Products & Technology
July 9, 2024

Three Pillars to Strengthen Software Supply Chain Security

In a new report, Gartner® is redefining software supply chain security and calling on enterprises to make some big changes.

Dan Petrillo

In the past year, more enterprises have begun to see the bigger picture when it comes to software supply chain security (SSCS). Government calls to action, such as the White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) and subsequent guidance, as well as new regulations such as the PATCH Act stress the need for securing software supply chains that encompass both open source and commercial software.

While this momentum for change is promising, in our reading Gartner is now signaling that enterprises need to do more to shore up their software supply chains. The latest Gartner report, Leader’s Guide to Software Supply Chain Security, notes that despite “almost two-thirds of organizations reporting that they have already implemented SSCS initiatives,” “multiple incidents and metrics reveal those efforts — which are often uncoordinated across the organization — have failed to address serious gaps in security.” The estimated cost of software supply chain attacks “runs to tens of billions of dollars and is expected to grow 200% to $138 billion by 2031,” Gartner notes. In short: Enterprises can no longer afford the risk of skimping on a quality SSCS program.

Here's a look at the Gartner report’s new definition for comprehensive SSCS, the strategy the analyst firm has put forth for enterprises to achieve it — and how RL Spectra Assure, ReversingLabs’ SSCS solution, enables businesses to meet the demanding standards set by Gartner’s new report.


Bigger than AppSec: Defining comprehensive SSCS

This latest Gartner report builds on Gartner’s October 2023 report, “Mitigate Enterprise Software Supply Chain Security Risks.” RL asserts that that report called out cybercriminals’ favored attack vectors, which go beyond the exploitation of open source software components and vulnerabilities. RL believes the new Leader’s Guide takes this a step further by pointing out that the attack surface extends beyond open source:

Attacks on the software supply chain, including both proprietary and commercial code, pose significant security, regulatory and operational risks to organizations.

Because traditional application security tools such as SAST, DAST, and SCA detect little beyond software vulnerabilities and do not examine the final build, enterprises need tooling that does more for SSCS. Gartner states in its new report that enterprises should “implement active testing (binary analysis, penetration testing, etc.) of code, especially for sensitive or high-risk systems.” Technologies such as complex binary analysis allow security teams to spot a wider range of threats in the shipped artifact, including malware insertion, tampering, and secrets exposure.

Gartner also points out that cybersecurity risk managers need tools that can identify whether there is malicious code in commercial software. We agree, which is why we think that to achieve comprehensive SSCS, enterprises will need a security solution that can scan the full commercial software binary. Because software vendors do not typically make their source code available, Spectra Assure does not require it.

The three pillars of SSCS

In addition to finding the security tool that will let your enterprise spot threats lurking in open source, proprietary, and commercial software and all other artifacts, Gartner also stresses the importance of developing a coordinated SSCS strategy. The new report describes what this coordination should look like:

Identify stakeholders from security, software engineering, procurement, vendor risk management and other parties; educate them on the risks involved and support their required actions to mitigate dangers.

RL believes the Gartner report points enterprises in the right direction by offering a new, simple, high-level definition of SSCS that lets organizations quickly understand their security gaps from every part of the business:

Software supply chain security is the set of processes and tools used to curate, create, and consume software in ways that mitigate attacks against software or its use as an attack vector.

Based on this definition, Gartner then outlined “The Three Pillars of Software Supply Chain Security,” which include the following:

  • Curate: Assess the risks of commercial software and its acceptability.
  • Create: Ensure secure development and the protection of software artifacts and the development pipeline.
  • Consume: Validate the integrity of software through verification, provenance and traceability.

These three pillars of SSCS map to the stakeholders who should be responsible for securing an enterprise’s software supply chains: third-party risk managers, software engineers, and cybersecurity teams, respectively. The Gartner report states that “cross-organizational coordination and information sharing can improve outcomes by ensuring a consistent approach to SSCS standards.”

A rare solution that provides coordinated, comprehensive SSCS

Unfortunately, enterprises that want to run out and acquire the kind of solution Gartner describes may be frustrated. Gartner notes in the report that “relatively few vendors offer a comprehensive solution that completely spans all pillars of the SSCS framework.”

However, RL is one of the few vendors that does offer such a solution. RL Spectra Assure addresses each of the three pillars listed by Gartner. Using complex binary analysis, Spectra Assure can vet open source, proprietary, and commercial software across the entire supply chain: curating safe components; securing development, creation, and release; and securing consumption through proper assessment and management when procuring software, as well as deployment and ongoing monitoring. Spectra Assure offers comprehensive and coordinated coverage of threats to enterprises’ software supply chains from a single solution, making it much easier for enterprises to enable consistent information sharing, simplify vendor management, and more.

To learn more about how your enterprise can build a comprehensive and coordinated SSCS program, and to assess which security tool is best for your organization, download Gartner’s new report: “Leader’s Guide to Software Supply Chain Security.”



Gartner, Leader’s Guide to Software Supply Chain Security, By Dale Gardner, Manjunath Bhat, 20 June 2024.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation.
Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
