Creating a new strategy for today’s software supply chain security

Over the past few months, major cyber attacks such as Solarwinds and Colonial Pipeline have spurred the Biden administration into action, with executive orders kickstarting a new wave of cybersecurity regulations. Notable among the ambitious plans is the focus on securing the software supply chain and the required creation of a software bill of materials (SBOM).

The imminent arrival of guidelines of standards for vendors to test their codebase has organizations rushing to evaluate all software components in their supply chain -- if they haven’t already begun. However, this is just the first step and more regulations will be rolled out through the year as more cyberattacks take place. For now, it’s time for organizations to formulate a new supply chain security strategy for the cybersecurity challenges of today, and to lay the foundation for the future.

In light of this, here are three things organizations should consider in formulating a new supply chain security strategy:

Shifting Security Left

The concept of shift left has been implemented in recent years as a way to maintain a high level of security throughout the development cycle, without slowing down the pace of development. By bringing security testing into the development lifecycle, developers can detect and fix vulnerabilities early, which can help ensure that security is baked into the product from the earliest stages of development.

Unfortunately, this framework requires developers to take on security-related tasks on top of their already heavy workload. Not only will developers have to learn how to use application security testing tools to scan their software projects, but then address an ever-expanding list of security alerts. Most developers lack the necessary knowledge needed to prioritize and then remediate these flaws. This can lead to alert fatigue and a buildup of security debt as dev teams are overwhelmed by their new security responsibilities.

As companies continue to implement shift left methodologies to help secure their supply chain, they must ensure that developers are fully supported -- not only in the adoption of vulnerability detection tools, but also in remediating and preventing vulnerabilities.

Automated Security Testing

With new guidelines around supply chain security and the need to support the adoption of a DevSecOps framework, companies must leverage automated application security testing tools more than ever.

For example, as open source components have become the basic building blocks of software products, platforms like npm, RubyGems, and PyPI become an integral part of the software supply chain. Over the past few years, the collaborative nature of these and other popular package managers and repositories has also opened the door to new software supply chain security risks, as demonstrated by the much-publicized dependency confusion vulnerability.

Rather than looking at each and every downloaded file, developers can use an automated tool to flag malicious or suspicious packages and even block them from entering their software build. Having automated solutions for the prevention of supply chain attacks relieves developers of tedious workloads and assists in addressing security skill gaps.

In addition to detection and prevention of supply chain security threats, automated tools can also speed up other tasks such as the creation of SBOMs. In the face of new regulations and requirements, implementing automated appsec tools helps teams across the organization save time and resources -- from R&D, to security, to legal and compliance.

Ease of Implementation

The recent executive orders encourage organizations to quickly adapt and implement new technologies, but considerations must be made on how easily they can be utilized. Tools that require a large investment in time and training can be difficult to properly implement or even counterproductive if given to an overburdened dev team.

Juggling multiple tools can also be counterproductive – adding unnecessary complexity to a toolkit meant to make automated solutions more practical and useful. It’s up to IT leaders to bring developers, security, and other stakeholders together to determine what technology will provide the best shared visibility into the challenges of their software supply chain – without slowing teams down or adding to their workload.

Updating Your Supply Chain Security Policies Requires All Hands on Deck

With cyberattacks becoming more sophisticated than ever, businesses and government organizations must secure their supply chain now before they are exploited. Although the orders are directed to vendors within the federal government network, all companies should heed the call to action.

It’s important to remember that the approaches described here must be informed by a carefully thought out application security strategy that takes into account not only these impending deadlines, but also the impact of security measures on the organization as a whole.