Exclusive article from Synopsys: Eliminating weak links in the software supply chain
Cybercriminals are always looking for new ways into a company’s network, whether to steal data or to damage the target. The supply chain is an attractive place to look for such holes, because a weakness in any partner or component can open a way in.
Cooperation, communication, and exchange with other parties (suppliers, resellers, or customers) are mandatory elements of a supply chain, and every such relationship is a potential entry point for an attacker. This applies not only to the technical side, where attackers look for vulnerabilities in software, but also to the social side of the supply chain, where people themselves are the attack vector.
Let’s take the software supply chain as an example. Software is an integral part of almost every company. Additionally, software is present in many different parts of every company. It exists in operating systems, browsers, and email clients. Software also comes with the hardware that companies use in production (e.g., AI-driven robotic machines) and the hardware IT services use to provide the company’s security mechanisms (e.g., firewalls and networking appliances with real-time analysis capabilities where, again, AI plays a big role). Such software products are potential weak links that an attacker can use to breach a company, circumventing its protection mechanisms.
Companies usually deal with this risk by not allowing critical machines to connect to open networks, which minimises the risk of an internet-based attack. In addition, firms should buy software and hardware only from trusted vendors and should perform a compliance check before purchase. It is also critical to educate employees (and in some cases suppliers and customers as well) on the risks of using the software and on the protective measures they can take.
Even though this already seems to be a known and well-established process, I still see areas in which organisations do not follow such best practices as closely as they should, if at all. I usually see the largest disconnect in areas relating to software development—areas in which the company is creating software for internal or external use.
Organisations also need to follow security standards to ensure they provide customers with stable and reliable software. The question then becomes how to make sure the development teams actually follow this process and how to enforce it. This is where the security problem persists: software development is where the most loopholes tend to remain.
For example, imagine where software development was a few years ago and where it is today. In the past, it was normal to develop your own proprietary code completely in-house. You may have had external partnerships with companies that developed certain functionalities, but those cases were rare and could be easily controlled. Today we use a mix of proprietary code and open source software in which the usage of open source can reach 97 percent.
Even though the development landscape has changed, we still need to achieve and maintain the same level of security. Development has also moved over the years from a waterfall approach to agile, and on top of that come methodologies such as DevOps combined with newer technologies (e.g., containers). The result is a real problem: how to spend effort and resources efficiently to minimise the risk of a breach through planning, vigilance, and an accurate picture of the software we are developing and of the components used to develop it.
Don’t let this discourage your use of open source or exploration of new technologies. You will not solve the problems by closing your doors and working in isolation. Your company will lose not only the velocity required to be constantly evolving in the modern age, but also the competitive edge that progressive technologies and open source can bring you.
Cloud computing has advanced the way companies operate today. It has opened possibilities for better cooperation internally and externally, higher scalability, increased responsiveness, and lower costs, and it gives organisations the potential to be more competitive in the market. The use of open source components brought speed and agility to parts of development that were previously unavailable to some companies, or out of reach owing to missing knowledge and focus. Open source software is now integrated even into industrial hardware such as welding machines, where technologies like AI and ML are used for performance and usability.
Do not fear change. Accept it, embrace it, and find a way to infuse it into the required planning, vigilance, and information you need to follow the software development process and its supply chain. Implement a strategy to identify untrustworthy source code, no matter whether you’re dealing with proprietary code, the code of your suppliers, or open source code.
Source code can be complex. Bugs, reliability concerns, and security issues are nothing unusual. If you expect them, you can find a way to identify them and remove them. Therefore, you need a vulnerability remediation strategy throughout the process, from the development stage through the software’s release. Note that the work does not end at release: vulnerabilities in third-party components are disclosed long after you ship, so you must know which components each release contains and keep checking them. The crucial takeaway here is that you must take security seriously and integrate it into every step of your development process.
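As an added illustration (this is example code written for this page, not code from the article or from Synopsys), the following Python script shows the smallest useful form of such a check over a build’s component inventory: every third-party artifact must match the digest recorded when it was reviewed, components that were never reviewed are flagged, and name/version pairs are matched against a list of known-vulnerable versions. All package names, versions, digests and advisory identifiers below are constructed sample data, not real packages or real advisories.

```python
"""Minimal software-composition check for a dependency inventory.

Added example (not from the original article). Every package name,
version, digest and advisory here is constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    sha256: str  # digest of the artifact actually fetched into the build


@dataclass(frozen=True)
class Advisory:
    name: str
    fixed_in: tuple  # first version (as a tuple) that carries the fix
    ident: str       # hypothetical advisory identifier


# --- constructed sample data ------------------------------------------------

# Bytes of the artifacts a reviewer approved, keyed by "name==version".
# In practice you keep only the digest, recorded in the lockfile at review time.
REVIEWED_ARTIFACTS = {
    "libparse==1.4.2": b"libparse 1.4.2 source tarball (constructed)",
    "netkit==2.0.1": b"netkit 2.0.1 wheel (constructed)",
    "fastjson==0.9.0": b"fastjson 0.9.0 source tarball (constructed)",
}
TRUSTED_DIGESTS = {k: hashlib.sha256(v).hexdigest() for k, v in REVIEWED_ARTIFACTS.items()}

# Hypothetical advisory: fastjson versions below 1.0.0 are affected.
ADVISORIES = [Advisory("fastjson", (1, 0, 0), "EXAMPLE-2021-0001")]

# What the build actually resolved. netkit's digest differs from the reviewed
# one (simulating a substituted artifact); tinylog was never reviewed at all.
BUILD_INVENTORY = """
# name==version sha256=<digest of fetched artifact>
libparse==1.4.2 sha256={libparse}
netkit==2.0.1 sha256={netkit_bad}
fastjson==0.9.0 sha256={fastjson}
tinylog==3.1.0 sha256={tinylog}
""".format(
    libparse=TRUSTED_DIGESTS["libparse==1.4.2"],
    netkit_bad=hashlib.sha256(b"netkit 2.0.1 wheel (tampered)").hexdigest(),
    fastjson=TRUSTED_DIGESTS["fastjson==0.9.0"],
    tinylog=hashlib.sha256(b"tinylog 3.1.0 (constructed)").hexdigest(),
)


def parse_version(v):
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_inventory(text):
    """Parse 'name==version sha256=<hex>' lines; '#' lines and blanks are skipped."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, digest = line.split()
        name, version = spec.split("==")
        comps.append(Component(name, version, digest.split("=", 1)[1]))
    return comps


def check(components, trusted=TRUSTED_DIGESTS, advisories=ADVISORIES):
    """Return a list of (name, version, reason) findings; an empty list means clean."""
    findings = []
    for c in components:
        key = f"{c.name}=={c.version}"
        expected = trusted.get(key)
        if expected is None:
            findings.append((c.name, c.version, "not in reviewed allowlist"))
        elif expected != c.sha256:
            findings.append((c.name, c.version, "artifact digest differs from reviewed digest"))
        for adv in advisories:
            if adv.name == c.name and parse_version(c.version) < adv.fixed_in:
                fixed = ".".join(str(p) for p in adv.fixed_in)
                findings.append((c.name, c.version, f"known vulnerable: {adv.ident} (fixed in {fixed})"))
    return findings


if __name__ == "__main__":
    for name, version, reason in check(parse_inventory(BUILD_INVENTORY)):
        print(f"{name}=={version}: {reason}")
```

Run as-is, the script reports the substituted netkit artifact, the unreviewed tinylog component and the vulnerable fastjson version, and stays silent about libparse. The digest comparison is what catches a component that was swapped between review and build; the allowlist check catches anything a developer added without review; the advisory match is the part that has to be re-run after release, against an advisory feed rather than a hard-coded list.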
When you eliminate the weak links in your supply chain and prevent attackers from circumventing the security controls and processes in place, you make it much harder for cybercriminals to reach your valuables, and you keep your company, partners, and customers safe. This is how you earn their trust, and in the end, that is what matters most.