Blindly Trusting Software Dependencies is the Opposite of Zero Trust
Trust should be earned, yet, too often, we place our trust blindly.
Software is one such example. Attacks like SolarWinds, and the vulnerability discovered in the Log4j open source library should serve as the wake-up call for developers that the software supply chain is vulnerable.
There are too many players in the open source supply chain, which has become
increasingly interconnected and complex, and attackers are scarily good at finding
openings in the nooks and crannies.
Zero trust says no more. The principle of never trust, always verify, treats every user and every device as a potential threat. If you want to become a true zero-trust organization, your security teams must manage their software dependencies the same way.
In Supply Chains, We Cannot Trust
Studies show many are still ignoring the very real possibility that not all third-party
providers in the software supply chain are doing their due diligence — and aren’t
treating the risk of breaches as a big concern. That needs to change. Pronto. Time and
again it’s been shown that people are a weak link, and so too, are the systems we build with code that may or may not contain vulnerabilities.
It’s a critical time to consider zero trust with more data being stored in the cloud and
countless remote workers logging onto corporate networks from home. McKinsey
is projecting the zero-trust security sector will reach $51.6 billion in 2026, compared
with $19.6 billion in 2020.
The factors driving the market are the rise in cyberattacks and more regulations to
protect data and information security. The European Union Agency for CyberSecurity
is predicting that supply chain attacks will be four times greater in 2021 than in 2020.
The complexity of these attacks demands new protective methods that incorporate
suppliers into the mix to ensure that organizations remain secure, the ENISA said.
Vendors Need Greater Security Scrutiny
With that in mind, stop making assumptions and protect what is within your control.
Vet your software suppliers and vendors and define security standards that they need to adhere to.
Start with a Dynamic SBOM, which provides a definitive record of the components used to build a software product, including open-source software. Because it is dynamic, it can be constantly updated and changed.
When selecting software, don’t base the decision on cost and functionality alone. A
vendor’s security posture should be a top consideration.
It is also important to know whether a supplier has disclosed past security breaches,
what steps they take to mitigate risks in their code and whether the supplier can
demonstrate their commitment to security best practices with audit reports.
Further, scan open source software for known vulnerabilities and remediate with
Don’t forget about your internal data – encrypt it with the Advanced Encryption
Standard (AES) algorithm. It’s used by the U.S. government—if it’s good enough for
federal agencies, it should be good enough for your business.
Robust zero trust is implemented through the use of tools and techniques such as multi-factor authentication and identity and access management (IAM), and by hardening the network through micro-segmentation, endpoint security and least privilege controls.
Everyone operates under time pressures and speed to market. But it is no longer viable to cut corners and think if you’re doing something, your software supply chain won’t be a target. Trust us on that.
Ensure Your Software Supply Chain is Secure with Rezilion
At Rezilion, we believe the future of vulnerability is about solving vulnerabilities, not just uncovering them. Our holistic approach to vulnerability management is a complete answer to the complexities of security in the software stack. Rezilion’s full platform is available now, free for 30 days, with a dynamic Software Bill of Materials (SBOM) in CI. Get started today at www.rezilion.com/get-started.