There’s been a lot of attention on supply chain cybersecurity lately. In some business segments—especially manufacturing—hardware gets intense scrutiny. Current standards and best practices emphasize traceability or chain of custody to assure the integrity of the supply chain.
Often overlooked is our software supply chain. Large-scale exploitation is possible by altering source code, compromising popular websites, or manipulating trusted apps. In contrast to hardware exploitation, software attacks carry less risk for the attacker, require less expertise, and spread more quickly.
We need to start understanding and securing our software supply chain with the same rigor as the hardware supply chain.
Where do we start? Here are some key questions to answer:
• Are you using open-source software? Has anyone bothered to look at the code and its contributors, or did you just download and run it? For a static website, you might consider it no big deal (unless you care about your reputation and whoever is accessing the website). However, what about your finance application or user database?
• What traceability steps are you taking for software in your enterprise?
• How do you account for software in your risk management program?
It’s about time we started paying better attention to the supply chain! What’s your preferred software supply chain technique or solution?
By Ed Brindley, CSO & Co-Director of Cybersecurity Solutions at PLEX