A crop of multi-level upstream and downstream security problems makes software supply chain (SSC) security more complex. It is difficult to assess and control the security of the whole chain only depending on companies, but it is necessary to strengthen the security supervision of the supply chain products, provide companies SBOM hosting and trusted certification services, and build a trusted SSC ecosystem with companies. Specifically, it includes the following three aspects:
1. Provide the software industry with an open and trusted SSC core data (such as software component and component intelligence information) management mechanism
The end user’s SSC security depends on the information of both upstream/downstream companies and software components used by the end users. The higher the transparency of software component information, the smoother the SSC governance. But for software companies, it increases product management costs and security risks. Therefore, it is necessary to develop a set of trusted mechanisms, which can not only encourage software companies to participate in SSC governance, but also ensure the high quality of the basic SSC information to be provided as the core data in the assessment of trusted SSCs.
2. Improve supply chain risk monitoring and management guidelines for the software industry
Companies need to monitor whether there are risks in the software they use, the upstream components they rely on, and whether there are problems with the software platform (such as cloud computing platform) or network infrastructure used in the downstream delivery process. They also need to pay close attention to the open-source software, inventory open-source assets, continuously monitor the open-source software used, and timely reduce security risks. In fact, it is hard for companies to monitor the risks of upstream and downstream supply chains. This requires monitoring high-risk components, software platforms, network infrastructure, and high-risk open sources from the regulatory level. For example, regulators provide blacklists, whitelists, and gray lists to software companies and end users to guide them in SSC risk monitoring and management.
3. Provide trusted SSC security metrics and certification systems for communities
Trusted software suppliers should be evaluated from different dimensions such as trusted demand analysis and design, trusted development, trusted testing, trusted delivery, lifecycle management, open source and third-party management, and configuration management. Qualified companies shall have good SSC security assessment and monitoring capabilities, verification capabilities and risk management capabilities.
Companies also need to improve the supply chain asset management and security inspection. They can use knowledge graph technology to clarify the dependence of the supply chain so that they can calmly respond to potential risks as early as possible.
Previous posts on software supply chain security:
- Software Supply Chain Security: Overview
- Threats against Software Supply Chain Security
- The Increasing Trend of Software Supply Chain Attacks
- The Increasingly Complex and Varied Vectors to Attack Software Supply Chain
- Security Concept for Software Supply Chain (Part 1) — Transparency of Software Supply Chain Compositions
- Security Concept for Software Supply Chain (Part 2) — Assessable Capabilities of Software Supply Chain Compositions