In his 2001 book From Analogue to Digital Supply Chains Tony Hines coined the term “digital supply chain” to explain the electronic distribution of goods or services that had previously been supplied in physical form. The digital delivery of media including movies (Netflix), books (Kindles), and music (MP3s), transformed the consumer experience. Similarly, the delivery of business software and services digitally (not in a box!) transformed the organizational experience.
The digital supply chain has remained a relevant concept especially as recent cyberattacks leverage digital supply chain vectors to exploit weakness in the interconnected digital business landscape. The massive SolarWinds attack stands out as a significant, far-reaching event that has left many organizations on high-alert. To compound SolarWinds, this summer’s Kaseya supply chain attack has many organizations wondering about the security threat any third party software provider can introduce.
Before signing a contract with a software provider, there are questions your organization can ask to understand the software’s security implications to the organization’s digital supply chain. After purchase and installation, there are actions your organization can take to protect against third party software vulnerabilities and compromises. Here are three quick tips to implement before signing a contract with a third party software provider and concepts to implement during the relationship.
You might ask a potential software vendor these questions:
Does the vendor have an integrity process that checks for software updates?
Can vendor software comply with security best practices, like running in least-privilege mode? (Many software platforms are required to run in privileged mode which means the software can take full possession of the system on which it is running.)
Aside from questions (and relying on vendor attestations), penetration testing can provide valuable insight as to whether an application has strong business logic and security controls in place (e.g.: authentication, authorization, etc.). Also called a pentest or ethical hacking, penetration testing is an authorized, simulated cyberattack demonstrating potential for unauthorized parties to gain access to a system. Security Magazine offers a comprehensive overview of why penetration matters and practical steps to build a penetration program.
With vendor software that companies purchase and then install in their own environments, such as SolarWinds and Kaseya, it is especially important for customers to know the expected behavior of such software to monitor for the unexpected. A firm understanding of the software bill of materials (SBOM) will clarify the open source and commercial software components of the solution and what might constitute a vulnerability. (However, your organization should not expect vendors to provide source code for review as it is intellectual property.) A solution for Continuous Monitoring should be in place to detect and alert when unusual modifications are made to the operating system or on installed software.
The pervasiveness of cyberattacks in the past year brings a collective focus on the digital supply chain – those less-tangible processes and technologies that enable a more efficient business. The digital supply chain and the third parties you include in it are every bit as important as your physical supply chain. Your digital supply chain makes your organization vulnerable to coming under siege by cyberattack. Awareness of the vulnerability your vendors introduce is the first step towards mitigating the risk.