Supply Chain Council of European Union | Scceu.org

Building trust in software supply chain

JUST because the component you add to your application is secure today doesn’t mean that the application will still be secure tomorrow.

That’s due in large part to the complexity of the software supply chain: the mix of proprietary and open source code, APIs and user interfaces, application behavior, and deployment workflows that go into building software applications.

For enterprises developing software, a security issue at any point along this chain, at any time, could put your organization and your customers at risk. How can you ensure your software supply chain is secure, and prove it?

Codebase, supply chain security risk

A flaw anywhere in the supply chain cascades out from the point of origin of the vulnerability or breach, sometimes all the way to the end user, and it can have devastating impacts. Because of its complexity and connectivity, the software supply chain presents an ever-expanding attack surface. For example, threat actors could take advantage of compromised software and the frequent communication across networks to get privileged access to networks and organizations. That enables these bad actors to bypass perimeter security and appear as legitimate users or accounts, and once inside — and with permissions — they could wreak havoc.


Do you know the composition of the software in your applications — including both open source and proprietary code? Do you know which components and versions they use? Open source software is everywhere; it’s a critical component in all modern application development. Our analysis of commercial codebases in the Synopsys “Open Source Security and Risk Analysis” report shows that almost all (98 percent) codebases contain open source software. And that number is 100 percent in the energy and clean tech, cybersecurity, Internet of Things, and computer hardware and semiconductor industries. The report also shows that 81 percent of codebases contain at least one known open source vulnerability.

As a result of the prevalence of open source software, the supply chain is more complicated and obscure, and involves more links and dependencies than ever before. The only way to mitigate the risk is to maintain visibility into the open source software in use and address the areas of risk as they are identified.

Additionally, your proprietary code is written by developers, who tend to not have much security experience or training. Similar to open source software, the risks of proprietary code are complex and could be difficult to identify, even by seasoned security experts. However, these vulnerabilities in your own code could serve as entry points to sensitive data and systems. This is why it’s so important to secure proprietary software alongside third-party code in an application.

Software supply chain attacks

Hackers are increasingly targeting the supply chain because there is a high return on investment. And because hackers are getting what they want, these attacks are becoming more mainstream. Gartner predicts that by 2025, 45 percent of organizations worldwide will have experienced attacks on their software supply chain. And because of the dependencies and connectivity, flaws and vulnerabilities in applications create risk for organizations several degrees away from the initial attack vector.

Building trust with a software bill of materials

The way to secure the software supply chain and build trust with your customers and suppliers is to take a proactive approach to securing the software supply chain with a software Bill of Materials (SBOM). An SBOM, often generated by a software composition analysis tool, is a comprehensive inventory of the components used to make up a piece of software. It lists all the open source and proprietary code, associated licenses, versions in use, and patch status. A more complete SBOM also includes download locations for components and dependencies, and any subdependencies the dependencies link to. The specific items and amount of detail included in an SBOM depend on the organization and its clients and partners, any relevant regulatory agencies, and what information they need. This data is intended to be shared across companies and communities, to enable other organizations to create their own complete software Bill of Materials.
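As an added illustration of the visibility the two passages above describe (it is not code from the article or from Synopsys), the following Python walks a constructed dependency graph, records every component once with every path through which it is pulled in, and then marks patch status against a constructed advisory list. All package names, versions, licenses and advisory ids are made up for this example; a real tool would read a lock file and a live vulnerability feed.

```python
from dataclasses import dataclass, field

# Constructed dependency graph: name -> (version, license, direct dependencies).
# Every name, version and license here is invented for the example.
GRAPH = {
    "my-app":          ("1.0.0", "Proprietary",  ["web-framework", "log-lib"]),
    "web-framework":   ("4.2.1", "MIT",          ["json-parser", "template-engine"]),
    "template-engine": ("2.0.3", "BSD-3-Clause", ["json-parser"]),
    "json-parser":     ("0.9.7", "Apache-2.0",   []),
    "log-lib":         ("3.1.0", "MIT",          []),
}

# Constructed advisory feed: (package, vulnerable version, fixed version, id).
ADVISORIES = [
    ("json-parser", "0.9.7", "0.9.8", "ADV-EXAMPLE-001"),
    ("log-lib",     "2.4.0", "2.4.1", "ADV-EXAMPLE-002"),  # does not match our version
]

@dataclass
class Component:
    name: str
    version: str
    license_id: str
    paths: list = field(default_factory=list)  # each route that pulls this component in
    patch_status: str = "up to date"

def build_sbom(root):
    """Depth-first walk of GRAPH: one inventory entry per component, but every
    path is kept so a subdependency reached twice shows both routes."""
    sbom = {}
    def walk(name, path):
        version, lic, deps = GRAPH[name]
        comp = sbom.setdefault(name, Component(name, version, lic))
        comp.paths.append(" -> ".join(path + [name]))
        for dep in deps:
            walk(dep, path + [name])
    walk(root, [])
    return sbom

def apply_advisories(sbom, advisories):
    """Mark components whose recorded version matches an advisory and
    return the list of affected components."""
    for pkg, bad_version, fixed_version, adv_id in advisories:
        comp = sbom.get(pkg)
        if comp and comp.version == bad_version:
            comp.patch_status = f"VULNERABLE {adv_id}: upgrade to {fixed_version}"
    return [c for c in sbom.values() if c.patch_status != "up to date"]
```

Note that json-parser never appears in my-app's own manifest; it is only visible because the inventory follows subdependencies, which is the point of the more complete SBOM described above.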

Hardening the supply chain

Security is only as strong as its weakest link. The software supply chains that build today’s modern applications are intricate and complicated, and any security issues along the chain could leave your organization, or your customers, at risk of an attack. To gain the trust of your consumers and comply with industry standards and regulations, you must harden your supply chain against security threats — and demonstrate that you’ve done it. Learn more about what a software supply chain looks like, the risks involved, and how to build a comprehensive approach to supply chain security so your organization is not the weakest link.

Mike McGuire is a senior product marketing manager at Synopsys, an American electronic design automation company that focuses on silicon design and verification, silicon intellectual property, and software security and quality.
