We’ve all heard that a physical chain is only as strong as its weakest link. A similar truth applies in software development: A software supply chain is only as secure as its weakest link.
While it’s easy enough to inspect a physical chain for weaknesses, gaining visibility into the full length of a software supply chain is more complicated—and rather than being a one-time inspection, it requires always-on defensive processes to protect sensitive data. Here, members of Forbes Technology Council share practical recommendations to help organizations thoroughly monitor and protect their software supply chains.
1. Establish A Dedicated Governance Framework
To secure your software supply chain, establish a dedicated governance framework. Define specific security policies and control objectives for each supply chain stage. Implement strict technical and administrative controls to ensure component integrity and authenticity. Continuously monitor and update these controls to address new threats, providing a resilient and secure supply chain. – Anand Santhanam, Amazon Web Services
2. Adopt Zero Trust
Enhance software supply chain security by adopting zero-trust architecture and strict public key infrastructure management. The SolarWinds attack exploited weak PKI management, allowing malicious code in updates to be signed with legitimate certificates. Implement strict access controls, continuous verification, secure development practices, regular certificate rotation and supply chain transparency. – Julian Durand, Intertrust
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
3. Deploy A Holistic Approach
Deploy a holistic approach that embraces digital trust. This involves managing all aspects of the software supply chain, from third-party dependencies to software efforts and vulnerabilities. Organizations should ask vendors for cybersecurity maturity assessments and certifications to meet security standards and ensure readiness for incident response and recovery. – Chris Dimitriadis, ISACA
4. Ask Fundamental Questions And List The Answers
Start with a list—yep, a list. Most companies don’t know what’s running in their environments. Rationalization, artificial intelligence analysis and so on all fall down if you don’t know the fundamentals. Start with a few questions. Who is in your supply chain? What do you know about them? How critical is this software to your operation? Where is it used? With a list in hand, you can begin enhancing security. – Craig Burland, Inversion6
5. Understand Which Vectors Are Threatening Your Supply Chain
While it’s difficult to predict what the next big supply chain disruption will be, it’s important for business leaders to understand, in real time, which vectors are threatening their software supply chain. Leaders who harness evolving technologies like advanced AI to detect these threats first will have greater insights and the resiliency needed to withstand major disruptions and crises. – Brian Gumbel, Dataminr
6. Pair Automated Compliance Monitoring With Least-Privileged Access
Security policies are established for a reason: to keep organizations, partners and customers secure. Compliance can be continuously monitored through automation to ensure there are no deviations. Pairing this with a least-privileged approach—granting only the minimum access required—makes it hard for attackers to move throughout the supply chain if they do get through. – Erez Tadmor, Tufin
7. Continuously Monitor Third-Party Vendors
One crucial piece of advice for an organization looking to enhance the security of its software supply chain is to vet and continuously monitor all third-party vendors and suppliers for compliance with security standards. This includes engaging in regular security audits to verify adherence to regulations such as NIST and ISO/IEC 27001 and ensuring clear contractual agreements regarding breach notifications. – Sharat Ganesh, Qualys Inc.
8. Use Code Signing
Every piece of software is a machine, and it must have an identity. We would never not give developers an identity, but we treat code as though it were a bunch of pencils to inventory. Code, from developers to containers run in production, must have identity; we use code signing for this, and it stops unauthorized code. Giving every piece of software an identity is the path to securing the software supply chain. – Kevin Bocek, Venafi
9. Insist On A Comprehensive SBOM
To enhance software supply chain security, insist on a comprehensive software bill of materials for all dependencies. This helps you identify and manage vulnerabilities more effectively. Regularly auditing and updating dependencies, along with setting up stringent code review processes, further fortifies your defenses. – Stephen O’Doherty, Gibraltar Solutions
10. Assign Risk Scores To Vendors
Put a vendor risk assessment program in place, or update your existing one to take generative AI features into consideration. Assign risk scores for each vendor in your ecosystem, and make it a requirement that vendors pass a minimum bar before being deployed. If an existing vendor receives a sub-par score, work with them and your IT security team to mitigate the risk. – Brian Jackson, Info-Tech Research Group
11. Implement A CBOM
To enhance software supply chain security, implement a cryptography bill of materials. This crucial step maps your cryptographic landscape, guiding the transition to quantum-resistant practices as outlined in NIST’s Post-Quantum Cryptography standards. It’s the key to future-proofing your digital ecosystem against emerging quantum threats. – Tracy Levine, QuSmart.AI
12. Address The Security Of Non-Human Entities
Addressing the security of non-human identities, such as service accounts, application identities and so on, is essential when it comes to enhancing the security of an organization’s software supply chain. Did you know that for every human identity created within an organization, 45 non-human identities are created? It is crucial that all NHIs are managed and monitored for any abnormal behavior. – Itzik Alvas, Entro Security
13. Set Up A Well-Rounded DevSecOps Process
Security requires a solid DevSecOps process built on people, processes and tools. With today’s code copilots, open-source code is being injected into your code base faster than ever before. Organizations must adopt and enforce security testing, open-source software compliance and software bills of materials in the software development life cycle and train employees to understand their importance. – Sanjay Gidwani, Copado
14. Ensure Proactive, Robust Data Security Risk Management
Software supply chain security depends primarily on protecting the integrity and confidentiality of data across the supply chain. Proactive, robust data security risk management, including third parties, is the most important thing any organization can do, along with securing data in the cloud. According to a report by IBM and the Ponemon Institute, data breaches in the public cloud are the most costly, at $5.17 million. – Gaurav Kapoor, MetricStream
15. Integrate SCA Tools Into CI/CD Pipelines
Enhance security in the software supply chain by continuously analyzing software composition to gain visibility into open-source and third-party library usage, as well as potential vulnerabilities. Integrate software composition analysis tools into CI/CD pipelines for automated checks to ensure risk-managed and compliant components and protect against new threats. – Tushar Vartak, RAKBank
16. Integrate SAST Procedures To Identify Code Vulnerabilities
Adopt DevSecOps practices to enhance software supply chain security. Integrate static application security testing to identify code vulnerabilities early, maintain a software bill of materials to track components, and implement robust vulnerability management for dependencies. Ensure rapid deployment of updates with unit testing and CI/CD pipelines for automated security checks. – Mia Millette, Skyline Technology Solutions
17. Maintain Control Of Access To Data
To mitigate supply chain risks, organizations must automatically detect when third parties have access to sensitive account and customer data. This means implementing least-privileged access, a robust security posture and continuous threat monitoring to minimize the chances of a breach. This also helps organizations promptly evaluate a breach’s impact and initiate remedial actions to limit the damage. – Asaf Kochan, Sentra
18. Add A Secure Code-Signing Process Into DevOps Workflows
To find and fix errors, bugs and vulnerabilities while testing code during the development process, you also need to constantly prove the authenticity, integrity and validity of the code and software packages. To do so, implement a secure code-signing process within DevOps workflows that can digitally sign and timestamp the code to ensure it can be trusted and is secure. – Gregory Webb, AppViewX
19. Don’t Forget About Contract Agreements
When it comes to the security of your software supply chain, don’t forget about your contract agreements. While technical controls are extremely important, another important way to enhance your security is to be sure that no gaps or unnecessary exposure exist in your contractual agreements with your vendors. – Robert Reynolds, Orange County Government, North Carolina
20. Ensure Early Access To Recaptured Identity Intelligence
Supplier questionnaires are not enough to uncover exposures in the supply chain. Security teams need timely evidence when any component of a contractor’s, vendor’s or partner’s identity is compromised. Investigation tools and early access to recaptured identity intelligence can negate the value of stolen information by quickly identifying at-risk users and automating remediation to protect them. – Damon Fleury, SpyCloud