Building Supply-Chain Trust: The Importance of Conformance
In today’s climate, the software supply chain represents one of the most significant cybersecurity threats facing organizations. As evidenced by the SUNBURST supply chain attack, which targeted customers of SolarWinds and others, and the August 2022 Microsoft Exchange attack targeting on-premises Exchange servers, threat actors are increasingly turning to software vendors as a preferred target and an effective vector for spreading their attacks. Case in point: software supply chain attacks reportedly increased by 300% in 2021.
It makes sense from the attacker’s perspective — by successfully compromising a vendor, a criminal enterprise potentially gains access to all the clients of that vendor. In some cases, those clients are massive entities whose security the hackers would otherwise have no chance of breaching in a direct attack.
This trend is even more concerning in that software supply chain attacks are notoriously difficult to defend against. Security teams must often race against the clock as they search for a figurative needle in a haystack. Once details of an attack are made public, all security professionals can do is hope they’re able to find and remediate existing vulnerabilities before an attacker can exploit them.
Making matters worse is the fact that many organizations tend to be rather opaque about their product suite. Perhaps because they believe it grants them some competitive advantage, they often are unwilling to disclose the specific components of each solution. Consequently, clients can’t tell what their software is “made of,” so they have no way of knowing if a solution contains vulnerable elements.
If that sounds like a significant cybersecurity risk, you’re right. It is. And when the Biden administration issued a cybersecurity executive order mandating improvements to the software supply chain last year, one recommendation was to require that vendors contracting with the federal government submit a software bill of materials (SBOM).
Essentially, an SBOM lists the core “ingredients” of software solutions — proprietary code, open-source components, and the development frameworks the solutions leverage. Every company is unique, with different challenges, requirements, and ecosystems. If businesses are to achieve truly resilient and trustworthy software supply chains, there must first be an agreed-upon set of standards to which all companies may adhere.
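To make the "ingredients list" concrete, the following added example (not code from BlackBerry, OpenChain or this page) reads a minimal SBOM in the CycloneDX JSON shape and checks each component's package URL (purl) against a small advisory list. Every component name, version and advisory identifier here is constructed for the example, and affected version ranges are assumed to be half-open, from `introduced` up to but not including `fixed`.

```python
"""Inventory a CycloneDX-style SBOM and match its components against advisories.

Added example; not BlackBerry's, OpenChain's or any vendor's code.
All component and advisory data below is constructed for illustration.
"""
import json
import re

# Constructed SBOM in the shape of a minimal CycloneDX 1.4 JSON document.
# It mixes proprietary code, open-source libraries and a framework, as the
# article describes, plus one component that lacks a purl on purpose.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application",
                               "name": "example-portal", "version": "3.2.0"}},
    "components": [
        # proprietary component (constructed)
        {"type": "library", "name": "example-auth", "version": "3.2.0",
         "purl": "pkg:generic/example-auth@3.2.0"},
        # open-source library inside a constructed affected range
        {"type": "library", "name": "example-parser", "version": "1.2.0",
         "purl": "pkg:npm/example-parser@1.2.0"},
        # framework at exactly the constructed fixed version (not affected)
        {"type": "framework", "name": "example-framework", "version": "2.3.0",
         "purl": "pkg:maven/example.org/example-framework@2.3.0"},
        # component with no purl: cannot be matched, must be reported
        {"type": "library", "name": "legacy-utils", "version": "0.9"},
    ],
})

# Constructed advisory list; identifiers are placeholders, not real CVEs.
CONSTRUCTED_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:npm/example-parser",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:maven/example.org/example-framework",
     "introduced": "2.0.0", "fixed": "2.3.0"},
]


def parse_version(version):
    """Turn '1.2.0' or '1.2.0-beta' into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def split_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (package, version)."""
    package, _, version = purl.partition("@")
    return package, version


def load_components(sbom_json):
    """Parse the SBOM and return its component list, rejecting other formats."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc.get("components", [])


def unidentified_components(sbom_json):
    """Names of components that carry no purl and therefore cannot be matched."""
    return [c["name"] for c in load_components(sbom_json) if "purl" not in c]


def find_affected(sbom_json, advisories):
    """Return (name, version, advisory id) for each component in an affected range."""
    hits = []
    for comp in load_components(sbom_json):
        if "purl" not in comp:
            continue
        package, version = split_purl(comp["purl"])
        current = parse_version(version)
        for adv in advisories:
            if adv["package"] != package:
                continue
            # half-open range: introduced <= version < fixed (assumption)
            if parse_version(adv["introduced"]) <= current < parse_version(adv["fixed"]):
                hits.append((comp["name"], version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_affected(SAMPLE_SBOM, CONSTRUCTED_ADVISORIES):
        print(f"AFFECTED {name}@{version}: {adv_id}")
    for name in unidentified_components(SAMPLE_SBOM):
        print(f"UNIDENTIFIED {name}: no purl, cannot be checked")
```

The point of reporting `legacy-utils` separately is that an SBOM is only as useful as the identifiers it carries: a component listed by name alone cannot be matched against advisories, which is the visibility gap the article describes when vendors do not disclose what their software is made of.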
That’s precisely what the OpenChain Project establishes. And it’s why BlackBerry is proud to be the first company based in North America to achieve whole-entity conformance with OpenChain 2.1, the formal name of the OpenChain ISO/IEC 5230 standard. This means that our entire software portfolio will be managed through an OpenChain-compliant process.
What is OpenChain?
While compliance continues to increase globally, there is not yet a great deal of awareness about the OpenChain Project or the ISO standard in North America. Since being established by The Linux Foundation in 2016, OpenChain has mostly gained traction in the EMEA and APAC markets.
The OpenChain Project defines the key elements of a quality open source compliance program. It maintains the International Standard for open source license compliance, which seeks to promote a more secure, reliable, and transparent software supply chain. This open-source standard, known as OpenChain ISO/IEC 5230, was created with flexibility in mind to ensure it remains applicable to organizations of all sizes in every sector.
OpenChain is also supported by online self-certification, an active community, an extensive knowledge base, and multiple service provider partners. This is the core of OpenChain’s adaptability. Because it offers entities multiple assessment and certification options, it’s easier for organizations to choose the solution that best fits their size, market, and situation.
The Linux Foundation, the consortium that established OpenChain, has guided the entire technology industry through a combination of well-established expertise and open source collaboration. Since 2000, it has established multiple initiatives and founded various projects intended to promote innovation in software development and beyond.
BlackBerry believes building a more resilient and trusted software supply chain is critical to the future of secure software. Moreover, we have faith in The Linux Foundation.
What Conformance Means for BlackBerry
BlackBerry isn’t just the first company in North America to achieve full entity conformance, we are also the first to collaborate with an official OpenChain Partner Company, OSS Consultants.
“It is hard to overstate the importance of [this] announcement,” says Shane Coughlan, OpenChain general manager. “BlackBerry has one of the deepest industry pedigrees in bringing increased peace of mind to enterprise and governmental organizations. Their continuation of this approach to the heart of their use in open source both underlines their commitment to excellence and serves as a beacon for other companies to follow.”
We recognize that our highest-security customers are maturing. Public sector agencies and businesses in regulated industries need to know that BlackBerry lives up to its reputation. It’s why we formed a dedicated team to support our work with OSS.
“That team has made a giant impact across the enterprise,” says Russ Eling, founder and CEO of OSS Consultants. The company helped BlackBerry establish a conformant process for managing open-source compliance around our entire product portfolio, ultimately establishing an efficient Open-Source Program Office (OSPO) and team within BlackBerry. “Together, we built this awesome capability, and it’s being used companywide.”
A Proactive Approach to Security, Resilience, and Innovation
Many companies can’t effectively manage their software supply chain. To some extent, it’s understandable. The IT skills shortage shows no sign of letting up, and breaking down one’s software into its component parts tends to be an incredibly complex task.
BlackBerry has the resources and the expertise to be proactive in this regard. We have the capacity to embrace industry best practices and meet even the most stringent supply chain assurance needs. While this is an enormous undertaking given the size of our portfolio, we believe the results are worth the effort.
We developed effective tools, such as BlackBerry® Jarvis® 2.0, to help organizations gain visibility into their software stacks. Core benefits of BlackBerry Jarvis 2.0 include:
- Amplified visibility – BlackBerry Jarvis 2.0 lets you analyze all the software in your product without the need to access the source code.
- Time savings – with BlackBerry Jarvis 2.0, the analysis can be done in minutes, instead of months.
- Enhanced safety – BlackBerry Jarvis 2.0 detects open-source software, versions, and CVEs to let you more easily identify vulnerabilities in third-party binaries and plan how to address them.
- Compliance – meet even the toughest audit and regulatory compliance requirements, and cybersecurity standards (WP.29 R155, ISO 21434).
Another Layer of Security and Risk Management
With OpenChain, BlackBerry customers have another layer of security and risk management atop their existing software.
Our conformance with OpenChain also represents a key milestone in our growth. It demonstrates our maturity as a cybersecurity software vendor. It provides clients with the assurance they need to adopt BlackBerry® solutions at even the highest levels of the public sector.
And above all, it’s proof that when we say something is “BlackBerry Secure,” we aren’t parroting empty words.