The three concepts, transparency of the software supply chain, assessable capabilities of software supply chain security, and a trusted software supply chain, are closely related to the ability of end users to conduct security checks and assessments of the software supply chain, including:
1. Basic assessment of software composition security
Upstream and downstream companies can provide end users with the ability to query information about the compositions of a sub-translucent software supply chain. End users obtain information about affected components through third-party threat intelligence monitoring or security advisories issued by competent authorities. By querying the list of software compositions and comparing component names and versions against that information, they can quickly determine whether known vulnerabilities or other security problems exist. The list of software compositions shall be machine-readable, for ease of maintenance and future automated checks.
2. Complete assessment of software composition security
A list of software compositions with high transparency (translucent and above) can significantly improve the accuracy of end users' software supply chain security assessments. Legal risk assessments, such as intellectual property assessments, are essential to companies' businesses. For companies operating international services, there are potential legal risks in the open-source projects and third-party components used in their products (whether they comply with license requirements) and in software modification and reuse (whether it is lawful). Establishing an intelligence database under the unified management of the government facilitates the implementation of a security early-warning platform for the software supply chain.
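The two checks described in items 1 and 2 above, as an added example that is not code from the original post: a machine-readable list of software compositions in CycloneDX-style JSON is compared, by component name and version, against an advisory feed, and each declared license is checked against a company policy. The SBOM, the advisory entries (ADV-2024-000x), the component names and the license policy are all constructed sample data; the version comparison assumes plain dotted numeric versions.

```python
"""Checks an end user can run over a machine-readable list of software
compositions: known-vulnerability lookup (item 1) and license policy (item 2).

Added example, not code from the original post. The SBOM uses the CycloneDX
JSON layout for the few fields read here; the advisory feed, license policy
and component names are constructed sample data, not real components.
"""
import json

# Constructed sample SBOM (CycloneDX-style JSON, subset of the schema).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-parser", "version": "1.2.47",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "log-helper", "version": "2.3.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "tinyutil", "version": "0.9.1",
     "licenses": []}
  ]
}
"""

# Constructed advisory feed: affected versions are [introduced, fixed);
# fixed=None means no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-2024-0001", "component": "example-parser",
     "introduced": "1.2.0", "fixed": "1.2.60", "severity": "high"},
    {"id": "ADV-2024-0002", "component": "example-parser",
     "introduced": "1.0.0", "fixed": "1.1.5", "severity": "medium"},
    {"id": "ADV-2024-0003", "component": "tinyutil",
     "introduced": "0.0.0", "fixed": None, "severity": "low"},
]

# Constructed license policy for a company shipping international services.
LICENSE_POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "denied": {"AGPL-3.0-only", "GPL-3.0-only"},
}


def parse_version(text):
    """Dotted numeric versions only (assumption); "1.2.47" -> (1, 2, 47)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True when version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def find_known_vulnerabilities(components, advisories):
    """Compare name and version of every component against the feed."""
    hits = []
    for comp in components:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv):
                hits.append((comp["name"], comp["version"], adv["id"], adv["severity"]))
    return hits


def check_licenses(components, policy):
    """Flag denied licenses, unknown licenses, and components declaring none."""
    findings = []
    for comp in components:
        ids = [entry["license"]["id"] for entry in comp.get("licenses", [])
               if "license" in entry and "id" in entry["license"]]
        if not ids:
            findings.append((comp["name"], None, "no license declared"))
            continue
        for lic in ids:
            if lic in policy["denied"]:
                findings.append((comp["name"], lic, "denied by policy"))
            elif lic not in policy["allowed"]:
                findings.append((comp["name"], lic, "needs legal review"))
    return findings


def assess_sbom(sbom_json, advisories=ADVISORIES, policy=LICENSE_POLICY):
    """Run both checks over a machine-readable SBOM and return the findings."""
    components = json.loads(sbom_json)["components"]
    return {
        "vulnerabilities": find_known_vulnerabilities(components, advisories),
        "licenses": check_licenses(components, policy),
    }


if __name__ == "__main__":
    for kind, rows in assess_sbom(SBOM_JSON).items():
        print(kind)
        for row in rows:
            print("  ", row)
```

Because the input is machine-readable, the same check can be re-run automatically each time the advisory feed or the policy changes; a component with no declared license is reported rather than silently passed, since a missing license is itself a legal risk.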
3. Assessment of software development process security
The complete supply chain covers every link from development and design, through delivery and implementation, to use by the end user, and involves end users and suppliers at all levels. Each link may become a vulnerable point for network attack. Companies shall therefore fully assess the security of software when introducing it, in order to reduce risk:
- Dependency security assessment: risk assessments shall be carried out for the third-party components on which the software relies, using SCA tools in combination with the SBOM provided by suppliers, to prevent the introduction of known vulnerabilities and open-source licensing risks.
- Software vulnerability assessment: based on the product security assessment reports provided by suppliers, including but not limited to scan reports from SAST, SCA, DAST, IAST, and other tools, it shall be confirmed that no unfixed medium- or high-risk vulnerabilities exist when the product is delivered.
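A delivery gate built on the software vulnerability assessment rule above, as an added example that is not code from the original post: findings from several supplier reports (SAST, SCA, DAST, IAST) are merged, severities are normalised from either a label or a CVSS score, and delivery is refused while any medium- or high-risk finding is still unfixed. The report layout and field names (`id`, `severity`, `cvss`, `status`) are an assumption, not any real tool's output format, and all findings are constructed.

```python
"""Delivery gate over supplier security-assessment reports.

Added example, not code from the original post. The report structure and
field names are assumed; the findings below are constructed sample data.
"""
import copy

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCKING_LEVEL = SEVERITY_RANK["medium"]   # medium and above block delivery

# Constructed sample reports keyed by the tool class that produced them.
REPORTS = {
    "SAST": [
        {"id": "SAST-17", "title": "SQL built by string concatenation",
         "severity": "High", "status": "fixed"},
        {"id": "SAST-22", "title": "Hard-coded credential",
         "severity": "Medium", "status": "open"},
    ],
    "SCA": [
        {"id": "SCA-3", "title": "example-parser 1.2.47 affected by ADV-2024-0001",
         "cvss": 7.5, "status": "open"},
    ],
    "DAST": [
        {"id": "DAST-5", "title": "Missing HSTS header",
         "severity": "Low", "status": "open"},
    ],
    "IAST": [
        {"id": "IAST-1", "title": "Path traversal in file download",
         "cvss": 8.8, "status": "fixed"},
    ],
}


def normalise_severity(finding):
    """Map a label or a CVSS base score onto low/medium/high/critical."""
    label = finding.get("severity")
    if label:
        return label.lower()
    score = finding.get("cvss")
    if score is None:
        return "medium"        # unknown severity is treated conservatively
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def blocking_findings(reports):
    """Return (tool, id, severity) for every unfixed finding at or above medium."""
    blocking = []
    for tool, findings in reports.items():
        for finding in findings:
            sev = normalise_severity(finding)
            if SEVERITY_RANK[sev] >= BLOCKING_LEVEL and finding["status"] != "fixed":
                blocking.append((tool, finding["id"], sev))
    return blocking


def delivery_allowed(reports):
    """The product may be accepted only when nothing blocks it."""
    return not blocking_findings(reports)


def mark_fixed(reports, finding_ids):
    """Return a copy of the reports with the named findings set to fixed,
    so the gate can be re-evaluated after the supplier ships a fix."""
    updated = copy.deepcopy(reports)
    for findings in updated.values():
        for finding in findings:
            if finding["id"] in finding_ids:
                finding["status"] = "fixed"
    return updated


if __name__ == "__main__":
    for row in blocking_findings(REPORTS):
        print("blocking:", row)
    print("delivery allowed:", delivery_allowed(REPORTS))
    print("after fixes:", delivery_allowed(mark_fixed(REPORTS, {"SAST-22", "SCA-3"})))
```

Only a status of `fixed` clears a finding; an "accepted" or "won't fix" status still blocks, which matches the wording that no unfixed medium- or high-risk vulnerability may remain at delivery. A finding with neither a severity label nor a score is treated as medium so that missing data cannot pass the gate by accident.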
4. Assessment of supply chain security for open-source software that the software depends on
Companies shall control open-source security, including vulnerabilities in the components on which the software depends both directly and indirectly. As the architecture of software systems becomes more complex, the dependency relationships among the associated open-source components become more intricate. Vulnerabilities in components several dependency levels deep, and vulnerabilities that only appear at runtime, are easily overlooked.
The open-source software ecosystem is now diverse and intricate, so management shall monitor and control the risks of open-source software. Security is a long-term, continuous, and dynamic process. Companies shall establish their own open-source asset registers, combined with SCA, for the security management of open-source software assets. When vulnerabilities are disclosed or patches are released, they shall use assessment and inspection tools to investigate the impact of the vulnerability on their assets, while reinforcing and fixing the affected assets in a timely manner.
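An open-source asset register with transitive impact analysis, as an added example that is not code from the original post: the register records each application's direct dependencies, a dependency graph (of the kind an SCA tool produces) records what each component pulls in, and `affected_assets()` answers the question raised above when a vulnerability is disclosed, namely which applications reach the vulnerable component and by which dependency path, including components several levels deep. The applications, component names and versions are constructed sample data.

```python
"""Open-source asset register with transitive impact analysis.

Added example, not code from the original post. The register, the dependency
graph and every component name and version are constructed sample data.
"""
from collections import deque

# Constructed: direct dependencies declared by each application.
ASSET_REGISTER = {
    "billing-service": ["web-framework@4.1.0", "pdf-render@2.0.3"],
    "inventory-api":   ["web-framework@4.1.0"],
    "batch-reporter":  ["pdf-render@1.8.0", "compress-lib@1.0.0"],
}

# Constructed: each component's own dependencies (the transitive layer),
# as an SCA tool would resolve them.
DEPENDENCY_GRAPH = {
    "web-framework@4.1.0":   ["template-engine@3.2.1", "http-core@1.9.0"],
    "template-engine@3.2.1": ["xml-parse@2.5.0"],
    "http-core@1.9.0":       [],
    "pdf-render@2.0.3":      ["image-codec@0.7.2", "xml-parse@2.5.0"],
    "pdf-render@1.8.0":      ["image-codec@0.6.0"],
    "compress-lib@1.0.0":    [],
    "xml-parse@2.5.0":       [],
    "image-codec@0.7.2":     [],
    "image-codec@0.6.0":     [],
}


def dependency_paths(start, target, graph):
    """All dependency paths from start to target (breadth-first, cycle-safe)."""
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            paths.append(path)
            continue
        for child in graph.get(node, []):
            if child not in path:          # guard against cyclic metadata
                queue.append(path + [child])
    return paths


def affected_assets(vulnerable_component, register, graph):
    """Map each affected application to the paths by which it reaches the
    vulnerable component; applications that never reach it are omitted."""
    result = {}
    for app, direct_deps in register.items():
        paths = []
        for dep in direct_deps:
            paths.extend(dependency_paths(dep, vulnerable_component, graph))
        if paths:
            result[app] = paths
    return result


def remediation_targets(affected):
    """The direct dependencies that must be upgraded or patched per application,
    since the transitive component is fixed by updating what pulls it in."""
    return {app: sorted({path[0] for path in paths}) for app, paths in affected.items()}


if __name__ == "__main__":
    disclosed = "xml-parse@2.5.0"          # constructed: component named in a new advisory
    affected = affected_assets(disclosed, ASSET_REGISTER, DEPENDENCY_GRAPH)
    for app, paths in affected.items():
        for path in paths:
            print(app, "->", " -> ".join(path))
    print(remediation_targets(affected))
```

Keeping the register and graph current (for example by regenerating them from SCA output on every build) is what makes this lookup trustworthy; a stale graph misses exactly the deep dependencies the passage warns about. Matching by exact `name@version` is deliberate here, so that an advisory scoped to a single release does not flag applications already on a fixed version.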
5. Security supervision and governance of trusted software supply chain
The organization under check first needs to obtain security check services and tools from the trusted and secure manufacturers specified by the check organization, to ensure the security compliance of the tools and their sources. It shall then audit its own software assets and output a standardized list of software compositions, code audits, supplier qualifications, and so on, and provide that list to the security management authority for filing and review. During review, the security authority uses standard equipment to audit the software assets, supplier qualifications, development environment, emergency plans, and other items, compares them with the list contents, and puts forward guidance on improvements. This ensures the security and credibility of the whole process.
6. Ecology of trusted software supply chain
As network attack technologies advance, we need to collaborate with others on innovation, actively introduce trusted computing, secure multi-party computation, blockchain, and other technologies, and reform the security product architecture to continuously improve the security of products. With the goal of security assurance throughout the product life cycle, and considering the various links, including component suppliers, product R&D, testing, production, storage, transportation, sales, O&M, and recall, we shall build a security assurance technology system for trusted software and hardware supply chains that utilizes trusted computing, secure multi-party computation, blockchain, and other technologies.
Previous posts on software supply chain security:
- Software Supply Chain Security: Overview
- Threats against Software Supply Chain Security
- The Increasing Trend of Software Supply Chain Attacks
- The Increasingly Complex and Varied Vectors to Attack Software Supply Chain
- Security Concept for Software Supply Chain (Part 1) — Transparency of Software Supply Chain Compositions
- Security Concept for Software Supply Chain (Part 2) — Assessable Capabilities of Software Supply Chain Compositions
- Security Concept for Software Supply Chain (Part 3) – Building Trusted Software Supply Chain