From software developers, security leaders, users and more, many people have a hand in the cybersecurity of software supply chains. “Software supply chains are complicated,” said Tony Sager, Senior Vice President and Chief Evangelist at the Center for Internet Security.

The good news about software supply chains is that they promote efficiency and organizational scaling, according to Sager. “The bad news is that if there’s a problem, it permeates across a really wide range without even trying. That can cover flaws, inadvertent mistakes, or use of software in unexpected ways, all the way out to and including someone who’s maliciously trying to introduce something into your supply chain.”

Threats to software supply chains

Intentional cyberattacks, insider risk or accidental compromise pose threats to software supply chains. These threats can wreak havoc in many cyber environments, but they are magnified when targeting part of the larger software supply chain.

One of the main challenges of software supply chain security is the nature of software development and construction. “There’s no easy way to separate out the good from the bad,” said Sager. “Software comes from all kinds of places. And software today is not so much written, but composed or compiled.”

Software developers use open-source and other existing code to create programs quickly. While this method increases efficiency, it also has the potential to spread vulnerabilities in code to a wide range of networks. As with the Log4j vulnerability, it can leave organizations scrambling to determine whether a vulnerable piece of code is hidden in their network.

Framing software security in terms of risk

Software Bills of Materials (SBOMs) play a critical role in solving this issue, acting as a sort of “ingredients list” for an organization’s software assets, according to Sager. However, an ingredients list can only go so far in terms of cybersecurity.

When looking at the ingredients on a grocery item, “all those unpronounceable names of ingredients may not mean a lot to the average consumer. So, they tend to look for some fairly straightforward thing, ‘gluten free’ for example, that resonates with them.”

The same should be true in the software environment, according to Sager. “For most consumers, they need a straightforward way to make a decision about risk. Does this come from a software company that has a good track record of fixing problems when they are found? Did they use good development practices? That’s a richer set of data than the ingredients because it also talks to things like quality.”

Making clear the risk aspects of software is critical to shifting software supply chain security from a reactive search for vulnerabilities to a proactive risk decision. “The key is always going be about balancing technical aspects of security with risk decision-making,” said Sager.