Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by Guilherme (Gui) Alvarenga
How GitHub Uses GitHub to Be Productive and Secure
May 31st 2023 10:30am, by Loraine Lawson
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by Steven J. Vaughan-Nichols
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Paketo Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by Joe Fay
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by Keith Pijanowski
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by Jennifer Riggins
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
LangChain: The Trendiest Web Framework of 2023, Thanks to AI
Jun 1st 2023 10:57am, by
30 Non-Trivial Ways for Developers to Use GPT-4
Jun 1st 2023 9:39am, by
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by
Where Does Trace-Based Testing Fit in the Testing Pyramid?
Jun 5th 2023 7:52am, by
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by
Python and WebAssembly: Elevating Performance for Web Apps
Jun 5th 2023 3:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
Bringing AI to the Data Center 
Jun 1st 2023 6:13am, by
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by and
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
Meta-Semi Is an AI Algorithm That 'Learns How to Learn Better'
Jun 6th 2023 3:00am, by
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by
Google’s Generative AI Stack: An In-Depth Analysis
May 31st 2023 7:59am, by
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by
Compiled Python Code Used in a New PyPI Attack
Jun 2nd 2023 6:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
PyPI Strives to Pull Itself Out of Trouble
Jun 1st 2023 11:43am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
How to Host Your Own Platform as a Product Workshop
May 31st 2023 9:09am, by Jennifer Riggins
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by Carrie Tang
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by B. Cameron Gain
The Cedar Programming Language: Authorization Simplified
Jun 2nd 2023 6:07am, by Alex Williams
How to Improve Operational Maturity in an Economic Downturn
May 31st 2023 8:30am, by Jonathan Rende
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by Joao Pedro Voltani and Joao Granzotti
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by David Cassel
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by David Eastman
Defend Open Source from Trolls: Oppose Patent Rule Changes
Jun 2nd 2023 6:49am, by Michael Dolan
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by David Cassel
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
Open Source Jira Alternative, Plane, Lands
Jun 2nd 2023 9:00am, by Darryl K. Taft
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
My Further Adventures (and More Success) with Rancher
Jun 3rd 2023 7:00am, by Jack Wallen
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Edge Computing / Security

9 Supply Chain Security Best Practices

In this post, we share the top supply chain security best practices every organization should follow for optimal results.
Dec 29th, 2022 6:00am by
Featued image for: 9 Supply Chain Security Best Practices

It seems like everyone’s talking about the supply chain. Worse — they’re talking about how it’s never been so disrupted. Supply chain disruptions are up by 46% from the first half of 2021, and experts say we won’t see relief anytime soon.

While no one entity can change the face of the global supply chain, there are changes you can make within your own organization to help shield you from disruption. It starts with heeding supply chain security best practices:

What Is a Supply Chain?

A supply chain encompasses all the processes involving producing goods/services and their ultimate delivery to the end customer. These processes often include multiple enterprises that may directly or indirectly influence the goods/services of different partners, vendors and suppliers.

Ultimately, a supply chain is all about getting customers what they need at the right place, time and price.

What Are the Four Types of Supply Chains?

More specifically, the supply chain can be broken up into four main types: products, facilities, vehicles and routes. Each of these entities must operate in concert to successfully produce goods/services and deliver them to the customer.

  • Products: the goods in demand
  • Facilities: where products are made, stored, sold and/or consumed
  • Vehicles: how products are transported between facilities
  • Routes: how vehicles travel between facilities to efficiently move products

What Is Supply Chain Security?

While supply chain security is becoming a more talked-about topic, it lacks a singular definition.

Essentially, supply chain security is all about managing the risks that threaten each part of the supply chain and its participants. For an enterprise, this means identifying, analyzing and figuring out how to mitigate the risks of working with different vendors, suppliers and other service providers.

Supply Chain Security Examples

Supply chain security encompasses both physical security and cybersecurity, with the latter taking on an increasingly bigger role.

For example, threats to physical supply chain security include theft or sabotage. These can be mitigated by running background checks on personnel or requiring vendors to secure shipments with specific guidelines.

On the other hand, threats to supply chain cybersecurity include malware attacks, piracy or maliciously injected backdoors. Organizations can minimize these threats by subscribing to supply chain security best practices.

Importance of Supply Chain Security

Supply chains are becoming increasingly global and, thus, increasingly at risk of attacks.

A supply chain attack is any attack that targets elements of the supply chain with the intent to damage departments, enterprises or even entire industries. These attacks can range from data breaches to ransomware attacks to a host of other malicious activities from bad actors. And the effects of such attacks are dire: For example, the global average cost of a data breach is estimated at $4.35 million.

To carry out a supply chain attack, attackers often target the weakest links in the supply chain. Usually, these are small vendors or open source communities that lack robust cybersecurity postures. Target, for example, infamously suffered an attack that cost $61 million, which began when their air-conditioning supplier was compromised.

While it may seem insignificant, even a single security incident with a small third-party supplier can wreak havoc on the greater supply chain. By comprising just one party, attackers can set off a domino effect to destabilize the greater supply chain.

How to Design a Complete Supply Chain Security Strategy

Without proper supply chain security, organizations risk falling pretty to an attack and suffering delayed deliveries, damaged products, compromised personal data, and even a tarnished reputation, among many other operational and financial consequences.

Creating a complete supply chain security strategy is paramount to staying safe from would-be attackers.

What Is a Supply Chain Security Framework?

To do so, many organizations are turning their attention to supply chain security frameworks, such as the NIST framework. In fact, for federal agencies and contractors, President Biden’s Executive Order on Improving the Nation’s Cybersecurity makes the use of a software supply chain security framework mandatory.

These frameworks are designed to help organizations understand the main pillars of supply chain security so they can identify cybersecurity risks and take steps to mitigate them, as well as prepare for what to do in the event of an attack.

Supply Chain Security Best Practices

While cybersecurity frameworks provide a good overview of general supply chain security requirements, they offer little in the way of a detailed plan for execution.

What organizations need is a guide for a multifaceted approach to supply chain security — but there is no one playbook that can suit the needs of every organization.

Instead, as organizations develop their own approaches to security, leaders should heed supply chain security best practices:

1. Get to Know Your Data

It sounds simple, but it cannot be overlooked: You must understand your own data, i.e., what kind of data your organization stores and how sensitive that data is.

To do this, use discovery and classification tools to locate databases and files in your organization that have sensitive data, like customer data, financial information, health records, etc.

Next, consider the following:

  • What data needs to be protected?
  • Who has access to this data?
  • What security measures are already in place?

2. Conduct a Supply Chain Security Risk Assessment

Just understanding your data isn’t enough. You also need to know your supply chain through, and through so that you can identify possible security risks and take steps to prevent them.

Start by gathering information about your third-party partners. What cybersecurity measures do they have in place? Consider each partner’s vulnerability level, breadth and depth of access to your data, and the effect on your organization if their security is compromised.

Next, assess the software and hardware products that your organization uses. What are their weakest points?

And don’t forget about compliance. Evaluate the existing security governance and consider where your organization may need to pivot.

3. Establish a Detailed Security Program

Supply chain security frameworks are helpful, but they don’t constitute a complete plan of how your organization will handle supply chain security.

Take the time to develop a complete program — and put it in writing.

Create a document that describes all objectives and tasks for your supply chain security posture and outlines all policies, processes, procedures and tools your organization will use. Ensure accountability by assigning specific roles with clear responsibilities.

Again, pay attention to compliance — and not just to your own. Ensure that all your partners understand what standards and requirements they must uphold to access and use your data.

4. Strengthen Your Data Management — Now

Supply chain security management is an ongoing task, but as you get started designing a new program, there are things you can do right away.

For example, you can immediately mitigate some vulnerabilities by updating poor password policies and eliminating default passwords.

It’s also a good idea to conduct penetration testing. By working with penetration test specialists, you can pinpoint vulnerabilities in all applications across your organization and IT infrastructure that pose a grave risk to the greater supply chain.

5. Evaluate Your Third-Party Partners for Risk

As your connections to third-party organizations grow, so do your supply chain security risks.

This means third-party risk management must always be top of mind.

Start by connecting your internal team with your organization’s third-party partners and vendors. Work together to identify major risks, such as a system shutdown or data breach. Then, prepare for the inevitable by discussing the potential damage to your organization if one of these events occur and how you can mitigate the effects.

6. Communicate Continuously with Your Partners

As supply chain security is an ongoing challenge, you’ll need to collaborate closely with your partners.

Throughout the life of your relationship, you must continuously work with your partners to monitor security risks, assess their severity and plan ways to prevent them.

Maintaining regular communications with your partners will go a long way in ensuring that everyone is on the same page when it comes to security.

Consider using service-level agreements (SLA) to make communication clear from the get-go. This will help ensure that all supply chain security requirements are standardized across all third parties, which will help with compliance and also hold teams accountable. Along with all necessary security requirements, an SLA should include the duties of each party, the metrics that will be used to measure compliance and the stipulated fines for each violation.

7. Limit Your Partners’ Access to Your Data

Communicating with your partners is an important component of good supply chain security. But above all, the number one supply chain security rule — Don’t trust your supply chain.

After all, the more people who have access to your data, the harder it is to ensure its security. Limiting all third-party partners’ access to your organization’s sensitive data can reduce the chance of data breaches and other security risks.

To decide where to limit access, start by conducting an audit. Determine which partners have access to what data — and why. Do they really need access to this data? To keep partners’ access streamlined, consider employing the rules of least privilege or adopting zero trust security.

8. Monitor Your Partners’ Activity

The importance of maintaining good communication with your partners can’t be overstated. But supply chain security best practices also recommend continuous activity monitoring for all suppliers, vendors, and other third-party partners. While it may sound obtrusive, monitoring third-party activity is actually a common IT compliance requirement.

By monitoring all external users accessing your organization’s network, you can help prevent bad practices and actors from slipping through the cracks.

Monitoring also proves useful in the event that there is a supply chain attack, as it can help your organization identify where the attack originated so you can take steps to patch up the weak point.

9. Develop an Incident Response Plan

No matter how robustly you prepare your organization’s supply chain security, attacks will happen, and your system will be compromised.

That’s why supply chain security best practices are about more than just prevention — they’re also about preparation.

A key part of your supply chain security program should include an incident response plan. This plan should detail everyone’s roles and all the procedures to follow in the event of a security incident. Make sure you have distinct plans for data breaches, system shutdowns and other security disruptions.

And don’t just write down these procedures. Test them, practice them and ensure that they are ready to be executed.

In Conclusion

The supply chain is fragile, making maintaining solid supply chain security a dangerous game.

While you can never be sure to eradicate all threats, following supply chain security best practices will position your organization to prepare for them and mitigate their effects.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
A Platform for Kubernetes The Need for Speed: Why Eleventy Leaves Bundlers Behind The Distance from Data to You in Edge Computing What Are Time Series Databases, and Why Do You Need Them? Why a Cardboard Box Is the Biggest Enemy of Edge Kubernetes
RELATED STORIES
The Distance from Data to You in Edge Computing Why a Cardboard Box Is the Biggest Enemy of Edge Kubernetes Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods Startup pgEdge Tackles the Distributed Edge with Postgres 7 Hardware Devices for Edge Computing Projects in 2023
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.