Concern about protecting software supply chains has grown significantly over the past few years. Costly software supply chain attacks, including SolarWinds, 3CX, and Log4Shell, garnered headlines internationally and focused the attention of governments and the private sector on software supply chain risk.
And for good reason. According to the research firm Gartner, almost two-thirds (61%) of all U.S. businesses were directly impacted by software supply chain attacks between April 2022 and April 2023. In the United States, software supply chain security takes center stage in federal efforts to strengthen cybersecurity. Since issuing its initial Executive Order 14028 in May, 2021, the Biden administration followed up with policy directives and guidance — many focused on improving software supply chain transparency and security.
More recently, Gartner released the report “Mitigate Enterprise Software Supply Chain Security Risks” in October, which provides guidance to private-sector companies on how to manage their software supply chain risk. Based on the findings of research conducted by the firm, Gartner makes recommendations for both software publishers and for those who manage vendor application security, so that their organizations can stay ahead of software supply chain risks.
Here are three key takeaways from Gartner’s report.
[ See the Webinar: Key takeaways from the Gartner software supply chain risk report ]
Supply chain security is a third-party risk priority
Most organizations today are using third parties to fulfill their IT needs – and that includes companies that are in the business of making software. Digital transformation and the embrace of cloud computing and SaaS (software as a service) make third-party risk management (TPRM) critical to maintaining operational integrity across industries. But what counts as TPRM is changing.
“TPRM vendors … do not provide adequate information to form a complete opinion of the risk that a vendor might pose. A superior approach to managing risk is to directly request and evaluate attestations — or other evidence — of appropriate secure software development practices."
–Gartner
For organizations to have robust TPRM that accounts for software supply chain security, Gartner recommends that they request and evaluate attestations of secure software development practices from any third-party vendor. Vendors that cannot — or will not — provide this attestation should be approached with caution and even disqualified from consideration.
Frameworks such as the National Institute of Standards and Technology’s secure software development framework (SSDF) provide guidance on how organizations should prioritize software supply chain security. That includes protecting software from malicious actions, developing software securely, and responding to vulnerabilities.
Transparency is a must-have
Modern software products consist of proprietary, commercial, and open-source code. Risks to software supply chain security, such as the exploitation of software vulnerabilities or tampering with an organization’s build and release processes, can exist in any type of application, no matter the mix of first-, second-, or third-party code.
That complex mixture prompted calls from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for greater supply chain transparency, so that development organizations can identify risks in the software they are creating, ranging from software vulnerabilities to legal risks to technical debt. The best way to provide this transparency is with a high-quality software bill of materials (SBOM), which serves as a comprehensive ingredients list for software components.
“The inability or unwillingness of a vendor to provide an SBOM should be viewed as a significant risk and potentially disqualifying.”
—Gartner
Consider new tooling to detect malware in code
As incidents such as SolarWinds and 3CX show us, both software producers and consumers need to be able to identify malware and malicious code hiding within software products.
Malicious code can make its way into software in several ways. Developers may fall prey to typosquatting attacks and will accidentally employ a malicious package from an open-source repository as a part of their non-malicious application. In more extreme cases, sophisticated malicious actors infiltrate developer accounts and development organizations, using that access to compromise development and build pipelines in order to tamper with internal code to add malicious features. That tampered code is then compiled, signed, and pushed to customers as sanctioned software updates.
“It is increasingly common for software (both open source and commercial) to be exploited by attackers as an attack vector.”
—Gartner
Existing application security testing and code analysis tools such as vulnerability scanning, static analysis, and software composition analysis are necessary but insufficient to handle software dependency risks or compromises of development and build pipelines. Gartner’s report highlights this: “Traditional application security testing tools do not typically attempt to detect malicious code.”
In addition to pinpointing this gap in traditional AppSec tooling, the Gartner report states, “There are a limited number of vendors who can support automated analysis of code to detect malware.”
Gartner mentions ReversingLabs as one of those vendors. We agree that in order to detect these kinds of threats, organizations need automated analysis tools that address first-, second-, and third-party code to identify malware and other signs of tampering in source code or compiled binaries.
Enterprises need to stay ahead of threat actors
Gartner’s recommendations listed in its “Mitigate Enterprise Software Supply Chain Security Risks” report are reflective of the growing need to secure software supply chains from modern-day attacks. As recent incidents show, both cybercriminal and nation-state threat actors are becoming more skilled in how they carry out software supply chain attacks. As such attacks proliferate, it raises the bar on the federal government, open-source communities, and enterprises to increase their scrutiny of supply chain risks and take action to prioritize software supply chain security protections.
Gartner, Mitigate Enterprise Software Supply Chain Security Risks By Dale Gardner, 31 October 2023
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation.
Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Keep learning
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.