security

14 Smart Strategies For Establishing A Secure Software Supply Chain – Forbes


Just as contractors construct a building using established processes and plans as well as premade and precut materials, a software program is built on the foundations of established development practices and previously written, working code, some of which may not be the sole intellectual property of the company creating the software. Indeed, much of the code underlying modern software is open-source—meaning it’s accessible to, and editable by, almost anyone.

This means all software has a supply chain that includes all its component parts as well as everything that happens during its ideation, creation, deployment and maintenance. And security vulnerabilities can be introduced at any point, making it essential for tech leaders to establish practices to monitor and protect each link in the chain. Here, 14 members of Forbes Technology Council discuss smart strategies for establishing a secure software supply chain, and why they’re so important.

1. Stress Security Throughout The Entire Value Stream

Security can’t be something owned by one part of the business or left to the end. Security needs to be part of the strategic plan and continued throughout the entire value stream. It isn’t something that can just be scanned for just prior to production. Teach your teams why security needs to be part of the entire flow rather than just giving them the release criteria. Include them in the “why.” – Laureen Knudsen, Broadcom

2. Ensure You Have Visibility Into Your Supply Chain

Observability is essential. If you can’t “see” your supply chain—whether through an actual visual representation or a digital breadcrumb trail—you won’t be able to analyze it and monitor its health over time. Supply chains are naturally complex, but it’s imperative to find ways to analyze these chains to support their evolution and development and ensure their long-term viability and security. – Lewis Wynne-Jones, ThinkData Works

Readers Also Like:  AI regulation push in U.S. continues as Schumer announces plans ... - The Washington Post

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?


3. Establish A System To Inventory And Manage Software Supply Chains

Most organizations have poor visibility into the choices developers are making and the dependencies in their software. Without a preexisting inventory of all the components, when the next zero day happens, they are left scrambling to find out if, where and how badly they are affected. Those that have a system to inventory and manage their supply chains are able to begin remediation immediately, avoiding the crisis. – Brian Fox, Sonatype, Inc.

4. Apply A Zero-Trust Strategy

Applying a zero-trust strategy is a useful mitigation when securing software supply chains. This strategy is important because it can be evaluated and inspected through deep compliance and trust handshakes that companies perform with their suppliers. – Yair Kuznitsov, anecdotes

5. Build Triage Plans Based On Vendors’ SBOMs

Software bills of materials, or SBOMs, have gotten a lot of publicity lately, but an SBOM is only the first step in the process. Demanding an SBOM from your software vendors allows you to understand what the constituent components of their products are. But the essential next step is to create processes around the analysis of announced vulnerabilities and a set of triage plans. Build these processes out! – Vincent Berk, Quantum Xchange

6. Keep Up With Patches And Updates

Regularly updating software with security patches and updates is one crucial procedure for establishing a safe software supply chain. To guarantee that the program and its creators can be trusted, it is crucial to properly vet and monitor them in addition to deploying security fixes and upgrades. – Neelima Mangal, Nutcache

7. Leverage MFA And Bring On A Chief Security Officer

The No. 1 thing you can do to ensure a smooth software supply chain is to create a tight security plan. One breach can disrupt months of hard work and lead to frustration for your employees and customers. I recommend using multifactor authentication and hiring a chief security officer to maintain and develop your cybersecurity strategy. – Thomas Griffin, OptinMonster

Readers Also Like:  Senator Elizabeth Warren Probes Google's Quest for Soldiers ... - ProPublica

8. Invest In Education And Development For Engineers

For a decade, security has been a trendy topic. Multiple tools, frameworks and approaches have been developed to contribute to a secure software supply chain. However, despite the advancements, people have remained the weakest component of the chain. Therefore, investment in the education and development of engineers is essential to help grow their awareness about new tools, techniques and threats. – Roman Reznikov, Intellias

9. Do Regular Offline Backups

Make sure you’ve got backups! Cloud computing is great until it isn’t. Review your software service providers every year—especially the ones that provide mission-critical apps, point-of-sale or revenue-generating systems. If there’s risk, implement a way to periodically do a manual, offline backup. – Rhonda Dibachi, HeyScottie.com

10. Make Cybersecurity Checks Part Of Devs’ Workflow

Take DevSecOps seriously. One way is to include cybersecurity work as one of the tasks developers must complete. Whether it’s threat modeling during the design; fixing bugs shown by SAST, DAST and/or SCA tools; or fixing vulnerabilities found through bug bounty programs, cybersecurity issues need to be prioritized and part of the work. This means that if it’s not done, then the work is incomplete. – Christine Bejerasco, WithSecure

11. Implement Secure Coding And Testing Practices

Implementing secure coding and testing practices is an essential step for ensuring a secure software supply chain, as it helps identify and mitigate security vulnerabilities early on in the development process, protecting the entire system from attacks. This is important, as software supply chains can be complex, with multiple partners and third-party components. – David Bitton, DoorLoop

Readers Also Like:  NAPCO Security Tech Tops Q2 EPS by 14c By Investing.com - Investing.com Australia

12. Establish An Inspection Checklist

The best way to know if supply chain security is effective or not is to establish an inspection checklist. The checklist allows everyone to become a “doctor” to ensure a secure software supply chain is established. Here are my eight inspection points to include: access controls, secure storage, encryption, secure transmission, vulnerability management, regular updates, review of a daily performance tracking system and corrective actions. – Chaitra Vedullapalli, Women in Cloud

13. Invest In Secure Collaboration Platforms

A software platform is only as secure as its weakest link. As supply chains become more global, the need to collaborate across different platforms and multiple data sets has grown exponentially. While many companies have adopted secure cloud-based platforms, the most common way of communicating across the supply chain is by emailing spreadsheets. Investing in secure collaboration platforms to eliminate this need is critical. – Richard Lebovitz, LeanDNA

14. Audit, Track And Review Software Components In Progress

With software supply chains being one of the most recent and most impactful areas of security vulnerability, it is critical to ensure that your software build process is secure. The most important things are ensuring that you know which versions of which components are being built and included and have audit, review and tracking to ensure that those components meet expectations. – Michael Adler, N-able

Check out my website



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.