The Path to Resilience Amid Open-Source Software Supply Chain Risks


Like it or not, we live in a world where most software products contain open-source components. While open source has led to countless innovations that benefit us all, businesses today face serious supply chain risks because these components pervade their software ecosystem.

A recent study showed that up to 96% of codebases in software across all sectors contain open-source software (OSS). It’s part of the foundation of software used across critical infrastructure, supporting each of the 16 sectors in that category. And OSS is woven into commercial software applications run by businesses of all sizes.

The challenge for procurement officers, risk and supply chain managers and others is keeping tabs on all the open-source and third-party components that exist within the software that’s key to business success. This lack of visibility forces enterprises into a reactive Whack-a-Mole posture that can wear down the gatekeepers and demoralize staff.

This guide from Exiger, Build Resilience to Inevitable Open-Source Supply Chain Risks, offers some basic steps you can take to improve supply chain risk management in your software ecosystem.

The first step is relatively simple: Know what you have. That’s where the Software Bill of Materials (SBOM) is essential.

SBOM: A Key to Software Inventory Transparency

Given the volume and velocity of software dependency attacks, it is table stakes to require a Software Bill of Materials (SBOM) from vendors, contract software developers and internal developer teams. This data should be structured, machine-readable and must contain all direct and transitive dependencies (components of components) in a software product or build.

“On a business level, what the SBOM tells the customer is that there are products which are end-of-life, unmaintainable, where investment hasn’t happened in maintenance, in updates, in security,” said JC Herz, SVP of Cyber Supply Chain Risk Management at Exiger.

In forward-leaning industries like financial services, medical devices and defense, producing SBOMs is already standard operating procedure. Large banks, for example, maintain prohibited components lists to firewall vulnerable products from procurement. The Department of Commerce’s Software Component Transparency Initiative, composed of stakeholders in healthcare, finance, government and technology, has released a concrete set of definitions with working models of what it means for customers to demand and for suppliers to provide SBOMs for initial procurement and ongoing vulnerability management.

The consensus among regulated enterprises is that refusal to provide a third-party ingredients list is an unacceptable position for a software supplier to take. Modern engineering methods (software version control, continuous integration) automate the export of these software manifests from development pipelines.
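The two requirements above, an SBOM that carries direct and transitive dependencies and a prohibited components list that gates procurement, can be checked mechanically. The following is an added example, not code from Exiger or from the guide: it walks a small, constructed SBOM written in the CycloneDX JSON layout, separates direct from transitive dependencies by following the dependency graph from the root component, and applies two pass/fail rules. The prohibited entry (`legacy-parser`) is a hypothetical end-of-life component; the advisory entry is a simplified version of the published range for CVE-2021-44228 in log4j-core, and in practice the feed would come from NVD or OSV rather than an inline list.

```python
"""Resolve direct vs transitive dependencies in a CycloneDX-style SBOM and
apply pass/fail procurement rules (prohibited list, advisory feed)."""
import json
from collections import deque

# Constructed sample SBOM (minimal subset of the CycloneDX JSON layout);
# not any real product's bill of materials.
APP = "pkg:maven/com.example/app@1.0.0"
WEB = "pkg:maven/com.example/web@3.2.0"
LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LOG4J_API = "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"
LEGACY = "pkg:maven/com.example/legacy-parser@0.9.0"  # hypothetical EOL component

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": APP, "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": WEB, "name": "web", "version": "3.2.0"},
        {"bom-ref": LOG4J_CORE, "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": LOG4J_API, "name": "log4j-api", "version": "2.14.1"},
        {"bom-ref": LEGACY, "name": "legacy-parser", "version": "0.9.0"},
    ],
    "dependencies": [
        {"ref": APP, "dependsOn": [WEB, LOG4J_CORE]},
        {"ref": WEB, "dependsOn": [LEGACY]},
        {"ref": LOG4J_CORE, "dependsOn": [LOG4J_API]},
    ],
})

# Constructed policy inputs. The advisory mirrors the published range for
# CVE-2021-44228 (log4j-core 2.0 up to, but excluding, 2.15.0) in simplified
# form; a real feed would be pulled from NVD or OSV.
PROHIBITED = {"pkg:maven/com.example/legacy-parser"}  # hypothetical entry
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]


def load_sbom(text):
    return json.loads(text)


def split_purl(ref):
    """Split 'pkg:type/namespace/name@version' into (package, version)."""
    package, _, version = ref.partition("@")
    return package, version


def parse_version(text):
    """Compare on the leading numeric part of each dotted segment:
    '2.14.1' -> (2, 14, 1). Pre-release tags such as '2.0-beta9' collapse to
    (2, 0); ecosystem-specific ordering is needed for a production engine."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def dependency_graph(sbom):
    """bom-ref -> list of bom-refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def classify_dependencies(sbom):
    """Return (direct, transitive) sets reachable from the root component."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = dependency_graph(sbom)
    direct = set(graph.get(root, []))
    seen, queue = set(), deque(direct)
    while queue:  # breadth-first walk; 'seen' guards against cycles
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(graph.get(ref, []))
    return direct, seen - direct


def evaluate(sbom, prohibited=PROHIBITED, advisories=ADVISORIES):
    """Apply every rule to every component, direct or transitive."""
    direct, transitive = classify_dependencies(sbom)
    findings = []
    for ref in direct | transitive:
        package, version = split_purl(ref)
        scope = "direct" if ref in direct else "transitive"
        if package in prohibited:
            findings.append({"rule": "prohibited", "ref": ref, "scope": scope})
        for adv in advisories:
            if adv["package"] != package:
                continue
            v = parse_version(version)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"rule": adv["id"], "ref": ref, "scope": scope})
    return findings


def sbom_passes(sbom_text):
    """True only when no rule fires on any component."""
    return not evaluate(load_sbom(sbom_text))


if __name__ == "__main__":
    for f in evaluate(load_sbom(SAMPLE_SBOM)):
        print(f"FAIL {f['rule']}: {f['ref']} ({f['scope']})")
    print("pass" if sbom_passes(SAMPLE_SBOM) else "fail")
```

The point of walking the graph rather than scanning the flat component list is scope: the prohibited component here is never referenced by the application directly, only by `web`, and a policy that stopped at direct dependencies would pass this build. The same walk is what a customer-side monitor would re-run every time the advisory feed changes.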

Pay Attention to Cyber Hygiene

In an expert panel discussion about cyber supply chain risk management (C-SCRM), Christine Halvorsen, Managing Director of Protiviti, described SBOMs as a matter of routine health.

“It is just good cyber hygiene, at the end of the day,” said Halvorsen. “I know the regulations are there, but people have to stop thinking of, ‘I need to meet this regulation,’ or ‘I need to meet this new directive that’s out because I want to do business with the government’ — instead of thinking it’s really about good cyber hygiene.”

The U.S. government has been a leader in forging guidelines and policies, including the requirement that government suppliers and contractors produce SBOMs that detail all components of the software. Agencies like the National Institute of Standards and Technology (NIST) offer further information and bolster the National Cybersecurity Strategy. The NIST resources can help guide C-SCRM practices for all businesses.

SBOMs and other C-SCRM best practices are an investment that can end up protecting the health of your company and its reputation. Widespread third-party and supply chain incidents, including the SolarWinds attack and the Log4j vulnerability, also underscore the need for investing in the cybersecurity of your supply chains.

Next Steps for Building Software Supply Chain Resilience

SBOMs are table stakes for effective software risk management. But simply having an inventory list doesn’t close the loop: Software inventory lists and SBOMs must be accurately resolved and continuously mapped to live-state data as risks emerge. Third-party SBOMs and manifests should be monitored by customers, in parallel to a supplier’s security process, to ensure that the customer’s situational awareness is as timely as the supplier’s and that governance and remediation are triggered on the customer’s initiative.

To learn about 10 other steps that can help solve your C-SCRM needs, download our guide: Build Resilience to Inevitable Open-Source Supply Chain Risks.

Given how central software is to everyday infrastructure and commerce, in addition to supply chain functions in your enterprise, you can’t afford to ignore the ingredients in the software ecosystem that your business relies on today. Exiger’s Cyber Supply Chain Risk Management (C-SCRM) platform provides unprecedented transparency and resilience to counter supply chain attacks.

The Exiger platform transforms your software inventory data, enhancing it with open-source and proprietary intelligence data to effectively uncover and manage risks in your software supply chain. Specifically, the platform continuously ingests software supply chain data, changes to open-source components, maintenance and compliance history for software dependencies, leading indicators of risk in advance of known vulnerabilities and supplier risks that software scanners don’t detect, such as end-of-life components and change-of-control in underlying dependencies. As software is delivered by vendors, contractors or in-house developers, our technology ingests or builds SBOMs, analyzes all transitive dependencies, maps supplier risk metrics, and automates pass/fail security rules.

Schedule a demo of the Exiger platform today.
