Recent attacks on Software Supply Chains have resulted in massive impacts on industry and institutions causing damage and loss of intellectual property on a global scale.
Vendors and operators in software supply chains are attractive targets for cyber criminals as a way to infiltrate end user organizations on a large scale.
One of the recent examples of this, the SolarWinds Incident, demonstrated that even large software vendors with a strong cybersecurity background can be compromised, and that most organizations – including Fortune 500 companies and several US federal agencies – simply trust the software they procure and use without verifying its security.
This means that organizations really need a defined approach to ensuring software security. Providers of commercial off the shelf software and custom software, as well as internal development teams need to follow Secure Development Lifecycles to ensure software is secure from the very start. In addition, organizations need to have processes in place to ensure that all software that is procured is secure. The goal should be to have security assurances for all types of software, including commercial and custom software, cloud-based software services, and software embedded in printers, cameras, smartphones, and other devices and things.
One way of approaching this problem is to apply the principles of supply chain risk management to software and IT services. This approach, commonly known as Cyber Supply Chain Risk Management (C-SCRM) looks at the risks in terms of reliability of supply chains as well the potential risks due to misconduct by suppliers and quality issues.
However, because incidents like the SolarWinds attack demonstrate that organizations can no longer have blind faith in software, and because C-SCRM does not identify whether software contains malware or flaws that can be exploited by cyber criminals, KuppingerCole believes it is necessary to go even further and apply the principle of Zero Trust. This requires that no software is used without first validating its integrity and security by using static and dynamic code vulnerability analysis among other checks. KuppingerCole has also developed the concept of Secure Operations & Development of Agile Services (SODAS) to help address the security shortcomings of in-house software development.
Addressing software security is one of the key topics at KuppingerCole’s 2021 Cyber Security Leadership Summit (CSLS) taking place this week, with a presentation today entitled: Cybersecurity in the Software Supply Chain, that looks at the methods used in attacks on software supply chains and how to mitigate the risks.
Supply chain risk is also a topic for one of the exclusive on-site only CISO roundtable discussions at CSLS, with a session entitled: Sophisticated Supply Chain Attacks: How Can We Protect Ourselves?
We must extend the Zero Trust paradigm beyond networks, security systems, and identities and apply it to all types of software. Don’t trust software, period.
— Martin Kuppinger, Principal Analyst, KuppingerCole.
Because we understand how important it is to have a secure software supply chain, and because we are committed to helping your business succeed, KuppingerCole has a range of content available in a variety of formats.
As mentioned above, KuppingerCole advocates applying the principle of Zero Trust to software. For a brief explanation of how to apply Zero Trust to software procurement, have a look at this blog post entitled: The Next Level of Zero Trust: Software Security and Cyber Supply Chain Risk Management, and for another perspective on Zero Trust and software security, have a look at this blog post The Non-Zero Elements of Zero Trust.
Prior to the discovery of the SolarWinds hack, there have been other warnings about the need to introduce C-SCRM, such as the revelation that the German Secret Service and its US counterpart, the CIA, secretly took over a leading crypto manufacturer supplying diplomatic, military and secret services of more than 120 countries worldwide and weakened its algorithms in a way that they were able to decrypt messages without a proper key, prompting this blog post on Why C-SCRM Is Becoming so Essential for Your Digital Business.
Security in the software development process in-house is at the core of the DevSecOps concept, but while this is often discussed, it is seldom implemented, commonly leading to the sub-optimal implementation of security in code, failure to deliver security by design and default, and the lack of consistent Security API layers.
To address these and other shortcomings, KuppingerCole has developed the concept of Secure Operation & Development of Agile Services (SODAS). For an introduction and overview of the SODAS concept, have a look at this blog post on Making DevSecOps a Reality and Going Beyond.
If you would like to listen to what our analysts have to say on this topic, have a look at this presentation on the Necessary Components of Effective Cyber Supply Chain Risk Management to find out more about C-SCRM.
If you would like a summary of the ways the Zero Trust principle can be applied to the software, listen to these Analyst Chats on Post-SolarWinds Software Security Strategies and Applying The Zero Trust Principle To The Software Supply Chain.
Further information about the SODAS concept referenced above can be found 14 minutes into this wider presentation on Multi-Cloud Multi-Hybrid IT: How to Make your Digital Business Fly, the opening keynote at EIC 2021.
The topic of the SolarWinds hack is referenced in this webinar on Effective Endpoint Security With Automatic Detection and Response Solutions and in this discussion on How Can Privileged Access Management Help in Securing the Enterprise?
Software supply security is not only about software products, but can involve individual components of software, such as the application program interfaces (APIs), upon which business interactions increasingly rely.
APIs have become a crucial factor in delivering operational efficiency, scalability and profitability for most businesses, and to read more about the context in which API security can be impacted by supply chain attacks, have a look at this Whitepaper on The Dark Side of the API Economy.
Organizations investing in technologies to support greater software supply chain security, can have a look at some of the related technology solutions that we have evaluated: