There are many factors that business leaders must take into account when developing their software supply chains. Obviously, financials are a factor, as are reliability, convenience and support.
One key issue that has frequently been overlooked is security. As supply chains become more complex and software-dependent, the risk of a data breach grows. An organization that works with vulnerable code from a third-party supplier will be in serious danger of experiencing a major security incident.
Recently, Dark Reading highlighted both the danger posed by unreliable supply chain security and the critical steps that companies can take to protect themselves. Key to such efforts is the use of preventive tools, such as static analysis and open source scanning solutions.
Supply chain vulnerability
As the news source noted, one of the most significant data breaches in history – last year's attack on Target – originated with a supply chain security issue. Cybercriminals gained access to a third-party service provider, which in turn allowed them to steal 110 million records from Target itself. The damage wrought by this attack was devastating, and it is still unfolding in the form of ongoing litigation and a severely tarnished reputation.
The problem when it comes to supply chain security, as Dark Reading reported, is that most companies struggle to gain visibility into third-party suppliers' security practices. This is true even when organizations rely heavily on these partners for mission-critical services. And considering the number of firms that may be involved in an enterprise's supply chain, it may be difficult, or even impossible, to examine each partner individually, as Steve Schlarman, strategist for compliance and security at RSA, told the news source.
"I have seen customers that have hundreds of vendors in their ecosystems. Digging into every one to get 95 percent confidence in the controls will never happen," he said, Dark Reading reported.
With that in mind, it is essential for businesses in every industry to take proactive steps to protect themselves from the risks posed by supply chains.
A major component of such an effort should be the implementation of high-quality code evaluation tools. In most cases, this should include both static analysis and open source scanning solutions. These tools are invaluable, as they allow a company to identify potential security flaws embedded in third-party suppliers' code early on, before these vulnerabilities find their way into the final product.
One of the key benefits of these solutions is that they are automated. This means that companies can forgo the tedious, untenable process described by Schlarman and still succeed at identifying problems that demand attention. Without these resources in place, organizations will struggle to ensure that third-party code is truly reliable.
Companies should also take steps to protect their in-house data, Dark Reading asserted. Specifically, the source recommended a layered defense strategy, one that incorporates a firewall and data encryption measures. Encryption is particularly important, as this can ensure that sensitive corporate data remains protected even if it is accessed by an unauthorized user.
The source further emphasized the need for businesses to keep close track of precisely which third parties have access to corporate computer systems and networks. Depending on the nature of the specific enterprise and its supply chain, it is very possible that some third parties will require a high degree of access.
However, there is no reason for this level of access to extend to every member of the supply chain. Instead, companies should thoroughly consider their relationships and make access decisions on a case-by-case basis.