The supply chain is one of the most critical parts of any business, but it's also one of the most vulnerable. Whether you're an enterprise or a manufacturer of devices or components, the best way to protect your business is to know what code is being used, where it came from, and the risks associated with it. Unfortunately, this is more easily said than done in most cases, especially when you consider firmware is just another form of software.
Given the increasing volume of firmware-related attacks, the lack of visibility into firmware is a critical security gap for many organizations. Whether you realize it or not, your non-traditional XIoT (Extended Internet of Things: IoT, IIoT, OT, and medical devices) form a large attack surface, and unfortunately these devices are also the hardest to understand in terms of code, configuration, and vulnerabilities. This post is a guide to best practices in software and firmware supply chain security, as well as an introduction to the NetRise platform and how it helps you understand the risk present in your non-traditional devices.
Define Your Software Supply Chain
In order to evaluate the security and risk of your software supply chain, it's critical to define your software supply chain. The following are some components that can help:
- Software supply chain stakeholders — These include vendors, developers, and other third parties.
- Software supply chain components — This includes source code, third-party and open-source libraries, build outputs such as firmware images and packages, and the documents and other artifacts produced during development.
- Software supply chain processes — The process used by developers to create their software products (e.g., coding standards, delivery, and build tools).
Generate an SBOM for Everything
A Software Bill of Materials (SBOM) is a machine-readable inventory of the software components in an application or firmware image: each component's name, version, supplier, and ideally a stable identifier (such as a package URL) and its dependency relationships. SBOMs are important because they give you a complete view of the software you are running and how it relates to other code and third-party products. This allows you to:
- Understand all dependencies, so you can make informed decisions about what to use and how it fits into the bigger picture
- Match components against vulnerability databases and advisories to determine quickly whether a known vulnerability affects you
- Reduce risk by identifying affected components faster, patching them, or replacing the package
- Record the risk you accept knowingly and put compensating security controls around it
The two most popular SBOM formats are CycloneDX and SPDX. Both have strengths and weaknesses. CycloneDX, maintained by OWASP, was designed with security use cases in mind (vulnerability and exploitability data, services, firmware components). SPDX, a Linux Foundation project standardized as ISO/IEC 5962, originated in license compliance and carries richer licensing metadata. Both have JSON serializations that are readable by tools and, with some effort, by people; the practical difference is tool support in your ecosystem, not human readability. The NetRise platform can generate both formats quickly, on demand, and with more extensive coverage and detection of dependencies than our competitors.
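As an added example, not code from NetRise or from the CycloneDX or SPDX projects, the script below shows the consumption side of an SBOM: it parses a small CycloneDX JSON document for a hypothetical firmware image, extracts each component's name from its package URL, and flags every component whose version is older than the fixed-in version on a constructed advisory list. The SBOM, the advisory identifiers (ADV-EXAMPLE-*) and the component versions are all made up for illustration; in practice the advisory list would come from a source such as NVD, OSV or a vendor feed, and version comparison would follow the package ecosystem's own rules.

```python
"""Match a CycloneDX SBOM against a list of fixed-in versions.

Added example, not NetRise code. Everything below (SBOM, advisories,
identifiers) is constructed for illustration.
"""
import json
import re

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical firmware image.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "firmware", "name": "router-fw", "version": "2.3.1"}},
  "components": [
    {"type": "library", "name": "busybox", "version": "1.31.1",
     "purl": "pkg:generic/busybox@1.31.1"},
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "dropbear", "version": "2020.81",
     "purl": "pkg:generic/dropbear@2020.81"},
    {"type": "application", "name": "u-boot"}
  ]
}
'''

# Constructed advisory list: (package name, fixed-in version, advisory id).
# A component is flagged when its version is older than the fixed-in version.
# The ADV-EXAMPLE ids are placeholders, not real CVEs.
ADVISORIES = [
    ("busybox", "1.33.0", "ADV-EXAMPLE-0001"),
    ("openssl", "1.1.1l", "ADV-EXAMPLE-0002"),
    ("zlib", "1.2.12", "ADV-EXAMPLE-0003"),
]


def version_key(version):
    """Turn '1.1.1k' into a tuple that orders numeric runs numerically and
    letter runs lexically, so 1.1.1k < 1.1.1l and 1.31.1 < 1.33.0.
    Simplification: pre-release tags such as 'rc1' are not understood;
    real tooling should use the ecosystem's own version scheme."""
    key = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((0, int(token), "") if token.isdigit() else (1, 0, token))
    return tuple(key)


def purl_name(component):
    """Prefer the package URL's name; fall back to the component name.
    purl layout: pkg:type/namespace/name@version?qualifiers#subpath"""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0].rsplit("/", 1)[-1].lower()
    return component.get("name", "").lower()


def load_components(sbom_text):
    """Parse a CycloneDX JSON document and return its component list."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return bom.get("components", [])


def find_affected(sbom_text, advisories=ADVISORIES):
    """Return [(name, version, advisory_id), ...] for components whose
    version is older than an advisory's fixed-in version."""
    hits = []
    for comp in load_components(sbom_text):
        name, ver = purl_name(comp), comp.get("version", "")
        if not ver:
            continue  # an entry without a version cannot be assessed; flag it in review
        for adv_name, fixed_in, adv_id in advisories:
            if adv_name == name and version_key(ver) < version_key(fixed_in):
                hits.append((name, ver, adv_id))
    return hits


if __name__ == "__main__":
    for name, ver, adv in find_affected(SBOM_JSON):
        print(f"{name} {ver} is older than the fix for {adv}")
```

Note the two edge cases the loop handles: a component with no version (the u-boot entry) is skipped rather than silently treated as safe, and an advisory for a package that is not in the SBOM (zlib) produces no match. The first case is the one to watch in firmware SBOMs, where extracted binaries often carry no reliable version string.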
Understand the Specific Threats to Your Organization
In order to understand how to mitigate the risks associated with the software supply chain, it is first important to gain an understanding of the specific threats to your organization and industry.
- Understand the specific threats to your organization: This may include attacks from specific threat actor groups or malicious insiders that have historically targeted organizations similar to your own.
- Understand the specific threats to the software supply chain: This includes attackers who gain access through vulnerabilities in the software itself, and attacks on suppliers' build, update, and distribution systems that let a tampered release reach you. It may also include sabotage by competitors or by disgruntled employees within a supplier's own operations.
- Understand the specific threats to the software supply chain in your country: Some countries see higher rates of certain types of attacks than others. Stay aware of local trends so you can take the necessary precautions when engaging suppliers.
NetRise can help with prioritization by reporting, for each vulnerability present in your software, which threat actors are known to use it, whether a weaponized exploit is publicly available, and links to the underlying threat intelligence you can use to build Indicators of Compromise, among many other data points.
Conduct Periodic Audits of Your Software Supply Chain
The software supply chain is an important element in how companies keep their data secure. It's also one of the most complex areas to manage, so it's important to have a solid plan in place to ensure your company's information remains safe while you build and test new products.
Start by conducting audits. They can be performed by an internal team or by an external third party, but they should be conducted regularly and as a separate exercise from the audit processes that already exist in your organization (such as security or quality assurance audits). These audits should evaluate:
- The quality of code being delivered from each vendor
- The effectiveness of vendors' compliance programs
- Your company's ability to track all software on all devices, including XIoT devices
NetRise can help with both implementation and guidance of how to improve your organization’s security posture. Contact us today to get started or learn more.