Software Supply Chain Vulnerabilities Exposed [Video]
For many years, organizations have focused on the sourcing of the physical components used in their respective value chains. When blockchain-based tracking arrived, an organization’s bill of materials became a far more powerful tool: rather than a document showing the number of a given physical item consumed in a project, it could record and trace every input and output along the supply chain.
However, this leaves a significant problem unaddressed. In a vast number of cases, physical components make up only half of the equation; the other half is software components. A study commissioned by the BlackBerry Product Security team found that a staggering 81% of the 1,500 IT decision-makers and cybersecurity professionals who participated had been notified of a vulnerability in, or experienced a breach of, their software supply chain in the last year.
There are numerous barriers to securing the software supply chain. The top two identified in our research are a lack of appropriately skilled team members (54%) and limited visibility (44%). Read the full research report in BlackBerry’s new white paper, Software Supply Chains: A Major Challenge for Cybersecurity.
How Can Organizations Overcome These Hurdles?
In a recent BlackBerry LIVE episode, Magnitude of Software Supply Chain Vulnerabilities Exposed (watch the video below), BlackBerry Vice President of Threat Research & Intelligence Ismael Valenzuela hosted three experts on this topic:
- BlackBerry Vice President of Product Security Christine Gadsby
- Principal Product Security Compliance & Governance Manager Tim Segato
- BlackBerry Vice President and General Manager of Critical Events Management Ken Murphy
The following is a partial transcript of the discussion, edited for brevity.
Why did the Product Security team conduct this research, Christine?
One of the things that we've always been really interested in is the supply chain; it was in many ways our first love. From the time when BlackBerry still made phones, we looked at supply chain accountability. This was because of the markets we were selling in and the customer bases that we primarily marketed to. We were, and in some cases still are, held accountable by working professionals, monolith corporations, and governments who need to be able to trust the security of our products.
Now that we’re a software company and have our own software supply chain — and especially after SolarWinds — we wanted to see how other organizations were managing. Our findings were surprising, to say the least. But I’ll let Tim get into it.
As Christine mentioned, the findings are quite surprising. For instance, 81% of respondents indicated that they've been notified and experienced a breach of their software supply chain in the last year. We knew that it would be high, but 81% is most people consuming software! I think more interestingly — and perhaps more frightening — is that 77% of respondents were unaware of some software component or supplier in their supply chain prior to an exploration exercise. There were potential vulnerabilities, and they just didn't know about them.
Another nugget we found was that 62% say that speed of communication is probably the top priority for them during a breach. 66% say they would love to entertain a single consolidated way to collaborate and communicate during a breach event, both with internal stakeholders and external stakeholders. This means, or at least implies, that they currently don’t have a method of doing this to the degree of efficiency that they would like.
Yes, when one of our product team members talks to a CISO, they pose this scenario to them: “You've put on all the cyber protection you possibly can, but you've been breached. What are you going to do? How are you going to get your fireteam together?” And oftentimes the CISO will say, “We’ll just send an email, or call them, or we’ll get on Slack.” The product team member says, “No, no, no, you can't, your internal network has been compromised! So, how can you communicate with your employees and other constituents?”
While you're in this situation, you can't be thinking up what method you should use to communicate. It must already be in place.
(Moving forward) you're going to see cyberattacks that will cause not only data loss but also damage or destruction of physical equipment. The systems at your factory are compromised or go down and cause a fire or an explosion. Now, not only do you need to do an emergency communication regarding an IT issue, but you also need to do an emergency communication saying to evacuate.
Read the complete report here.
Updating Your Software Supply Chain Security
Many companies struggle to effectively manage their software supply chain, and it’s understandable. The IT skill shortage shows no sign of letting up, and breaking a product down into all of its software components can be an incredibly complex task.
However, those who are better informed are better prepared. Just as blockchain brings more visibility into the movement of physical goods through the supply chain, BlackBerry is developing tools, such as BlackBerry® Jarvis® 2.0, to help organizations gain visibility into their software stacks. Core benefits of BlackBerry Jarvis 2.0 include:
- Amplified visibility – BlackBerry Jarvis 2.0 lets you analyze all the software in your product without the need to access the source code.
- Time savings – with BlackBerry Jarvis 2.0 the analysis can be done in minutes, instead of months.
- Enhanced safety – BlackBerry Jarvis 2.0 detects open-source software components, their versions, and known CVEs, which lets you more easily identify vulnerabilities in third-party binaries and plan how to address them.
- Compliance – meet even the toughest audit and regulatory compliance requirements and cybersecurity standards (UNECE WP.29 R155, ISO/SAE 21434).
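The visibility step the bullets describe (know which components and versions are in a build, then check them against known advisories) can be illustrated with a small matcher. The block below is an added example, not BlackBerry Jarvis code or any description of how Jarvis works; the SBOM, the component names, the versions and the advisory identifiers are all constructed for this illustration (the `EXAMPLE-ADV-*` IDs are placeholders, not real CVE numbers). It also shows the situation the survey respondents reported, a component present in the build that nobody listed deliberately: here a second, older copy of a library bundled by a transitive dependency.

```python
"""Match an SBOM's component versions against version-range advisories.

Added illustration, not BlackBerry Jarvis code. The SBOM and the
advisory list are constructed sample data for this example.
"""
from typing import Dict, List, Tuple

# Constructed SBOM, in the spirit of a CycloneDX component list.
# All names and versions are made up for this example.
SBOM: Dict[str, List[Dict[str, str]]] = {
    "components": [
        {"name": "libexample-compress", "version": "1.2.9"},
        {"name": "libexample-tls", "version": "3.0.4"},
        {"name": "libexample-json", "version": "2.17.2"},
        # Older second copy pulled in by a transitive dependency: the kind of
        # component teams report not knowing about until they inventory a build.
        {"name": "libexample-json", "version": "2.14.1"},
        {"name": "libexample-xml", "version": "4.1.0"},
    ]
}

# Constructed advisories. A version is affected if introduced <= v < fixed.
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-0001", "component": "libexample-compress",
     "introduced": "1.2.0", "fixed": "1.2.11"},
    {"id": "EXAMPLE-ADV-0002", "component": "libexample-json",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "libexample-tls",
     "introduced": "3.0.0", "fixed": "3.0.4"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.11' or '2.15.0-rc1' into a comparable tuple of ints.

    Only the numeric dotted prefix is compared; anything after the first
    non-numeric suffix is ignored. Treating '2.15.0-rc1' like '2.15.0' is a
    simplification: a production matcher must honour pre-release ordering.
    """
    parts: List[int] = []
    for seg in v.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
        if len(digits) != len(seg):
            break  # stop at the first segment carrying a suffix
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, comparing padded tuples.

    Padding avoids the trap that ('1', '2') sorts below ('1', '2', '0') in
    plain tuple comparison even though 1.2 and 1.2.0 are the same release.
    """
    v, lo, hi = parse_version(version), parse_version(introduced), parse_version(fixed)
    width = max(len(v), len(lo), len(hi))
    v, lo, hi = (t + (0,) * (width - len(t)) for t in (v, lo, hi))
    return lo <= v < hi


def find_vulnerable(sbom: Dict[str, List[Dict[str, str]]],
                    advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for every affected SBOM entry."""
    hits: List[Tuple[str, str, str]] = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(SBOM, ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")
```

Two of the five entries match: the compress library sits inside its advisory's range, and the older bundled copy of the JSON library is flagged even though the copy the team knew about (2.17.2) is clean. The TLS library at exactly the fixed version is correctly not reported, which is why the range check must be half-open.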
Addressing Critical Communications in a Supply Chain Breach
Also discussed during the BlackBerry LIVE episode is the importance of breach preparedness, especially planning for secure post-breach communications. CISOs need to have crisis communication plans in place, and the right tools to execute them. Here’s something to consider: Numerous government agencies around the world trust BlackBerry® AtHoc® to help them prepare for, respond to, and recover from critical events and emergencies. In a crisis, BlackBerry AtHoc gets clear and timely information to your team, your customers, and if needed, the public at large — so you can keep everyone safe, secure, and informed.
For more on this topic, read BlackBerry’s latest white paper Software Supply Chains: A Major Challenge for Cybersecurity.