Products for Software Supply Chain Security
As CISOs and CSOs craft or broaden their software supply chain security programs, they will be faced with an overwhelming number of tools in a variety of categories. Even with product consolidation, it may be confusing to figure out what they need in their tech stack.
It’s no wonder: the software supply chain consists of code, configurations, proprietary and open source components, libraries, plugins, and container dependencies, most of which come from third-party providers. It also encompasses build orchestrators and tools such as assemblers, compilers, code analyzers and repositories, security, monitoring, and logging ops tools, as well as the people and processes around them.
It used to be that threat actors mainly targeted commonly known vulnerabilities in unpatched systems. While this tactic is still used, now they also proactively inject malicious code into products that are distributed throughout the global software supply chain. In the past few years, NIST notes, “these next-gen software supply chain compromises have significantly increased for both open source and commercial software products.”
The Pros and Cons of Open Source Code
Software dependencies are pervasive, and it’s not uncommon for projects to use hundreds of open source dependencies, an average of 203 per repository, none of which your developers wrote.
Industry studies have put the share of codebases containing open source code at 99%. When you haven’t written the code yourself, you control neither its development nor its release cadence nor its security practices, which is why vulnerabilities in third-party or open source dependencies create significant security risk.
If one of these dependencies has a vulnerability, there’s a good chance you have inherited it. Also troubling is that a dependency can change without a developer being aware, for example when a version range rather than an exact version is declared, or when a transitive dependency is updated. Even if a flaw isn’t exploitable in your application today, changes inside or outside that codebase could make it exploitable down the road.
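The two risks above, unpinned dependencies that can drift between builds and pinned dependencies that fall below a fixed version, are exactly what a software composition analysis (SCA) tool checks. The script below is an added example, not code from the original article or from Rezilion; it audits a constructed requirements-style lockfile against a constructed advisory list. The package names (`acme-*`), versions and advisory IDs (`EXAMPLE-0001`, `EXAMPLE-0002`) are all fictional, and the version comparison is a simplified numeric one rather than a full PEP 440 implementation.

```python
import re

# Constructed sample lockfile (requirements.txt style). Names and versions are fictional.
LOCKFILE = """\
# constructed sample, not a real project
acme-http==2.25.1
acme-tls>=1.2
acme-crypto==3.4.7
acme-yaml
"""

# Constructed advisory list: a package is affected when its pinned version is
# below `fixed_in`. The IDs are placeholders, not real advisory identifiers.
ADVISORIES = [
    {"package": "acme-http", "fixed_in": "2.26.0", "id": "EXAMPLE-0001"},
    {"package": "acme-crypto", "fixed_in": "3.3.2", "id": "EXAMPLE-0002"},
]

# name, optional operator, optional numeric version, optional trailing comment
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9.]*))?\s*(?:#.*)?$"
)


def parse_version(v):
    """Turn '2.25.1' into (2, 25, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text):
    """Return one dict per requirement line: name, operator (or None) and version (or None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised requirement line: {raw!r}")
        name, op, version = m.groups()
        entries.append({"name": name.lower(), "op": op, "version": version})
    return entries


def find_unpinned(entries):
    """Names not pinned to an exact version, sorted. These can change silently between builds."""
    return sorted(e["name"] for e in entries if e["op"] != "==")


def match_advisories(entries, advisories):
    """Pair each exactly pinned entry with every advisory whose fixed_in version it sits below."""
    hits = []
    for e in entries:
        if e["op"] != "==":
            continue  # a range cannot be evaluated against an advisory; it is reported as unpinned
        for adv in advisories:
            if adv["package"] == e["name"] and parse_version(e["version"]) < parse_version(adv["fixed_in"]):
                hits.append((e["name"], e["version"], adv["id"]))
    return hits


def audit(text, advisories):
    """Run both checks over a lockfile and return the findings."""
    entries = parse_lockfile(text)
    return {
        "unpinned": find_unpinned(entries),
        "vulnerable": match_advisories(entries, advisories),
    }


if __name__ == "__main__":
    report = audit(LOCKFILE, ADVISORIES)
    for name in report["unpinned"]:
        print(f"UNPINNED  {name}: version can drift between builds")
    for name, ver, adv_id in report["vulnerable"]:
        print(f"AFFECTED  {name}=={ver}: {adv_id}")
```

On the sample input the script flags `acme-tls` and `acme-yaml` as unpinned and `acme-http==2.25.1` as affected by `EXAMPLE-0001`; `acme-crypto==3.4.7` is above its advisory’s fixed version and is not reported. A real SCA tool does the same matching at far larger scale, against live advisory feeds and across transitive dependencies, which is why the category is the first stop in a supply chain tooling stack.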
Given the vast nature of the software supply chain, it is critical to have a protection strategy. Gartner is predicting that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chain—up threefold from 2021.
The good news is, organizations are paying attention. Seventy-three percent have significantly increased efforts to secure their software supply chain due to recent attacks, according to Enterprise Strategy Group. This requires an array of tools.
Rezilion’s Guide to Products for Software Supply Chain Security
To help make the process more manageable, we’ve come up with a list of categories, with a few tools in each, that are must-haves for monitoring, flagging, reporting on, and overall securing the software supply chain. We’ve chosen them based on reviews and ratings.
The main tool categories are SCA and SBOM, but CISOs and CSOs who want to ensure they are adequately managing supply chain risks should consider tools in other categories we included, such as agentless monitoring, CI/CD pipeline security, SAST, end-to-end security and penetration testing services. We’ve also included explanations of each tool category.
Selecting a Vendor
Security experts say you should look for best-of-breed products, since it is unlikely that one vendor will cover security for the entire software supply chain. It’s important to vet your security vendors, regardless of their size or reputation.
NIST published a guide on managing cybersecurity risk in supply chains, which includes a comprehensive list of sample questions (pages 220-227) that organizations may want to ask when considering different tools.
Among the key questions are:
- Can the supplier provide a list of the parties from which it procures the hardware and software used in the performance of the contract?
- Does the supplier safeguard key program information that may be exposed through interactions with other suppliers?
- Does the supplier have procedures for secure maintenance and upgrades following deployment?
Be sure to check out our product guide for securing the software supply chain.
About the author: Esther Shein is a longtime freelance tech and business writer and editor whose work has appeared in several publications, including CIO.com, TechRepublic, VentureBeat, ZDNet, TechTarget, The Boston Globe and Inc. She has also written thought leadership whitepapers, ebooks, case studies and marketing materials.