Building trust in the software supply chain
Just because the component you add to your app is secure today doesn’t mean the app will still be secure tomorrow.
This is largely due to the complexity of the software supply chain: the mix of proprietary and open source code, APIs and user interfaces, application behavior and deployment workflows that go into building software applications.
For companies developing software, a security issue at any point in this chain, at any time, could put your organization and your customers at risk. How can you ensure that your software supply chain is secure, and prove it?
Codebase and supply chain security risk
A breach anywhere in the supply chain ripples outward from the point where the vulnerability or compromise originated, sometimes all the way to the end user, and can have devastating effects. Because of its complexity and connectivity, the software supply chain presents an ever-expanding attack surface. For example, threat actors could use compromised software and its routine network communications to gain privileged access to networks and organizations. This lets them bypass perimeter security and appear as legitimate users or accounts; once inside, and with permissions, they could wreak havoc.
Do you know the composition of the software in your applications, including both open source and proprietary code? Do you know which components and versions they use? Open source software is everywhere; it is an essential part of modern application development. Our analysis of commercial codebases in the Synopsys “Open Source Security and Risk Analysis” report shows that almost all (98%) of codebases contain open source software, and that figure is 100% in the clean energy and technology, cybersecurity, Internet of Things, and hardware and semiconductor sectors. The report also shows that 81% of codebases contain at least one known open source vulnerability.
Due to the prevalence of open source software, the supply chain is more complicated and obscure, involving more links and dependencies than ever before. The only way to mitigate risk is to maintain visibility into the open source software being used and address areas of risk as they are identified.
Your proprietary code, meanwhile, is written by developers who typically don’t have much security experience or training. As with open source software, the risks in proprietary code are complex and can be difficult to identify, even for seasoned security experts. Yet vulnerabilities in your own code can serve as entry points to sensitive data and systems. That’s why it’s so important to secure proprietary software alongside the third-party code in an application.
Software Supply Chain Attacks
Attackers are increasingly targeting the supply chain because it offers a high return on investment, and because these attacks succeed, they are becoming more and more common. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced software supply chain attacks. And because of dependencies and connectivity, flaws and vulnerabilities in applications create risk for organizations several degrees removed from the initial attack vector.
Building trust with software
The way to secure the software supply chain and build trust with your customers and suppliers is to take a proactive approach, starting with a software bill of materials (SBOM). An SBOM, often generated by a software composition analysis tool, is a comprehensive inventory of the components used to build a piece of software. It lists all open source and proprietary code, the associated licenses, the versions used, and their patch status. A more comprehensive SBOM also includes download locations for components and dependencies, and any subdependencies those dependencies pull in. The specific items and level of detail included in an SBOM depend on the organization, its customers and partners, any relevant regulatory bodies, and the information they need. This data is intended to be shared between companies and communities, so that other organizations can build their own complete inventory of the software they use.
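As an added illustration (not code from the article or from Synopsys), the audit below checks a constructed CycloneDX-style SBOM for the fields the paragraph lists: version, license, and download location for every component, plus a dependency graph that only references components the SBOM actually declares. The sample SBOM, its component names and URLs are all made up.

```python
"""Audit an SBOM for the fields an inventory should carry (constructed example)."""
import json

# Constructed CycloneDX 1.4-shaped SBOM; names, versions and URLs are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.1.0",
         "purl": "pkg:npm/libfoo@2.1.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "externalReferences": [{"type": "distribution",
                                 "url": "https://example.invalid/libfoo-2.1.0.tgz"}]},
        # Missing license and download location: typical of a hand-added dependency.
        {"type": "library", "name": "libbar", "version": "0.9.3",
         "purl": "pkg:npm/libbar@0.9.3"},
        # In-house code is inventoried too, so proprietary risk is visible alongside OSS.
        {"type": "application", "name": "inhouse-api", "version": "1.0.0",
         "licenses": [{"license": {"name": "Proprietary"}}]},
    ],
    "dependencies": [
        # libbaz is depended on but never declared: an undocumented subdependency.
        {"ref": "pkg:npm/libfoo@2.1.0",
         "dependsOn": ["pkg:npm/libbar@0.9.3", "pkg:npm/libbaz@1.0.0"]},
    ],
})


def audit_sbom(text):
    """Return {'gaps': {component: [missing fields]}, 'dangling': [undeclared refs]}."""
    bom = json.loads(text)
    components = bom.get("components", [])
    declared = {c.get("purl") or c["name"] for c in components}
    gaps = {}
    for c in components:
        key = c.get("purl") or c["name"]
        missing = []
        if not c.get("version"):
            missing.append("version")
        if not c.get("licenses"):
            missing.append("license")
        refs = c.get("externalReferences", [])
        if not any(r.get("type") == "distribution" for r in refs):
            missing.append("download location")
        if missing:
            gaps[key] = missing
    # Every edge in the dependency graph must point at a declared component.
    dangling = [ref for d in bom.get("dependencies", [])
                for ref in d.get("dependsOn", []) if ref not in declared]
    return {"gaps": gaps, "dangling": dangling}
```

Run `audit_sbom(SAMPLE_SBOM)` on the sample: libbar lacks a license and download location, inhouse-api lacks a download location, and libbaz is an undeclared subdependency.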
Supply chain hardening
Security is only as strong as its weakest link. The software supply chains behind today’s applications are complex, and a security issue anywhere along the chain could put your organization or your customers at risk of attack. To earn the trust of your customers and comply with industry standards and regulations, you must harden your supply chain against security threats and prove that you have done so. Learn what a software supply chain looks like, the risks involved, and how to build a holistic approach to supply chain security so that your organization isn’t the weakest link.
Mike McGuire is senior director of product marketing at Synopsys, an American electronics design automation company that focuses on silicon design and verification, silicon intellectual property, and software security and quality.