Manage Security Risk in Your Supply Chain

Supply chain challenges have been in the news for quite some time. What hasn’t been a part of that discussion is the potential security risks to both physical product supply chains and the software supply chain.

The issue caught the attention of President Biden, who issued an executive order on May 12, 2021, titled “Improving the Nation’s Cybersecurity.” In section four of the executive order, “Enhancing Software Supply Chain Security,” multiple directives were issued, including instructions for publishing guidelines related to software development security for a wide range of issues concerning developing and deploying critical software.

A result of the executive order was a special publication by the National Institute of Standards and Technology titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM),” published in May of 2022. This 326-page document outlines a range of actions and prescriptive controls to implement C-SCRM practices.

The Threat

The Cybersecurity and Infrastructure Security Agency (CISA) is leading government efforts by establishing a central reference point for multiple initiatives to address supply chain security risks. The CISA website has links to a wide range of informational and educational content. Information and communications technology (ICT) serves a critical role in our nation’s technology infrastructure. CISA has helped to sponsor the ICT Supply Chain Risk Management Task Force to identify and develop strategies focused on ICT supply chain security.

Many of the general supply chain threats sound similar to those you would expect to find in a list of corporate network security threats. The most prevalent attack comes from granting privileged access to outside vendors or to third-party software. This type of threat can be mitigated using a zero trust approach to granting privileges.

Another potential threat comes in the form of communications between a vendor’s network and the vendor’s software located on a customer’s network. While ostensibly used to provide software updates and even security fixes, this type of communication could be used as an attack vector by a malicious actor.

The Microsoft Open Source Software (OSS) Secure Supply Chain (SSC) Framework is an open guide to establishing best practices with regard to open source software used in supply chain software. The guide provides both potential threat sources and best practices to mitigate those risks.

Software Supply Chain Risk Management

CISA identifies five key steps needed to formulate a risk management program with regard to software supply chain security.

1. Identify your key mission or business processes — what essential services do you provide or what drives your revenue?
2. Maintain an inventory of your organization’s current and future software licenses.
3. Research and document how each software license is supported by its supplier (e.g., Are patches provided? Does the supplier offer periodic email updates about the product?)
4. Understand how your software (current or future purchases) supports or otherwise relates to your key processes.
5. Document how you would address software for which a vulnerability is disclosed.

Risk Mitigation

As one of the first steps toward mitigating risk, corporate support for a supply chain security policy should include simple things like a password policy, a corporate commitment to funding support for a cybersecurity team, and regular employee education. Many incidents, such as ransomware, find opportunities through email phishing campaigns and other personnel-involved attacks.

One of the key essentials identified in the CISA ICT SCRM Essentials document requires you to know your supply chain and suppliers. This includes identifying your supplier’s sources when possible. This can help identify any potential risks connected with external situations, such as international shipping bottlenecks.

Software Development Security

Developing and deploying software in a secure fashion is no small task. The CISA publication “Securing the Software Supply Chain: Recommended Practices Guide for Developers” lays out a set of recommended guidelines “to help secure the software development life cycle (SDLC).” The Association for Computing Machinery (ACM), Carnegie Mellon University, the Massachusetts Institute of Technology and others are listed as references for examples, SDLC processes and practices, and additional information.

The NIST publication titled “Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities” is also listed as a primary source for risk management as well as steps that should be taken in the full life cycle of software development. This includes such things as programming languages, test frameworks, source code control and the use of standardized development environments.

Another consideration called out by the Recommended Practices Guide concerns threats posed by insiders. While rogue employees can’t always be prevented, policies can be put in place to help reduce the risk they present. This can include education in writing secure code and the use of least privilege when necessary.

Bottom Line: Supply Chain Security Risk Management

Making security a priority throughout the supply chain, including the software supply chain, will greatly reduce corporate risk. CISA provides a wealth of resources to help any team get up to speed on the latest standards and procedures related to supply chain security. Better to invest in the necessary resources and personnel ahead of time than pay the price of a significant compromise down the line.