By Joe Fay

If it’s a surprise to you that April is the U.S. Cybersecurity and Infrastructure Security Agency (CISA) National Supply Chain Integrity Month, it might be an even bigger surprise that this is the event’s sixth year.

This year’s theme is “Supply Chain Risk Management (SCRM) – The Recipe for Resilience”, and the agency is pushing government and industry to “work together to shift from a reactive to a proactive approach for supply chain risk management.”

For good reason. Sonatype’s most recent State of the Software Supply Chain report showed that 1.2 billion vulnerable dependencies are downloaded every month, while the number of “malicious, next-generation attacks” grew 633% year on year.

Not Just an Open Source Problem
It might be easy to think that this is all about open-source software. The Log4J crisis in 2021 certainly highlighted the havoc a problem with one small open-source component can create. However, that came barely 18 months after the SolarWinds attack, which itself highlighted how proprietary software can also represent a threat. Closed software and services often rely on open-source components and infrastructure.

As Peter Thomas, distinguished engineer and head of cloud and DevOps engineering at Deutsche Bank, told us recently at a Red Hat roundtable, it was the combination of the two that “opened the eyes of the C suite or senior management who previously didn't know that we had this risk.”

It is not surprising that the issue of software supply chain security is moving beyond the realm of exhortations and advice, and into the world of policy and legislation. The White House has made supply chain security a central part of the wide-ranging cybersecurity strategy it launched in March. This builds on its pre-existing effort to tighten up supply chain security, particularly for critical infrastructure, which has included an effort to encourage software bills of materials (SBOMs).

Meanwhile, the E.U. is considering a proposed Cybersecurity Resilience Act which, amongst other things, covers the responsibility and liability of software producers. An initial U.K. government consultation on securing digital supply chains is due to close on May 1, with formal policy options due in the summer.

But with the best will in the world, it’s unlikely that Washington D.C., London or the E.U. will have legislation or concrete measures in place any time soon. Even then, while this might spell out the responsibilities of vendors and developers, it’s unlikely to discourage threat actors on its own.

Responding to the Supply Chain Challenge
What can security pros do now? CISA is pushing a number of toolkits and other resources to help private and public sector organizations “go back to basics and apply actionable cybersecurity and supply chain risk management steps to strengthen their ICT supply chains”.

Meanwhile, there are industry efforts to counter the problem, at least around open source. Google donated its SLSA framework for assuring the integrity of software artifacts to the community in 2021. It is currently on its final release candidate for v1.0. The OSSF is also shepherding along the Microsoft-originated Secure Supply Chain Consumption Framework (S2C2F).

There are, of course, plenty of companies offering tools and services for software composition analysis and vulnerability management.

The finance sector might give us a lead here on how different sectors can begin to think about supply chain security and start working together to tackle the problem.

Deutsche Bank’s Thomas said that open-source software was the de facto standard for software engineering, and the question is “how do you use it in the same manner that we would treat internally developed software” to ensure “it's to the same quality, we’re comfortable about its security aspects and things like that.”

Rival bank Citi last year announced plans to open-source Continuous Secure Software Ingestion tooling it had built to help manage the three million external packages it uses. The aim was to help judge the maturity of libraries developers were using, according to Citi’s director of application security, James Holland, and to head off the possibility of malicious actors working around signing and verification schemes.

Rare Financial Sharing
This is more significant than it might seem, given that financial players have traditionally jealously guarded their tech secrets and expertise, so that even as the use of open-source software ramped up, the sector developed a reputation for not contributing much back.

Thomas says that there is an increasing recognition amongst banks and other financial firms that some of the things they do could be mutualized. “And not only mutualization of development and operational costs, but mutualization of ideas and approaches.”

Initiatives like SLSA and the efforts of the OpenSSL were addressing supply chain issues, he said. “They're becoming, particularly OpenSSL, an accepted standard for high quality open-source software to be compliant with.”

At the same time, he said, they can provide a model for how financial industry regulators approach software. “So we're looking at those and you say, Okay, can we reuse these open standards?”

So, consider taking a lead from CISA: start getting involved, make sure supply chain security is on your organization’s agenda, and consider how to work with your peers. Because if you don’t, someone else will. If you’re lucky, it’ll be the regulators or policy makers. If you’re not, it’ll be the hackers.