Gain insights into the Gartner® report and learn how to mitigate enterprise software supply chain risks by integrating software supply chain security into vendor risk management.
The threat of software supply chain attacks is a significant concern today. According to the Gartner report, SDLC attacks have affected 61% of U.S. businesses in the 12-month period ending in April 2023. In response, Gartner projects a shift in the coming years, with an expected 60% of organizations procuring mission-critical software requiring SBOM disclosures, a major increase from the mere 5% reported in 2022.
These statistics sit alongside a troubling finding from Sonatype’s ninth annual State of the Software Supply Chain report: only 7% of respondents have actively assessed security risks within their supply chains. Against this backdrop, this blog distills crucial insights from Gartner’s research on software supply chain risks, covering topics such as integrating supply chain considerations into vendor risk management, advocating for transparency from vendors, and leveraging the power of SBOMs.
In the field of vendor risk management, Gartner points out an important issue. Traditional assessments and AppSec tools often do not provide enough detail to fully evaluate a vendor’s security. While these assessments and tools provide some insight, they are not sufficient for a comprehensive risk assessment.
As security risks continue to loom large, organizations are seeking concrete proof of secure software development practices from vendors. By providing such evidence, vendors can strengthen their position, build trust, and stay ahead of the game.
Gartner has emphasized the crucial importance of software supply chain frameworks in today’s fast-paced environment, particularly the Secure Software Development Framework (SSDF) created by the National Institute of Standards and Technology (NIST). This comprehensive framework includes essential components such as organizational preparedness for security incidents, preserving software integrity, ensuring secure software development, and efficiently handling vulnerabilities.
Even though SSDF sets a strong standard, some vendors may face challenges fully aligning with its criteria or may prefer to use other frameworks. In this case, Gartner suggests alternative evaluation approaches, such as the Supply-chain Levels for Software Artifacts (SLSA) framework, which focuses on securing software artifacts and strengthening the entire software development process.
Gartner’s analysis highlights the importance of vendor risk management that covers secure software development practices and leverages frameworks like SSDF and SLSA; this is crucial for ensuring comprehensive vendor compliance with software supply chain security.
The modern software ecosystem heavily relies on external libraries, both open-source and commercial. However, this dependence introduces risks that require careful management. According to Gartner, transparency in commercial software is essential, as demonstrated by the chaos caused by the Apache Log4j vulnerability. This case highlights the critical need for a Software Bill of Materials (SBOM) to quickly identify and handle such vulnerabilities.
Gartner strongly recommends the use of SBOMs as a tool for identifying and mitigating risks in software components. SBOMs provide detailed information about software components, allowing for rapid assessment of and response to potential vulnerabilities. While some vendors may hesitate to share their SBOMs in order to protect their IP, Gartner states, “The inability or unwillingness of a vendor to provide an SBOM should be viewed as a significant risk and potentially disqualifying.”
However, this approach is still in the developmental phase, particularly when it comes to commercial software. Gartner highlights the need for improved tools and information to assess the security and operational risks associated with software components in commercial settings.
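The rapid-assessment use of an SBOM that the paragraphs above describe is, in practice, a lookup: each component’s package identifier and version is compared against an advisory list, and only components whose version falls inside an affected range are flagged. The script below is an added example, not code from the original post or from Legit Security: it parses a small CycloneDX JSON SBOM (constructed inline, as a vendor might deliver it or as an in-house tool might generate it) and checks every component’s package URL against a constructed advisory list. The advisory identifiers and version ranges are placeholders, not real vulnerability data.

```python
"""Check a CycloneDX SBOM (JSON) against an advisory list.

Added example, not code from the original post or from Legit Security.
The SBOM and the advisory list below are constructed sample data.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM fragment, as a vendor might deliver it.
SAMPLE_SBOM = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
  ]
}
'''

# Constructed advisory list: placeholder identifiers and illustrative ranges only,
# not real vulnerability data. "introduced" is inclusive, "fixed" is exclusive,
# and "purl" is the package URL without its version.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "2.13.0", "fixed": "2.13.3"},
]


def version_key(version: str) -> tuple:
    """Turn '2.14.1' into a comparable key. A pre-release suffix such as
    '-beta9' sorts below the bare release with the same numbers."""
    base, _, pre = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", base))
    # (nums, 0, pre) sorts before (nums, 1, ""), so 2.0-beta9 < 2.0
    return (nums, 0, pre) if pre else (nums, 1, "")


def split_purl(purl: str) -> tuple:
    """Split 'pkg:type/namespace/name@version' into (purl without version, version)."""
    base, _, version = purl.partition("@")
    return base, version


def affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_affected(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version is in range."""
    sbom = json.loads(sbom_json)
    by_purl = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # No package URL: the component cannot be matched reliably. A real
            # pipeline should record this as a gap in the SBOM rather than skip it silently.
            continue
        base, version = split_purl(purl)
        for adv in by_purl.get(base, []):
            if affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"advisory": adv["id"], "purl": purl})
    return findings


if __name__ == "__main__":
    for finding in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{finding['advisory']}: {finding['purl']}")
```

Matching on the package URL rather than on the free-text `name` field matters: the same library name can exist in several ecosystems and namespaces, and the purl carries both. Note that the SBOM contains two copies of log4j-core at different versions; a check that stopped at the first match would miss the second, so the script reports per component, not per package name.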
While it is important to have transparency in software contents and vendor security practices, certain situations demand more thorough security evaluations. Gartner advises a cautious approach, especially for systems that handle sensitive data or pose a higher risk, for example, systems that manage financial transactions or store sensitive personal data (such as healthcare records). They suggest forming cross-functional teams to manage these assessments effectively.
These assessments cover various areas, such as creating SBOMs, detecting malware, and conducting security testing. Even though SBOMs are crucial, vendors might not provide them in some cases. In such scenarios, Gartner recommends developing in-house SBOMs using specialized tools to scrutinize software security and operational risks thoroughly.
Identifying malicious code within software, whether open-source or commercial, is critical. There are automated tools that can aid in identifying these threats, complementing traditional testing methods like penetration testing or fuzzing.
Gartner mentions that before performing any external code analysis, it is crucial to seek legal advice. Software licensing agreements often impose restrictions on testing, and laws governing security research and software rights vary. Therefore, ensuring that actions align with legal boundaries is essential.
In essence, organizations must navigate legal constraints and consider supplementary testing methods to establish a robust software evaluation strategy while aiming for comprehensive security assessments.
To tackle the complex challenges of software supply chain security, it’s important to have effective tools and solutions at hand. A platform like Legit, which offers innovative software supply chain management and strong application security posture management (ASPM), can help address these challenges.
Our platform has comprehensive features that align with the recommendations outlined in this article. It makes it easy for organizations to integrate software supply chain risk management into their vendor risk assessments, using tools like SBOMs and managed SCA scanners, and provides a robust framework to strengthen software supply chains and enhance organizational security measures. Our platform allows enterprises to protect their software supply chain from attacks and provides application security posture management from code to cloud.
Ready to learn more? Schedule a product demo or check out the Legit Security Platform.
This is a Security Bloggers Network syndicated blog from Legit Security Blog authored by Eitan Karadi. Read the original post at: https://www.legitsecurity.com/blog/mitigate-enterprise-software-supply-chain-security-risks-insights-into-the-gartner-report