• Latest
  • Trending
  • All
Your Software Supply Chain Is A Security Nightmare

Your Software Supply Chain Is A Security Nightmare

December 15, 2019
Last Mile Delivery Market Worth Observing Growth | UPS, FedEx, SF Express

Last Mile Delivery Market Worth Observing Growth | UPS, FedEx, SF Express

April 23, 2024
Top 5 Spend Analysis Software ranked in 2024

Top 5 Spend Analysis Software ranked in 2024

March 1, 2024
How Tesla And BMW Are Leading A Supply Chain Renaissance With Blockchain

How Tesla And BMW Are Leading A Supply Chain Renaissance With Blockchain

January 19, 2024
LATAM Cargo strengthens European cargo links

LATAM Cargo strengthens European cargo links

April 14, 2020
Ford making reusable hospital gowns from airbag materials as efforts against coronavirus expand

Ford making reusable hospital gowns from airbag materials as efforts against coronavirus expand

April 14, 2020
Don’t Sweat NBC’s Decision to Cut Back on Television Ad Inventory

Don’t Sweat NBC’s Decision to Cut Back on Television Ad Inventory

April 14, 2020
Software firms sharpen focus on AI, big data as IT spending drops

Software firms sharpen focus on AI, big data as IT spending drops

April 14, 2020
Navigating turbulent times in your supply chain (TL:DR version)

Navigating turbulent times in your supply chain (TL:DR version)

April 14, 2020
Last Mile Delivery by Drones Market is Booming Worldwide

Last Mile Delivery by Drones Market is Booming Worldwide

April 14, 2020
AIR CARGO MARKET SIZE, SHARE, DEMAND, TREND, LATEST INNOVATIONS & APPLICATION ANALYSIS AND INDUSTRY GROWTH FORECAST 2027 – Science In Me

AIR CARGO MARKET SIZE, SHARE, DEMAND, TREND, LATEST INNOVATIONS & APPLICATION ANALYSIS AND INDUSTRY GROWTH FORECAST 2027 – Science In Me

April 14, 2020
Wheat procurement in Patiala: 6,500 coupons issued to farmers – cities

Wheat procurement in Patiala: 6,500 coupons issued to farmers – cities

April 14, 2020
Pandemic, Plastics And The Continuing Quest For Sustainability

Pandemic, Plastics And The Continuing Quest For Sustainability

April 14, 2020
  • Supply Chain
  • Logistics
  • Warehousing
  • Procurement
  • Shipping
  • More
    • Strategic Sourcing
    • Spend Analysis
    • Inventory
    • Contact Us
No Result
View All Result
United States International Supply Chain Commission
United States International Supply Chain Commission
Home Supply Chain

Your Software Supply Chain Is A Security Nightmare

by usiscc
December 15, 2019
in Supply Chain
0
Your Software Supply Chain Is A Security Nightmare
492
SHARES
1.4k
VIEWS
Share on FacebookShare on Twitter

In 1998, I testified before the Senate about the lack of understanding software vendors like Microsoft had about the vulnerabilities in their code — and how those mistakes could be leveraged by attackers. More than two decades later, although a lot has changed, we are still essentially facing the same problems.

At Veracode, we recently discovered in our new “State of Software Security” report that 83% of applications have at least one flaw, and there’s a long and growing tail of flaws that are identified but not remediated.

Today, software is in everything, and third-party software is part of every development environment. The people architecting the next generation of cloud applications are building them with large numbers of microservices, open source components and APIs.

While many enterprises have developed robust testing processes for internal software applications, those programs typically don’t include security scanning on third-party and open source software. This testing is often presumed to be secure or is overlooked in application security testing, which leaves a wide-open gap in an organization’s security strategy.

This is part of the reason why the software supply chain can represent tons of risk and leave organizations exposed. Every single business has this problem, and it’s getting worse over time because everything keeps getting more fragmented, more distributed and faster.

How Much Risk Are We Talking About? 

Major breaches can occur from vulnerabilities in the smallest of programs. Third-party software used in nonmission-critical applications may not be properly checked for vulnerabilities. So, just how much risk from backdoor breaches and advanced threats targeting the application layer are we talking about? For many companies with large networks of vendors, the risk is much bigger and more serious than they realize.

To share an example, one of our clients (a global industrial manufacturing company) conducted an ad hoc audit of its third-party software and found more than 90% of its purchased applications had critical security vulnerabilities. In response, the company used an application security solution to get the problem under control, and after working with 100 of its vendors over one year, it fixed more than 10,000 vulnerabilities.

Five Ways To Secure Your Software Supply Chain

Modern development life cycle is like spaghetti: it is complex, interwoven and never follows a straight line. We can’t ignore the security behind all of that code. Risk permeates our supply chains at multiple levels, and when software is dependent upon the security of other software products, open source components and APIs, organizations must hold one another accountable for security of the software supply chain.

There is no easy solution, but there are several things businesses can all do to improve the security of the software supply chain:

1. Specify security expectations in contracts upfront: Consider the suggestions in this list as potential security requirements in your third-party vendor contracts. This could mean that you require proof of a third-party security assessment or detailed internal security processes to be run on the code behind each API. Make it contractual, and do it upfront.

2. Demand continuous assessment with the right level of transparency: To keep up with rapidly changing and deeply layered software supply chains, security scanning needs to be ongoing. There is readily available technology to automate the detection and remediation of security flaws. You can request that your third-party vendors provide security specifications alongside their APIs and that they are continuously maintained. Remember that software development is continuous, and software security testing needs to take place during all phases.

3. Talk to developers directly: Third-party software compliance is often done through checklists sent to the vendor, and the person filling out the checklist is likely in the sales department. Speaking directly with the people who created software can ensure that your questions and requests are fielded by someone who fully understands them.

4. Outsource some testing: Many other industries require independent audits and assessments related to product safety. Why should software be any different? It’s easy to assume third-party software was checked by their developers. But this testing process tends to be static over time, while the threat landscape is constantly changing. By outsourcing at least some testing to a professional InfoSec business, enterprises can ensure all applications are fully tested for vulnerabilities that could be exploited.

5. Utilize existing standards: When analyzing third-party software, it’s critical to have a basis for your testing. Standards like the OWASP Top 10 are a common way to check against the most frequent application vulnerabilities. Using components with known vulnerabilities or failing to update software can introduce significant security risks, as cybercriminals are constantly seeking vulnerable applications. Businesses should also monitor sources like Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD), but even these will not capture all of the known vulnerabilities that could be affecting your software.

Safer Software, Safer World

The need for physical security is obvious: You don’t want people to sneak into your building and tamper with your controls. But digital security, while less visible, is just as critical. Bad actors can sneak in through a digital network path and access those controls just as easily as if they’d slipped through an unlocked side door.

Are you background checking your software supply chain? This is especially important for service providers that have digital access to your controls — it’s as if they have a keycard to your private facility.

It’s going to take everyone — commercial software providers, enterprises, independent third-party assessors and security researchers — working together to create secure software and a safer world.

Share197Tweet123
usiscc

usiscc

  • Trending
  • Comments
  • Latest
‘Significant opportunity’ in Asia as supply chain integrates, consolidates

‘Significant opportunity’ in Asia as supply chain integrates, consolidates

January 3, 2020
Last Mile Delivery Market Worth Observing Growth | UPS, FedEx, SF Express

Last Mile Delivery Market Worth Observing Growth | UPS, FedEx, SF Express

April 23, 2024
3 keys to mitigating severe supply shortages from coronavirus disruption

3 keys to mitigating severe supply shortages from coronavirus disruption

March 18, 2020
Art Battle Wichita Falls III at The Warehouse, 1401 Lamar.

Art Battle Wichita Falls III at The Warehouse, 1401 Lamar.

0
Global Industry Analysis, Size, Share, Growth, Trends, and Forecasts 2016–2024 – ZMR News Reports

Global Industry Analysis, Size, Share, Growth, Trends, and Forecasts 2016–2024 – ZMR News Reports

0
PHOTOS: Ottawa firefighters respond to warehouse fire

PHOTOS: Ottawa firefighters respond to warehouse fire

0
Last Mile Delivery Market Worth Observing Growth | UPS, FedEx, SF Express

Last Mile Delivery Market Worth Observing Growth | UPS, FedEx, SF Express

April 23, 2024
Top 5 Spend Analysis Software ranked in 2024

Top 5 Spend Analysis Software ranked in 2024

March 1, 2024
How Tesla And BMW Are Leading A Supply Chain Renaissance With Blockchain

How Tesla And BMW Are Leading A Supply Chain Renaissance With Blockchain

January 19, 2024
  • Privacy Policy
  • Terms of Use
  • Disclaimer
  • DMCA
  • Contact Us

Copyright © 2024 United States International Supply Chain Commission (usiscc.org)

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non-necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.

SAVE & ACCEPT
No Result
View All Result
  • Supply Chain
  • Logistics
  • Warehousing
  • Procurement
  • Shipping
  • More
    • Strategic Sourcing
    • Spend Analysis
    • Inventory
    • Contact Us

Copyright © 2024 United States International Supply Chain Commission (usiscc.org)