Supply chain compliance is a hot topic right now for government agencies and their contractors. It should, however, be on the mind of any business that uses software and technology suppliers.
In fact, U.S. President Joe Biden recently issued two executive orders addressing cybersecurity in the software supply chain, prompted by the dramatic increase in attacks against technology providers. The first addressed America’s supply chains, while the second discussed necessary improvements in cybersecurity.
For example, the Interstate Technology and Regulatory Council identified supply chain cyber attacks at 27 third-party vendors, which affected 137 U.S. organizations and seven million individuals, in the first quarter of 2021 alone. Nineteen such attacks happened in Q4 2020. The numbers simply can’t be ignored.
Failure to address cyber supply chain risk management can result in:
- Software supply chain attacks
- Regulatory penalties for compliance failures
- Disruption of business continuity
- Reputational damage
- Loss of revenue or the right to operate the business entirely
Before we get into the ways that you can prevent security vulnerabilities within your software components and suppliers, let’s clarify the meaning and importance of software supply chain security.
What Is Software Supply Chain Security?
When we talk about software supply chain security, we are talking about the process of identifying, analyzing, monitoring, and mitigating security risks, vulnerabilities, and compliance issues posed by third-party software vendors within an organization’s supply chain.
As it relates to software supply chain risks, a software supply chain incorporates any vendor in your ecosystem that affects your software code. This could be software development agencies and source code developers, application security providers, automation functionality, API connections, and deployment environments.
This is important because of the nature of today’s software development environment: it depends heavily on using open-source software code from somewhere else. Yes, that reliance on other sources drives IT development and economic growth, but each “dependency” also brings risk — and, according to the 2020 GitHub State of the Octoverse report, your average software repository had more than 200 dependencies.
Since open source code is code that you didn’t write, you must implement a thorough vetting process for every source. Let’s take a look at some best security practices for managing your software supply chain.
Best Practices for Software Supply Chain Security
Leveraging code from open source developers has many benefits, but it also means that potentially thousands of developers have access to your production environment. That greatly expands your attack surface.
Therefore, any unpatched software updates, malicious code, malware, or other vulnerabilities can jeopardize your organization’s information security stance. These opportunities provide cybercriminals an opportunity to create a backdoor that will allow them to circumvent your security measures over time and possibly remain unnoticed.
To avoid these missteps, we’ve compiled a number of best practices based on guidance from the National Institute of Standards and Technology (NIST).
The following are some common industry checkpoints to consider for your vendor risk management (VRM) program.
- Define your organization’s overall risk strategy and tolerance first.
- Translate the risk and corresponding security requirements into the software development process and life cycle.
- Assure all team members are educated on secure software development, open-source security, and DevSecOps practices.
- Establish monitoring parameters for security risks.
- Include security, privacy, document management, and compliance requirements in every RFP and supplier contract.
- Once you’ve onboarded a new vendor, assign a liaison from your security team to address any additional security concerns or vulnerabilities.
- Include protocols for how to notify appropriate stakeholders in the event of even a “minor” vendor breach, so that re-assessments can be considered based on risk.
- Employ a “one strike and you’re out” policy for vendor deliverables that don’t adhere to your specifications.
- All vendor components and any open-source software must be pre-approved, supervised, and controlled.
- Updates or patches cannot be implemented until the vendor key contact has confirmed that no issues were identified in pre-production testing.
- Use automation for as many of your repetitive tasks to reduce the risk associated with human intervention. Require suppliers to adhere to your automation guardrails and policies.
- Assure tracking and internal auditing procedures for all security operations are in place.
- Exercise tight control on any systems accessed by your vendors and data accessed by team members.
- Assure physical access to systems is monitored and vendors are escorted.
How Is Software Supply Chain Security Related to SCRM?
Software supply chain security goes hand in hand with supply chain risk management (SCRM), since your security measures will offer a means of mitigation for your supply chain risks. Particularly in software, much of the associated risk involves cybersecurity vulnerabilities, and this insight should be the driver for your security program.
How Can GRC Help Software Supply Chain Security?
Proper vetting of your software vendors and review of their security risks can be time-consuming and expensive. This is particularly true if you’re still using spreadsheets and attempting to manage your vetting process manually.
With GRC management software, you can streamline vendor risk management and implementation of your security objectives by automating repetitive, tedious administrative tasks.
Furthermore, our SCRM templates provide a framework to evaluate vendor risk properly, while our user-friendly dashboard centralizes your monitoring efforts in real-time so you always know where you stand.
ZenGRC automates your risk management workflows so you can quit sweating the details, and focus on tasks that grow your business, like nurturing your vendor relationships and creating a collaborative environment that allows you both to thrive.
Worry-free vendor risk management is the Zen way. Find out more by booking a free demo of our software today.