Where is Your Risk? Software Supply Chain Security Weaknesses
In the first two posts of this series on software-related risks, we have looked at vulnerabilities introduced in the development phase and vulnerabilities present in open source software. The third major risk area to consider is software supply chain security and the weaknesses in this area.
It's no secret that software supply chain security is a complex issue. The supply chain is often an opaque environment in which vulnerabilities can arise and potentially impact many organizations. Recent vulnerabilities, such as the Log4Shell bug that impacted Apache's popular open source Log4j, illustrate the effect such vulnerabilities can have on the software supply chain and the companies that rely on these products.
Why is Software Supply Chain Security Important?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has noted that software supply chain attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure and private sector software customers.
Threat actors employ different techniques to execute software supply chain attacks, CISA said. Three common techniques are hijacking updates, undermining code signing and compromising open-source code. “These techniques are not mutually exclusive, and threat actors often leverage them simultaneously,” the agency said.
As with vulnerabilities in open source software, one of the most effective solutions for dealing with software supply chain risks is deploying the software bill of materials (SBOM), a formal, machine-readable record containing the details, supply chain relationships and licenses of the various components used to build a software product.
Research firm Gartner in a 2022 report said SBOMs improve the visibility, transparency, security and integrity of proprietary and open-source code in software supply chains. To realize these benefits, the firm said, software engineering leaders should integrate SBOMs throughout the software delivery life cycle.
The most effective SBOMs are those that are dynamic, with the ability to keep up with the frequent changes in the software market such as new releases and components. Organizations should look for SBOM tools that have the ability to incorporate updates automatically as changes occur.
How Software Composition Analysis (SCA) Helps
Another effective tool for addressing software supply chain risk is software composition analysis (SCA), which identifies the open source software in a code base. SCA automates the process of tracking and analyzing open source software components and their dependencies.
The technology is not new, but the use of SCA has been gaining momentum within organizations because of the predominance of open source software in recent years. Many open source components come with known software vulnerabilities, and SCA enables teams to have greater visibility into these components and identify vulnerabilities in open source code.
The technology is important not only for managing vulnerabilities across the software supply chain, but also for ensuring license compliance and code quality. This can be a daunting task when it’s performed manually, particularly given the large and growing amount of open source software. SCA tools automate the process, helping to make sure open source code is secure and reliable.
Among the factors to consider when evaluating SCA tools are whether they scan code in the languages the development team uses, scan both source code and binaries, identify open source components and their licenses, generate reports that are easy to understand, and stay current with the latest security vulnerabilities.
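An added example, not code from the original post or from any product it mentions: a minimal SCA-style check in Python over a constructed CycloneDX-format SBOM. It matches each component against a constructed advisory feed (placeholder id, illustrative fix version), traces which dependency pulled a flagged component in, and reports licenses outside an assumed allow-list; the package names, versions and license policy are assumptions.

```python
import json
# Constructed CycloneDX-style SBOM: the JSON shape follows CycloneDX 1.4; the components are illustrative.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "2.3.0"}},
 "components": [
  {"bom-ref": "lib:reporting-lib@1.2.0", "name": "reporting-lib", "version": "1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
  {"bom-ref": "lib:log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"bom-ref": "lib:chart-widgets@0.9.0", "name": "chart-widgets", "version": "0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["lib:reporting-lib@1.2.0"]},
  {"ref": "lib:reporting-lib@1.2.0", "dependsOn": ["lib:log4j-core@2.14.1", "lib:chart-widgets@0.9.0"]}]}"""
# Constructed advisory feed: placeholder id and an illustrative fix version, not a real advisory record.
ADVISORIES = [{"id": "ADV-PLACEHOLDER-001", "name": "log4j-core", "fixed_in": "2.15.0"}]
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}  # assumed license policy for this example
SBOM = json.loads(SBOM_JSON)

def version_tuple(v):
    """Dotted numeric versions only; a real SCA tool needs per-ecosystem version comparators."""
    return tuple(int(p) for p in v.split("."))

def dependency_path(sbom, ref):
    """Walk the CycloneDX dependency graph upwards so a finding names who pulled the component in."""
    parents = {}
    for d in sbom.get("dependencies", []):
        for child in d.get("dependsOn", []):
            parents.setdefault(child, []).append(d["ref"])
    path = [ref]
    while path[-1] in parents and parents[path[-1]][0] not in path:  # first parent, cycle-safe
        path.append(parents[path[-1]][0])
    return path[::-1]

def vulnerable_components(sbom, advisories=ADVISORIES):
    """Match every component against the feed; return (advisory id, ref, path from the root)."""
    hits = []
    for c in sbom.get("components", []):
        for adv in advisories:
            if c["name"] == adv["name"] and version_tuple(c["version"]) < version_tuple(adv["fixed_in"]):
                hits.append((adv["id"], c["bom-ref"], dependency_path(sbom, c["bom-ref"])))
    return hits

def license_violations(sbom, allowed=ALLOWED_LICENSES):
    """Report components whose declared SPDX license ids fall outside the allow-list."""
    bad = []
    for c in sbom.get("components", []):
        ids = {lic["license"].get("id", "UNKNOWN") for lic in c.get("licenses", [])}
        if not ids <= allowed:
            bad.append((c["bom-ref"], sorted(ids - allowed)))
    return bad

if __name__ == "__main__": print(vulnerable_components(SBOM), license_violations(SBOM))
```

The dependency path in each finding is what turns a component-level match into an actionable one, since the fix is usually an upgrade of the direct dependency (here the constructed reporting-lib) rather than the transitive component itself.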