4 Practical Ways to Step Up Your Software Supply Chain's Security

by Brad Garland

When it comes to optimizing your software organization’s security regime, you’re probably used to focusing on end products and your own infrastructure's regulatory compliance concerns. While your software-supply chain probably isn’t the number-one place you think of when you’re planning to hone your security measures, it’s still a vital cog in the machine. That makes it an area that requires robust security measures.

Even better, increasing the security in your supply chain sector can improve your productivity and the quality of your products while also reducing your security risks. Whether you’re operating with an information-security consulting partner or working with your own resources, here are four tips to improve your supply chain security management.

information security consulting

1. Assess Your Warehouses

If you’re like most software-development companies, your warehouses are bursting at the seams with multiple generations of components. In its "2016 State of the Software-Supply Chain" report, Sonatype, managing organization for the Central Repository, revealed that 10,000 new component versions enter the development ecosystem every day. The report also highlighted the fact that enterprise organizations download nearly 230,000 components every year, marking a vast repository of assets.

Whether these components are bits of fully developed software, chunks of random code or even entire platforms, these assets can pile up over time and obscure hidden security concerns. Outdated code, obsolete modules and even components that were originally secure won’t remain that way indefinitely since software ages quickly. Indeed, Sonatype says that components that are more than 3 years old are more than three times as likely to contain vulnerabilities when used in modern environments, marking a clear information security concern.

What is the state of your warehouse, and how are you tracking your inventory? If you don’t have quick answers to those questions, it’s probably time to re-evaluate your relevant procedures. Without a reliable and well-structured way to keep tabs on your warehouse inventory, you’ll find it difficult — if not impossible — to figure out how much of that material is old, defective or otherwise a potential risk.

2. Automate Design Review and Approval Processes

With hundreds of thousands of software components “in the mix” in most development organizations, you can’t rely on manual reviews to ensure an effective security regime in your design and approval processes. Beyond being insecure, manual reviews are simply too inefficient at wading through your assets to be your only means of verification. Furthermore, manual reviews are utterly incapable of scaling with your productivity over time.

This vital point means that the mere fact of entering the software-component supply chain means your company is inevitably going to come into contact with risky assets. While the open-source community operates with a collectively robust security environment, the sheer mass of data at play means risky components are inevitably going to slip through around the margins. Indeed, Sonatype’s own assessments reveal that nearly 7 percent of components that are currently in use for applications have at least one known security defect, but they are still entering the production stream.

The last thing you want is to make your organization less secure while it grows, so your security policies should be able to keep up with that growth in your software and its supply chain. Preferably, you need automated processes for design review and approval, including vendor due diligence. Vendors still need reviewing even if they’re only one step in an overall verification regime that also includes manual inspections.

3. Start With the Best

One of the most effective ways to keep your software-supply chain secure is to ensure that you’re only making use of the best components to begin with. Rigorously vetting your assets at the very start of the development process allows you to build a solid foundation for every project’s entire life cycle.

software supply chainBy working only with the highest-quality software elements and information-security procedures from the get-go, you make it easier for developers in the late stages and subsequent generations to maintain a highly secured status quo. A top-notch foundation ensures those developers won’t need to waste time on unnecessary security patches, so your developer's productivity increases in the process. Additionally, setting high standards for your components has dividends in every area of their use because reviewing assets from a security standpoint also gives your personnel time to assess other factors that determine their quality.

4. Implement Continuous Monitoring

In the modern development world, third-party components make up more than 80 percent of most applications, and only 20 percent of code comes from in-house development. Therefore, monitoring the security of your supply chain can’t be a one-off event.

Different components come into the development process at varying stages, so monitoring needs to occur across the entire life cycle for visibility and traceability at every stage. Ideally you’ll be able to implement developer-focused decision making, so the employees with the most hands-on experience with your components are also at the front line of your monitoring procedures to maximize your cybersecurity and safety.

You can guarantee that your organization isn’t letting risky components linger by putting the best information-security practices into place at the start of your development cycles and then using continuous monitoring and automated reviews to maintain your assets.

Contact us today to find out how your organization can maximize the security of your software-supply chain.
Info Security Cheat Sheet