A Playbook for Assuring Software Products in Critical Systems

Global technology supply chains are increasingly complex — especially for critical infrastructure sectors — but they can be compromised by something as simple as a software component maintained by a guy in a basement who’s also an employee of an adversarial government.


Assuring the quality of software products in critical systems is necessary for national security, public health and safety, energy transmission, and more. The task requires monitoring and detection resources that could include thousands of hours of manual research. But an innovative playbook — developed by Exiger in partnership with Schneider Electric and the Department of Defense — has set some best practices that organizations can adopt to save time and money.


The Supply Chain Product Assurance Playbook, a solution for rapidly mapping and mitigating product risks at scale, is featured in the Assuring Software Products in Critical Systems webinar.

What Is Software Product Assurance?

Software product assurance refers to the comprehensive processes and practices aimed at making sure that software products are reliable, secure, and function as intended. This facet of software development is especially critical in the context of supply chains supporting critical infrastructure, such as power grids, healthcare systems, and government operations. The core objective of software product assurance is to mitigate risks associated with software failures, security vulnerabilities, and operational inefficiencies that can lead to significant disruptions in essential services.


As critical infrastructures increasingly rely on software-driven processes, the potential impact of software issues multiplies. For instance, a software flaw in an electricity grid’s control system can not only cause widespread outages but also expose the system to cyber-attacks that could cripple vast areas. Thus, implementing rigorous software product assurance practices helps ensure that software components in critical systems are thoroughly vetted, secure, and resilient against a wide array of threats.


The interconnected nature of systems means software risks can have cascading effects. Software product assurance serves as a crucial layer of defense, safeguarding against these ripple effects by enforcing stringent standards and regular audits throughout the development and deployment lifecycle. By prioritizing software product assurance, organizations not only protect their own operational integrity but also fortify the broader infrastructure ecosystem against potential disruptions and security threats.


5 Steps for Driving Software Product Assurance

These strategic priorities can shape an approach to software product assurance that’s transferrable to nearly all organizations with complex supply chains.


1 - Commit to transparency and trusted partnerships

It’s essential to communicate openly, share information, and work collaboratively with suppliers and customers in order assure software products.


“The more that you have that dialogue to say, ‘This is the current state, here’s our plan, here’s our roadmap, here’s our thoughts on this — what is yours?’ That’s part of the voice of the customer and a big part of the transparency that’s necessary,” says Cassie Crossley, VP of Supply Chain Security at Schneider Electric and author of Software Supply Chain Security. “It’s a big leap because we’re trusting on both sides. That’s what I feel will drive the industry to move forward.”


This effort includes “grown-up conversations” with partners and suppliers about the cost of software maintenance, says JC Herz, SVP of Cyber Supply Chain Solutions at Exiger. “Who assumes the burden of that cost — the supplier or is it also the customer? Are we willing to give preferential selection to the suppliers that are making that investment?”


This sort of transparency helps establish trust and allows for a more collaborative approach to assuring software products in the supply chain.


2 – ‘Move left’ and focus on leading risk indicators

This step helps shift reactive to proactive in assuring software product supply chains. Identifying and addressing issues early on can prevent future problems and reduce risk. The concept of “moving left” in software development means addressing security and risk considerations from the beginning rather than as an afterthought.


Herz stresses that watching for leading risk indicators — like end-of-life, technical debt, open-source software maintained by a single individual, and more — is the way to get ahead of known vulnerabilities, or CVEs. This sort of analysis is best performed by AI and automation with a solution like Ion Channel.


Otherwise, you may play whack-a-mole, she says, trying to remediate all the vulnerabilities that pop up. “The ability to actually act on leading indicators gets you out of the reactive hell of whacking CVEs.”


“The ability to actually act on leading indicators gets you out of the reactive hell of whacking CVEs.”

JC Herz, SVP of Cyber Supply Chain Solutions at Exiger

3 – Manage and mitigate software supply chain risks

Risk management is key to assuring software products. It’s not about excluding certain components or suppliers, but rather about managing and mitigating risks. This can involve assessing and prioritizing critical products and implementing appropriate security measures.


The decisions involved in risk mitigation are complex, varying by product and involving more than what’s revealed in a software bill of materials (SBOM). The process could include:


  • Taking security patches from later versions of a product
  • Making changes to open-source components
  • Tolerating a new threshold of risk
  • Refusing automatic updates rather than ripping out components from a single-committer source.


“It’s not just about the software vulnerabilities,” Crossley says. Look beyond the state of the product to other risk factors like ownership changes and governance issues related to suppliers.


“For instance, if there’s a DLL (dynamic link library) that comes from an adversarial state-owned company, that is an escalated risk,” Herz says. “It’s not necessarily an acceptable one, but it’s something that factors into that whole risk equation in a way that goes beyond just cybersecurity.”


4 – Monitor supply chain risks continuously

Software gets old and new vulnerabilities can emerge over time, so ongoing monitoring and updates are necessary to maintain security and resilience. Herz calls continuous monitoring one of the “most essential” elements of the playbook for software product assurance.


“I like to say that software ages like milk, not like fine wine,” she adds.  “The risk that you have a year or four years later with that same component — the world has discovered a bunch of new ways to exploit that component.”


The level of monitoring needed is too labor-intensive to do without automation. Having an advanced cyber supply chain risk management solution that leverages AI and machine learning can help teams be efficient and effective in flagging new risk issues that require action.


5 – Invest in supply chain resources and support

Assuring software products in the supply chain requires resources and support. This can include having dedicated product security teams, scaling initiatives, and allocating resources for supply chain transparency, risk assessment, and mitigation efforts.


“You’ve got to have a team that is committed to making these kinds of adjustments over time,” Crossley says. Her product security team is scaling up the playbook initiative to integrate the transparency build and attestation process for both software and hardware.


Implementing advanced technology like the 1Exiger platform helps makes the product assurance playbook effective. The platform leverages AI and proprietary technology to deliver comprehensive analysis of supply chain risks, including cybersecurity risks, to reveal insights that enable confident decision-making. It’s the only open-source, third-party and supply chain risk management software that helps companies and government agencies achieve cost savings, resilience, and compliance in real time.


By fostering transparency, being proactive, managing risks effectively, committing to continuous monitoring, and allocating necessary resources, supply chain leaders can ensure that software products are not only secure but also robust enough to support the critical systems that depend on them. This approach protects against the threats of today and builds resilience for tomorrow.


Contact us for a demo of Exiger’s supply chain AI today.


Demo The
Exiger Platform

Save the Day
Be a supply chain superhero