3 Trends to Watch in Software Supply Chain Security
If complexity is the enemy of security — then the modern software supply chain is in trouble. It has become increasingly complex as organizations rely on third-party components, open-source code, and external vendors to build products and services.
As we've seen from numerous high-profile incidents, the intricacies of the software supply chain introduce vulnerabilities that malicious actors are eager to exploit. This leads to a key question: How can organizations address their software supply chain security risk while enabling the business? I uncovered some ideas during a discussion on this very topic with Christine Gadsby, who is Vice President of Product Security at BlackBerry.
Watch our full discussion below or keep reading for three trends to watch.
1. Software Supply Chain Security: The Fundamental Problem
The first trend to watch in software supply chain security is around telemetry and visibility. Gadsby calls this a fundamental issue.
“One of the biggest things is that organizations are facing a lot of telemetry problems. They build a software widget, they sell a software widget, but they don't really know what's in the widget, right? And so the widget goes out and then somebody does a pen test against it and they find all these things that the widget builder didn't even know they had in their product,” says Gadsby.
However, there is a positive trend developing in this area according to Gadsby. "We’re seeing a lot of companies try to get a better understanding of what their attack surfaces are with their own telemetry,” she says.
Many organizations are now developing their own SBOMs (software bills of materials), because without an inventory of the third-party components and open-source libraries that make up their products, it is impossible to assess and manage risk properly. There is also an increase in the number of companies that regularly monitor their dependencies for newly published vulnerabilities and for code changes, so that remediation can happen in a timely way.
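The monitoring step above only works once the inventory exists in a machine-readable form. As an added illustration (not code from the original article or from BlackBerry), the script below parses a small CycloneDX-style SBOM and checks each component against a vulnerability feed keyed by package URL (purl), using the OSV-style convention that an "introduced" version is inclusive and a "fixed" version is exclusive. Both the SBOM and the advisory feed are constructed sample data: the package names and advisory IDs are hypothetical and describe no real vulnerabilities. Components that carry no purl are reported separately, since they are exactly the "we don't know what's in the widget" case the quote describes.

```python
"""Added example: match an SBOM's components against a vulnerability feed by purl.

The SBOM and the advisory feed are constructed sample data; package names
and advisory IDs are hypothetical and do not refer to real vulnerabilities.
"""
import json
import re

# Constructed CycloneDX-style SBOM (JSON); not the SBOM of any real product.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "widget-parser", "version": "1.4.2",
     "purl": "pkg:npm/widget-parser@1.4.2"},
    {"type": "library", "name": "widget-crypto", "version": "3.0.0",
     "purl": "pkg:pypi/widget-crypto@3.0.0"},
    {"type": "library", "name": "widget-net", "version": "2.9.1",
     "purl": "pkg:maven/com.example/widget-net@2.9.1?type=jar"},
    {"type": "library", "name": "vendor-blob", "version": "unknown"}
  ]
}"""

# Constructed advisory feed with hypothetical IDs. "introduced" is inclusive,
# "fixed" is exclusive; fixed=None means no fixed release is known.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:npm/widget-parser",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:pypi/widget-crypto",
     "introduced": "2.0.0", "fixed": "3.0.0"},
    {"id": "EXAMPLE-ADV-0003", "purl": "pkg:maven/com.example/widget-net",
     "introduced": "2.9.0", "fixed": None},
]


def parse_version(version):
    """Reduce a dotted version to a tuple of integers for ordering.

    Simplified on purpose: enough for x.y.z strings, not a full semver or
    PEP 440 comparator (pre-release tags and build metadata are ignored).
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def split_purl(purl):
    """Return (package identity without version/qualifiers/subpath, version or None)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (or version >= introduced when no fix exists)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def scan_sbom(sbom_json, advisories):
    """Return {"findings": [(advisory_id, purl), ...], "unmatchable": [component names]}."""
    sbom = json.loads(sbom_json)
    findings, unmatchable = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # Without a purl there is no reliable identity to match on: report it,
            # because an unidentifiable component is itself a visibility gap.
            unmatchable.append(comp.get("name", "<unnamed>"))
            continue
        name, version = split_purl(purl)
        version = version or comp.get("version")
        for adv in advisories:
            if adv["purl"] == name and version and \
                    is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((adv["id"], purl))
    return {"findings": findings, "unmatchable": unmatchable}


if __name__ == "__main__":
    result = scan_sbom(SBOM_JSON, ADVISORIES)
    for adv_id, purl in result["findings"]:
        print(f"{adv_id}: {purl}")
    for name in result["unmatchable"]:
        print(f"no purl, cannot match: {name}")
```

In this sample, widget-parser 1.4.2 falls inside [1.0.0, 1.5.0) and widget-net 2.9.1 is at or above an introduced version with no fix available, so both are reported; widget-crypto 3.0.0 equals the fixed version and is not. In practice the feed would come from a source such as OSV or NVD and the version comparison would use the ecosystem's own rules, but the shape of the check is the same.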
2. The Move Towards Software Security Certifications
The second trend to watch is that an increasing number of software makers are pursuing third-party assessments of their software supply chain security practices. This reveals which manufacturers are willing to prove they take software security seriously — and it’s something an increasing number of purchasers are demanding.
BlackBerry proved itself a leader in supply chain cybersecurity when it became the first business in the Americas to achieve conformance with the OpenChain Security Assurance Specification. The certification validates the company's ability to manage open-source vulnerabilities and risks as part of its software supply chain, providing a higher level of security assurance for customers.
And there’s more where that came from, says Gadsby. “We recently recertified with OpenChain. This is just one of the many things we are doing to protect our customers and our organization. And I think this approach is gaining traction in the industry. I'm seeing a growing number of companies examining the overall cyber health of what is in their products.”
And Gadsby adds, “Our BlackBerry heritage is partly based on our cybersecurity software and platforms, which are proven to help protect organizations and that security professionals love to use — but our reputation is also built on how we build our software as well, with security in mind.”
3. Software Supply Chain Standards
Another trend to watch is happening simultaneously in multiple parts of the world. Governments and industry groups are developing new standards, guidelines, and compliance frameworks to strengthen security across the entire software development lifecycle. In the U.S., for example, the federal government is aligning best practices to mitigate software supply chain risk by building on the direction given by Executive Order 14028 on “Improving the Nation’s Cybersecurity.” This includes SBOM efforts, the NIST Secure Software Development Framework (SSDF, NIST SP 800-218), and numerous other efforts.
Vendors are also under pressure to demonstrate robust source code protection, code signing practices, access controls and monitoring across their internal development teams and external partners involved in software builds and distribution.
“We've already seen a really big shift in securing the supply chain of software,” says Gadsby. “Right now, the responsibility for security is moving toward the vendor producing the software. We see heightened accountability of the little parts in a finished software product, which has driven a lot of good dialogue.”
Securing the modern supply chain will remain a complex challenge. But by focusing on telemetry, security certifications, and improved secure software development standards — organizations are making strides to gain visibility and control over their risks while still supporting innovation. "I'm an optimist, so I think we're headed in the right direction, and we'll get where we want to go,” says Gadsby.
Optimism in cybersecurity? Now there’s something we could use more of.
Watch our full conversation in the video above for additional details on this topic.