Software supply chain security is one of the key considerations in modern supply chain security. NSFOCUS Security Labs has conducted long-term research on the security of the software supply chain. We would like to publish a series of posts to share our observations, explore the security issues present in the software supply chain, summarize the core concepts, technical framework, and key technologies of software supply chain security, and propose solutions and best practices for supply chain security regulation and control, in the hope of prompting readers to reflect on the software industry and on a healthier ecology for the cybersecurity industry.
The following two points in the software supply chain security should be prioritized:
1. Analysis of the internal causes and functioning mechanisms of supply chain risks should be prioritized and targeted. Recent years have seen a series of security incidents in supply chains. With the broader adoption of SDX (Software-Defined Everything), low-code techniques and similar approaches in the era of digitalization, open-source and modularized software is an inevitable trend. At the same time, the way software is produced and the properties of software itself leave attack surfaces and risk points scattered and unpredictable. For these reasons, the internal drivers and functioning mechanisms of supply chain risks, and the implications of business digitalization, deserve the attention of the cybersecurity field.
2. Countermeasures against risks in the software supply chain should be proposed from the broader perspective of supply chain security. Analyzing software supply chain security issues from the perspective of the industry involved is challenging, because existing security business and business security practices have to be reshaped as the actors driving industry development rely increasingly on digitalization. Therefore, by taking digitalized business as the starting point, broader supply chain security as the focus of observation, and software supply chain security as the basis of observation, industries can position themselves more precisely in securing the development of the cybersecurity industry.
Here are the main takeaways from the post series:
1. Threats exist throughout the life cycle of the software supply chain, and the attack methods and delivery channels are more diverse than in other areas, making the supply chain more vulnerable. Recent years have witnessed a spike in cyberattacks on the software supply chain, and such attacks play an increasingly critical role in security breaches, especially intrusions into the open-source software ecosystem through open-source communities and public open-source repositories. The supply chain security of open-source software is becoming more pressing.
2. To handle threats to the software supply chain, upstream companies need to list the software components contained in their products in order to inventory software supply chain information, providing downstream companies and users with a coherent and transparent basis for managing the software supply chain. Items in a software component list should be divided into opaque, sub-translucent, translucent and transparent groups by granularity. A highly transparent software component list makes a significant leap possible in the accuracy with which end users can assess supply chain security.
3. Software supply chain security should cover the entire lifecycle of software development, since vulnerabilities are introduced not only in the coding phase of the development stage but also through the open-source components, production and build tools that development relies on heavily. Organizations should build security assessment capabilities for the development stage that match how their software is developed and built. At the delivery stage, such organizations should, as suppliers, deliver the software component list to downstream companies while guaranteeing the safety of the delivered software, enabling the whole software supply chain to analyze and assess supply chain security against third-party information such as security advisories and threat intelligence. After delivery of a software product, suppliers should provide warranty service throughout the product's life cycle and eliminate product vulnerabilities in a timely manner. End users should also include the listed software components in the assets they assess and, following vulnerability advisories, reinforce and repair them regularly.
4. Software supply chain risks exist throughout the entire lifecycle of a product. Given the presence of these risks across the whole product life cycle, and the cyberattacks and intrusions into supply chains seen in recent years, certification management of supply chain products needs to be strengthened on the regulatory side, and SBOM hosting and trust services need to be provided to organizations. Organizations should also improve the secure management of the assets that belong to their supply chain. Using an SBOM knowledge graph, for example, they can make the dependency relationships in the supply chain explicit and be prepared before any alert arrives.
5. With continuously evolving technologies and industrial development, the software supply chain has gradually become a vast ecology comprising complex technical systems and diverse product components, as well as developers, suppliers and consumers. The massive emergence of new technologies lifts the scope of software protection from the level of the individual product to the level of the supply chain, which is a significant change in security perspective. The software supply chain as a whole lacks effective supervision, and hoping to achieve security by relying solely on the integrity of individual technicians is no different from a "gamble". It is urgent to establish supply chain security management mechanisms and eliminate unregulated practices, forming a reliable software supply chain system for the benefit of society.
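As an added illustration of points 2 and 4 above (example code written for this page, not NSFOCUS tooling), the snippet below models a small software component list as a dependency graph, using the opaque/translucent/transparent granularity from point 2. Given an advisory naming one component, it walks the graph upward to find every product that transitively includes it, and separately lists opaque components whose contents are unknown and therefore cannot be cleared. All component names are constructed.

```python
from collections import defaultdict, deque

# Constructed SBOM (component names are invented): name -> (transparency, direct dependencies).
# "opaque" follows the post's granularity idea: the supplier provided no component list,
# so whatever that item embeds is unknown to the downstream user.
SBOM = {
    "portal-app":    ("transparent", ["web-framework", "auth-lib", "vendor-blob"]),
    "report-app":    ("transparent", ["web-framework"]),
    "web-framework": ("transparent", ["json-parser", "logging-lib"]),
    "auth-lib":      ("translucent", ["crypto-lib"]),
    "crypto-lib":    ("transparent", []),
    "json-parser":   ("transparent", []),
    "logging-lib":   ("transparent", []),
    "vendor-blob":   ("opaque", []),
}

def dependents_index(sbom):
    """Invert the SBOM: component -> set of components that directly depend on it."""
    index = defaultdict(set)
    for name, (_, deps) in sbom.items():
        for dep in deps:
            index[dep].add(name)
    return index

def affected_by(sbom, vulnerable):
    """Every component that transitively includes `vulnerable` (breadth-first over dependents)."""
    index = dependents_index(sbom)
    seen, queue = set(), deque([vulnerable])
    while queue:
        current = queue.popleft()
        for parent in index.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def unassessable(sbom):
    """Opaque components: no component list exists, so exposure cannot be ruled out."""
    return {name for name, (level, _) in sbom.items() if level == "opaque"}

def impact_report(sbom, vulnerable):
    """Triage view for an advisory naming `vulnerable`: confirmed exposure vs. unknown."""
    return {
        "confirmed": sorted(affected_by(sbom, vulnerable)),
        "unknown": sorted(unassessable(sbom)),
    }

if __name__ == "__main__":
    print(impact_report(SBOM, "json-parser"))
```

The "unknown" list is the practical cost of opaque entries: the more of the component list is transparent, the smaller that list becomes and the more precisely a downstream user can scope an advisory.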