The new rules of software supply chain security: visibility, vigilance, validation

2 hours ago 4

The global digital economy runs on a thriving ecosystem of third-party vendors, enabling organizations to scale and innovate faster than they possibly could do on their own.

This digital ecosystem is teeming with software suppliers, not just business software that you can buy but also a vast array of software libraries that are embedded in third-party products.

Speed, however, can sometimes be the enemy of risk, as many organizations have not adequately validated whether these third-party technologies are sufficiently safeguarded against cyber threats and other digital risk.

Information Security professional and CISO at ISC2.

So, while software is a great enabler, it also brings risk, given that it often is built with frameworks and libraries that are not known or well supported.

Consider that companies employ an average of 106 SaaS apps within their IT environments , and the picture becomes quite clear: software supply chain security is a serious concern.

It’s no wonder that half (51%) of participants in the latest Supply Chain Risk Survey ranked software vulnerabilities in supplier products as the most disruptive cybersecurity threat to their organization’s supply chain, behind only data breaches (64%) and malware or ransomware (52%).

An ever-changing attack surface that comprises cloud services, micro-services, APIs, SaaS platforms, third‑party services and now AI agents has expanded well beyond what once was an understood perimeter before widespread digital transformation took hold.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

How secure is your own extended digital ecosystem? If this question makes your heart race, then take a closer look at three key considerations for addressing software supply chain security.

1. Visibility: Determine what’s actually in your multi-layered supply chain

Since the software supply chain is part of a vast, interconnected digital ecosystem, organizations likely do not have full visibility of what and who make up their third-party providers. Recent high-profile incidents have signaled just how fragile supply chains can be.

Assuring business continuity requires organizations to scrutinize partners before placing such deep trust in them. That effort starts with knowing who is in your interconnected digital ecosystem before you can start to manage the risk.

Understanding risk across a supply chain is conceptually easy, but it is practically difficult. While clearly outlining security parameters and requirements in supplier contracts is a great starting point, it is not enough, as contracting is generally a point-in-time activity and should be paired with monitoring. You must be able to see and measure software assets so you can better manage them.

After all, you can’t protect what you can’t see, and many businesses still don’t have a complete, accurate asset inventory, meaning that their vulnerability exposure is incomplete. If you don’t know what systems, apps, devices and libraries are in your environment, vulnerability management is supposition, inference and guesswork.

It is crucial to understand what your suppliers are doing both upstream and who you supply downstream, because their decisions are now part of your organization’s own risk profile. Software often presents the biggest blind spots in asset management, thanks in large part to a lack transparency in software build and dependencies, shadow IT, shadow AI and unmanaged endpoints.

An organization's exposure is tied directly to the security posture of every supplier they rely on. Attackers know this, increasingly targeting upstream or downstream partners. You can secure your own environment perfectly and still be vulnerable through others’ oversight. Tools that can profile, quantify and score risk across the supply chain, therefore, are essential, as is tooling that monitors for unusual activity.

2. Vigilance: Prioritize the security of AI integrations across your software supply chain

Threats can lurk anywhere and everywhere across your supply chain. But there’s a new kid in town: AI. The software supply chain has expanded to include the unique risks of AI ecosystem, such as reliance on external foundational models and highly connected agents.

This escalating integration of AI tools makes the multi-faceted software supply chain even more of a concern. Cybersecurity professionals who participated in the latest Cybersecurity Workforce Study revealed a troubling AI-related security event their organization experienced in that prior year: data poisoning (cited by 11%).

Data poisoning happens when bad actors intentionally insert corrupted, misleading or malicious data into the training dataset of a machine-learning model. Even a small amount of poisoned data can change the model’s behavior, in turn resulting in misclassifications, degraded accuracy or malicious outcomes. So suddenly that seemingly helpful ChatBot that is embedded in your CRM, CMS or other purpose-driven enterprise software may not be so friendly after all!

Indeed, organizations simply have little / no control over the software that suppliers are using, making it much more difficult to ensure vulnerabilities are identified before widespread rollout, as well as supported and patched once deployed, but they do have control over scrutinizing suppliers.

Therefore, the people on your security team and the processes they follow matter more than ever. Technology accelerates both sides of the fight, so your real advantage comes from having skilled practitioners who understand how AI changes your risk profile, attack surface and can put the right controls in place to compensate.

Cybersecurity professionals who specialize in software supply chain security can quantify the risk of model poisoning / steering, prompt injection and model inversion, and assess the inherent bias of pre-trained open-source models, protecting the integrity of software and services from upstream vulnerabilities. Such a holistic approach ensures that every component, from third-party libraries to the training data itself, meets the organization’s security and ethical standards.

In addition, reviewing and evaluating vendor agreements is an important task for cybersecurity teams and stakeholders. Think of these disciplined actions as a necessary stress-test meant to identify and address weaknesses and changing needs. A good contract with clear deliverables and expectations is part of a cybersecurity defensive strategy alongside your people and your defense technologies and ongoing monitoring of systems and services.

3. Validation: Adopt skills frameworks and codes of practice for software supply chain security

No organization must stand up against the heightened threat of software supply chain security alone. Take advantage of existing guidance such as the U.K.’s Software Security Code of Practice to follow when you’re trying to batten the software hatches at your own organization.

Not only does this code support software vendors as they adopt secure software lifecycle development practices; it also supports software customers in mitigating the likelihood and impact of software supply chain attacks.

In addition to following code and other guidance frameworks, organizations can look to skills frameworks and vendor-neutral certifications to validate that their cybersecurity professionals demonstrate certain skills needed to build and strengthen supply chain security and resilience.

Skills development in the disciplines of governance, risk and compliance (GRC), secure software development and AI skills better enable cybersecurity and risk professionals to make informed decisions regarding software supply chain security and risk management.

From complexity to better security

Supply chains are complex, longer than you think and multidimensional. Organizations must place much greater focus on stress-testing the resilience of software suppliers and continuously evaluating exposure.

This approach goes well beyond being careful about what software makes it all the way to procurement. The potentially more damaging layer to address in the macro supply chain involves the embedded software and integrated AI tools that other suppliers are using.

The question is not whether your digital supply chain will face disruption. It's whether you have the visibility, vigilance and validation to operate when it does. That’s resilience: the north star of software supply chain security. Without question, transparency has to run through supply chains instead of just sitting inside organizations.

We've rounded up the best endpoint protection software suites.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

Read Entire Article