Software supply chain attacks have long been a concern for some cybersecurity professionals, but the conversations surrounding supply chain risk management have become more mainstream due to this year’s headlines detailing highly disruptive attacks (SolarWinds, Colonial Pipeline). Just last month we saw multiple stories about supply chain attacks that were reportedly launched by Lazarus, an advanced persistent threat (APT) group believed to be based in North Korea.
It’s clear that software companies will be taking a closer look at their supply chain security practices in the coming year, especially federal departments, agencies, and contractors that are affected by President Biden’s Executive Order (EO) 14028, which focuses heavily on supply chain security. While the EO doesn’t obligate businesses to test their software in specific ways or meet specific requirements, it does obligate the National Institute of Standards and Technology (NIST) and other agencies to create specific guidelines, and eventually the Office of Management and Budget will incorporate those guidelines into acquisition rules for companies doing business with the U.S. federal government. For companies not directly working with the U.S. government, these same guidelines are likely to become a de facto baseline for how software is built, tested, secured, and operated.
Whether you’re doing business with the government or not, it’s critical for your organization to review your supply chain security practices. Software risks are business risks—and protecting your bottom line means identifying and managing security issues at every point in the software supply chain.
Watch our latest episode of AppSec Decoded featuring Sammy Migues, principal scientist at Synopsys and coauthor of the BSIMM report, and Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center (CyRC), as we discuss why the software supply chain is an inviting target for hackers and how companies can implement a proactive approach to software supply chain security with security activities that won’t slow down innovation.