HPE: Protecting Supply Chain Software from Security Attacks

HPE reveals how it’s helping its customers build resilience from edge to cloud
Nearly two-thirds of security professionals have been hit by supply chain software attacks, as HPE reveals how it’s helping its customers build resilience

Research from Checkmarx has found that 63% of security professionals from the US, Europe and Asia-Pacific have been victims of supply chain software attacks over the last two years. 

Meanwhile, HPE outlines its supply chain security innovation, aiming to enhance its customers’ “trust and resilience, from edge to cloud.” 


Supply chain software attacks spark concern

Checkmarx’s research found 56% of respondents indicated their organisational applications include open source code packages, with 75% expressing significant concern about the security of their software supply chains.

Nearly 60% of respondents described supply chain software as a priority, whilst 54% are planning to use, or investigating the use of, a solution. 

The report also reveals that although AppSec leaders are increasingly prioritising supply chain software security, their progress remains slow. 

“We have seen more attacks on the open source ecosystem in the last two years than ever before with over 385,000 malicious packages detected to date by our own Checkmarx security research team,” says Amit Daniel, Chief Marketing Officer at Checkmarx.


HPE responds to evolving threats

In response to these rising security threats, HPE created a new set of practices to ensure its software is developed to withstand any threats. 

These include:
  • Architectural risk analysis and threat modelling to identify, quantify, and address the security risks associated with an application.
  • Reducing attack surfaces and utilising secure development best practices during software design and development.
  • Static code analysis to confirm the application is free of malicious code on an ongoing basis.
  • Security testing from the inside-out, conducted on all HPE software and firmware, including unit testing, solution-level integration testing, penetration testing, and vulnerability scanning.
  • Regular training for the company’s employees and software vendors on secure software development policies and requirements.

“Providing more secure products and services to our customers and helping to enable their secure operations is our priority,” adds Niysaan Vlasak, VP of Engineering and Enablement Operations at HPE.


“We believe that constantly strengthening, improving, and maintaining a more cyber resilient and secure supply chain environment is of essential value to our customers, thereby strengthening their supply chains and daily business operations.

“We will continue to invest in mitigating cybersecurity threats that may impact our products and services throughout the value chain, and we are committed to creating innovative solutions to ensure that our supply chain is more secure, resilient, and transparent.”

In addition to these measures at a development level, HPE also protects its customers through its supply chain operations: 

  • It maintains stringent factory controls, including access controls and physical security procedures, to prevent unauthorised access to the supply chain. 
  • Secure factory transmissions are established for HPE-developed and third-party applications: software is transmitted through secure channels, hosted in a secure environment, and continually virus-scanned with automatic updates on regularly patched systems.
  • The number of its software build environments has been reduced to help minimise the opportunity for infiltration. 
  • Quarterly assessments of the company’s software suppliers are conducted to ensure adherence to HPE security policies and requirements. 
  • Software bills of materials (SBOMs) are created and maintained with secure system tools throughout the product life cycle. 
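The SBOM and provenance practices listed above are the consumer-side counterpart of what HPE describes: a customer can only benefit from a maintained SBOM if they actually check the delivered artifacts against it. The following is an added example, not HPE code or a real HPE SBOM, and it assumes a simplified CycloneDX-inspired JSON shape (a `hashes` object keyed by algorithm rather than CycloneDX’s list of `{alg, content}` entries). It builds a few constructed artifacts in a temporary directory, verifies each SBOM component’s recorded SHA-256 against the file on disk, and separately flags components with no recorded hash (no provenance), components whose artifact is absent, and components on a constructed denylist of known-malicious package names.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sbom(sbom: dict, artifact_dir: Path, denylist: set[str]) -> dict[str, list[str]]:
    """Classify every SBOM component by whether the delivered artifact matches its record."""
    findings: dict[str, list[str]] = {
        "ok": [], "hash_mismatch": [], "missing_provenance": [],
        "missing_artifact": [], "denylisted": [],
    }
    for comp in sbom.get("components", []):
        ident = f"{comp['name']}@{comp['version']}"
        if comp["name"] in denylist:          # known-malicious package name: never trust, whatever the hash
            findings["denylisted"].append(ident)
            continue
        expected = (comp.get("hashes") or {}).get("SHA-256")
        if not expected:                      # no hash recorded: the SBOM gives no provenance to verify
            findings["missing_provenance"].append(ident)
            continue
        artifact = artifact_dir / comp["file"]
        if not artifact.is_file():            # SBOM lists something that was never delivered
            findings["missing_artifact"].append(ident)
            continue
        if sha256_of(artifact).lower() != expected.lower():
            findings["hash_mismatch"].append(ident)   # artifact changed after the SBOM was produced
        else:
            findings["ok"].append(ident)
    return findings


def release_gate(findings: dict[str, list[str]]) -> bool:
    """True only when every component verified cleanly; any other category blocks the release."""
    return all(not items for category, items in findings.items() if category != "ok")


# Constructed stand-in for a feed of malicious package names (assumption; not a real feed).
DENYLIST = {"evil-helper"}


def build_demo(tmp: Path) -> dict:
    """Write constructed artifacts and return a constructed SBOM describing them."""
    artifacts = {
        "libgood-1.2.3.tar.gz": b"constructed archive that matches its SBOM record",
        "libtampered-4.5.6.tar.gz": b"constructed archive altered after the SBOM was produced",
        "libunhashed-0.1.0.whl": b"constructed artifact recorded without any hash",
    }
    for name, data in artifacts.items():
        (tmp / name).write_bytes(data)
    return {
        "bomFormat": "CycloneDX-like (constructed, simplified)",
        "components": [
            {"name": "libgood", "version": "1.2.3", "file": "libgood-1.2.3.tar.gz",
             "hashes": {"SHA-256": sha256_of(tmp / "libgood-1.2.3.tar.gz")}},
            {"name": "libtampered", "version": "4.5.6", "file": "libtampered-4.5.6.tar.gz",
             "hashes": {"SHA-256": hashlib.sha256(b"original bytes before tampering").hexdigest()}},
            {"name": "libunhashed", "version": "0.1.0", "file": "libunhashed-0.1.0.whl",
             "hashes": {}},
            {"name": "libmissing", "version": "9.9.9", "file": "libmissing-9.9.9.tar.gz",
             "hashes": {"SHA-256": "0" * 64}},
            {"name": "evil-helper", "version": "1.0.0", "file": "evil-helper-1.0.0.tar.gz",
             "hashes": {"SHA-256": "0" * 64}},
        ],
    }


def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        return verify_sbom(build_demo(tmp), tmp, DENYLIST)


if __name__ == "__main__":
    result = run_demo()
    for category, items in result.items():
        print(f"{category}: {items}")
    print("release allowed:", release_gate(result))
```

The point of separating the categories is that they call for different responses: a hash mismatch or a denylisted name is an incident, a missing hash is a gap in the supplier’s SBOM that a quarterly supplier assessment should pick up, and a missing artifact is usually a packaging error. The gate treats all of them as blocking, because a component that cannot be verified is exactly the weak link the article describes.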

Why are these threats rising?

HPE also highlights Cybersecurity Ventures’ research in the report, which estimates that, by 2025, software supply chain attacks will cost the global economy US$60bn, rising to US$138bn by 2031. 

HPE identifies that the rise in these supply chain security threats is due to the increasing, widespread availability of open-source software. 

This, combined with a lack of software provenance, has made software supply chains vulnerable to these cyberattacks.

Common attack pathways include compromised code signing, tampered software updates and malicious open-source code, all of which can lead to damaging consequences for supply chain software providers and their customers’ businesses.

“The complexity of supply chains, built on intricate digital connections, makes them an inherent security risk,” says Oseloka Obiora, CTO of RiverSafe. 


Oseloka concludes: “A supply chain is only as strong as its weakest link and if all parties aren’t monitoring and managing their security risks then each connection becomes vulnerable.”


Supply Chain Digital is a BizClik brand.
