier for businesses. However, some of the biggest tech vendors, including Amazon, Microsoft, and Apple, have pushed back on mandates to produce SBOMs because of some of the bigger questions that arise with SBOM usage. What is someone expected to do with an SBOM once they receive it? What processes are in place to ingest SBOMs? Are the SBOMs being produced today accurate? How would we know? There are still a number of questions to answer as software supply chain security evolves.

FIVE PREDICTIONS FOR THE FUTURE OF THE SOFTWARE SUPPLY CHAIN There is a lot of momentum behind software supply chain security, but the market needs more time to mature before taking meaningful actions that produce high-confidence results. However, here are five predictions on where the market will go as software supply chain security becomes a more prominent focus of product teams. 1. SBOMS, SBOMS, SBOMS EVERYWHERE!

As mentioned above, there’s a shift toward requiring engineers to produce SBOMs, or an inventory of the components of their software, that can help improve visibility into how that product was made and where its components came from. As we move forward, I predict there will be ample tooling on generating SBOMs, but we’re only at the beginning of understanding the people, processes, and technologies needed to efficiently consume and act on them. 2. REQUIRING ATTESTATION IN CONTRACTS In order for organizations that use third-party software to have a way to ensure their safety, attestation as to the security of your software supply chain could become a contractual requirement in doing business—and complying with an industry-recognized standard such as the SLSA Framework could be just as common tomorrow as SOC 2 compliance is today. Considering that 63% of organizations have no centralized control over third-party relationships, more transparency at the contract stage should help all parties.

3. INVENTORY WITH DEEP ENVIRONMENTAL AND ORGANIZATIONAL CONTEXT Security teams must have the ability to automatically inventory all assets within the software supply chain, with context. This is key to scalability, making informed decisions about risk, and gaining a better understanding of everything you’re seeking to protect. Those who are unable to automate and provide such context may be left behind in a measurable way, as other vendors or teams could bring in the tooling and capabilities to provide those insights. 4. EMERGENCE OF TARGETED DISCIPLINES

As its importance evolves, I predict software supply chain security will be broken up into several more targeted disciplines. There are too many moving parts within the supply chain for it to be addressed by a single type of tool, platform, or even consultancy. Maturity models like SLSA can help tie it all together, but individual practice areas will arise with a deeper level of subject matter expertise required. 5. CHIEF PRODUCT OFFICER WILL OVERSEE Software supply chain security could become a responsibility of the chief product officer under the context of “product security.” In fact, I predict the terms “supply chain security” and “application security” (and, of course, “software security”) will all merge together under the formally recognized discipline of “product security.” Ultimately, “security” will no longer be a separate entity from the product organization. Instead, it will report to the product organization directly.