CIOReview | 9 JUNE 2023

Although the term "software supply chain" can mean the full set of services and software being used, at the lower levels of development there is a complex set of dependencies that are used to build specialization in the software

have been used by the attackers to compromise the integrity of Okta's source code. To address these types of concerns at the national level, the White House in 2021 issued Executive Order 14028, the Executive Order on Improving the Nation's Cybersecurity. In this EO the White House focused on the supply chain and on how software is managed, acquired, deployed, and used by federal departments and agencies. Specifically, it requires the software purchaser (in this case the federal agency) to ensure that the software producer has followed a risk-based approach to securing its software. This allows the purchaser to make a well-informed decision about the software it is about to procure. Although this EO only addresses federal entities, this type of requirement is quickly becoming a de facto standard for non-government entities as well. Those of us who work in application or product security are no strangers to being pressed on our processes for ensuring that the software we deliver is free from risk and vulnerabilities.

You may find yourself in one of the organizations needing to attest to the security of your software, or you may simply be looking to secure your software dependencies. Here are some simple steps to consider:

· Ensure that the dependencies you are using come from a reputable source and are well maintained. Ideally, the source will be able to notify you in the event that the component it offers becomes compromised.

· Build an inventory of the software and the dependencies you have in-house, and have the ability to update that inventory dynamically as new software is developed. Often you can find support for this in the source code manager (SCM) that you use, or you can use a third-party tool to track and manage your dependencies.

· Have a process for monitoring for new vulnerabilities that can impact your software and its dependencies. This can be done through services that monitor the NVD (National Vulnerability Database), or through the tool you chose in the previous step.

· Have a process to patch, test, and deploy new dependency versions as they become available. When new vulnerabilities are disclosed in these dependencies, the remediation is often to upgrade to the newest version. Attackers move rapidly to take advantage of a newly disclosed vulnerability, and exploit code is often available within hours of public disclosure. For an organization that needs days or weeks to patch and deploy, this can spell trouble.

· Have a process to replace components that are abandoned or sunset by their developer. Much like the software you create, other components have a shelf life that the consuming organization needs to consider.

Whether or not you use a tool to manage and monitor your dependencies, addressing security in the software supply chain requires quick detection and remediation to reduce your organization's risk and exposure.

Derek Fisher
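The inventory, monitoring, patching and replacement steps above can be strung together into one small audit. The following is an added example written for this page; it is not the author's code or any vendor tool. It builds the inventory from a pinned pip-style lockfile, matches it against a vulnerability feed in the shape of OSV/NVD version ranges, flags components with no release for two years as abandoned (an assumed threshold), and emits an upgraded lockfile to hand to test and deploy. The lockfile, the advisory records (EXAMPLE-2023-000x), the release dates and the audit date are all constructed samples, not real advisories, and the version comparison is a simplified one rather than full PEP 440.

```python
"""Dependency inventory and vulnerability triage (added example, not from the article).

All inputs below are constructed samples: the advisory IDs, affected ranges,
release dates and audit date are illustrative, not real advisories.
"""
from datetime import date

# Constructed sample lockfile in pip "requirements.txt" style (name==version).
LOCKFILE = """\
# pip freeze output (constructed sample)
requests==2.28.1
urllib3==1.26.5
PyYAML==5.4.1
leftpad-ish==0.3.0
"""

# Constructed feed shaped like OSV/NVD range data: a version is affected when
# introduced <= version < fixed.  These records are hypothetical.
VULN_FEED = [
    {"id": "EXAMPLE-2023-0001", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.18"},
    {"id": "EXAMPLE-2023-0002", "package": "pyyaml", "introduced": "0", "fixed": "6.0.1"},
    {"id": "EXAMPLE-2023-0003", "package": "requests", "introduced": "2.30.0", "fixed": "2.31.0"},
]

# Constructed "last release" dates, as a package index would report them.
LAST_RELEASE = {
    "requests": date(2023, 5, 22),
    "urllib3": date(2023, 5, 23),
    "pyyaml": date(2023, 1, 18),
    "leftpad-ish": date(2018, 3, 2),
}

# Constructed date on which the audit is run.
AUDIT_DATE = date(2023, 6, 9)


def parse_version(text):
    """'1.26.5' -> (1, 26, 5, 0, 0). Non-numeric parts count as 0 and the tuple is
    padded so '1.26' and '1.26.0' compare equal (simplified, not full PEP 440)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 5:
        parts.append(0)
    return tuple(parts[:5])


def parse_lockfile(text):
    """Inventory step: {normalised package name: pinned version}."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:  # unpinned lines cannot be inventoried exactly, so they are skipped
            inventory[name.strip().lower()] = version.strip()
    return inventory


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))


def triage(inventory, feed, last_release, today, abandoned_after_days=730):
    """Monitoring and replacement steps: one finding per matching advisory, plus a
    'replace' finding for any component with no release in abandoned_after_days
    (an assumed threshold) or unknown to the index at all."""
    findings = []
    for name, version in inventory.items():
        for vuln in feed:
            if vuln["package"] == name and is_affected(version, vuln["introduced"], vuln["fixed"]):
                findings.append({"package": name, "installed": version, "action": "upgrade",
                                 "to": vuln["fixed"], "advisory": vuln["id"]})
        released = last_release.get(name)
        if released is None or (today - released).days > abandoned_after_days:
            findings.append({"package": name, "installed": version, "action": "replace",
                             "last_release": released})
    return findings


def upgraded_lockfile(text, findings):
    """Patch step: rewrite affected pins to the fixed version, leaving everything
    else (comments, unaffected pins, original name casing) untouched."""
    fixes = {f["package"]: f["to"] for f in findings if f["action"] == "upgrade"}
    out = []
    for line in text.splitlines():
        name, sep, _ = line.strip().partition("==")
        key = name.strip().lower()
        out.append(f"{name.strip()}=={fixes[key]}" if sep and key in fixes else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    inventory = parse_lockfile(LOCKFILE)
    findings = triage(inventory, VULN_FEED, LAST_RELEASE, AUDIT_DATE)
    for finding in findings:
        print(finding)
    print(upgraded_lockfile(LOCKFILE, findings))
```

Run against the constructed inputs, the audit reports two upgrades (urllib3 and PyYAML) and one replacement (the component with no release since 2018), and leaves the requests pin alone because its installed version falls outside the advisory's affected range. In a real pipeline the lockfile would be read from the repository, the feed would come from the NVD or OSV service chosen in the monitoring step, and the upgraded lockfile would be committed to a branch for the test and deploy step.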