How to Manage Software Supply Chain Risks
www.informationweek.com
Lisa Morgan, Freelance Writer
March 6, 2025

Software supply chains are under attack, and the fallout affects all kinds of organizations. Breaches such as SolarWinds and MOVEit serve as a wake-up call, underscoring the need for better visibility and protection.

"The reality of software development today is that we're all building layers over layers that we, as tech professionals, don't fully grasp," says Adam Ennamli, chief risk and security officer at General Bank of Canada. "Virtually every application nowadays is a complex patchwork of third-party components. It's inevitable if you want to maintain competitive time-to-market metrics. The problem is that while this accelerates your lifecycle, it also means you're inheriting, and therefore taking, unknown risks."

Some teams learn about software supply chain risks the hard way, when the critical open-source components they rely on suddenly become unmaintained or critically vulnerable. Another factor is that some open-source projects are being intentionally poisoned. Similarly, erroneous and misleading content is being seeded on the internet to target the LLMs that ingest that data.

"You can't treat supply chain security as just another checkbox on your security assessment, as it touches the very fabric of your product's reliability, and therefore, the trust of your customers," says Ennamli. "You need visibility into what code is running in your environment, who maintains it, and how it's being updated. This isn't just about scanning packages anymore; it's about understanding the entire ecosystem your applications depend on."

Visibility into data streams tends to be a major challenge CIOs and CISOs face.

"Understanding all third-party suppliers, resources, and software components can be a major hurdle as organizations' environments are ever changing and expanding," says Jeremy Ventura, Field CISO at global systems integrator Myriad360. "With this comes a data issue. Who has access to my data? What type of data do I own? Where is my data being sent and received? When is my data being accessed? [These questions] are all examples of what technology leaders should be asking themselves every day."

Supply Chain Risk Is a Team Sport

Developers can't manage risks on their own, nor can CISOs.

"Effectively protecting, defending and responding to supply chain events should be a combination among many departments [including] security, IT, legal, development, product, etc.," says Ventura. "Not one department should fully own the entire supply chain program, as it touches many business units within an organization. Spearheading the program typically falls under the CISO or the security team, as cybersecurity risks should be considered business risks."

One of the most common mistakes is having a false sense of security.

"Thinking with the mindset of, 'If I haven't had a supply chain issue before, why fix it now?' leads to complacency and a lack of taking cybersecurity seriously throughout the business," says Ventura. "Another common mistake is organizations relying too heavily on vendor assessments, where an organization can say they are secure, but haven't put in robust controls. Trusting an assessment completely without verification can lead to major issues down the road."

By failing to focus on supply chain risks, organizations put themselves at high risk of a data breach, financial loss, regulatory and compliance fines, and business and reputational damage. According to Ventura, a healthcare organization recently suffered a data breach when one of its suppliers was attacked; the breach caused lost patient data and ultimately led to compliance and regulatory penalties.

"My best advice is to focus on visibility into data -- your organization's data, customers' data, and third parties who may have access to your data," says Ventura. "Invest in solutions that provide a comprehensive software bill of materials (SBOM) for auditing purposes and continuously run risk assessments against your software supply chain vendors. Lastly, ensure that security is a shared responsibility between multiple departments internally."

General Bank of Canada's Ennamli says effective supply chain management requires four things:

1. Frequent communication between dev teams who understand the technical intricacies, security teams who can assess and understand risks, and business leaders who can weigh the tradeoffs between speed and safety;
2. Automated or semi-automated tools for visibility;
3. More education and experimentation around concepts such as SBOMs; and
4. A culture where developers feel empowered to raise concerns about suspicious packages while understanding the business pressure to move quickly.

"All of these components need to move together, in balance and harmony, or you'll either end up moving too slowly and frustrating your developers or moving too fast and exposing yourself to loss of trust," says Ennamli.

Joseph Leung, CTO and chief product officer at JAVLIN Invest, says vulnerabilities within a third-party software library are inherently difficult to track as products scale and age in the market.

"We automate dependency tracking with tools such as OWASP Dependency-Check, but it cannot be relied on by itself. In my experience, the best ROI for managing threats is to make security a part of everyone's role," says Leung. "Creating policies for vetting libraries and performing regular security reviews in the dev pipeline are two easy processes that instill a security-focused culture into my teams. In short, it's all about creating maximum visibility across all members within your product teams."

The root cause of the problem is that organizations lack insight into the third-party components used across their applications.

"The rapid pace of vulnerability disclosures can overwhelm teams," says Leung. "Resource allocation, legacy systems, and lack of executive buy-in can further complicate security efforts."

Adam Martin, director of IT and operations at full-service architecture and engineering firm American Structurepoint, says cross-functional collaboration is critical.

"IT and development teams must actively scan and update systems, while legal and procurement should vet vendors' security practices," says Martin. "It is important that executive leadership aligns with the need to prioritize software supply chain security."

Bottom Line

Organizations need to do a better job of understanding what's included in their applications. Without that sort of visibility, all sorts of bad outcomes may follow, not the least of which is potential liability. SBOMs and software composition analysis solutions help. So does fine-tuning internal processes and creating a collaborative culture that prioritizes software and dependency visibility.

About the Author

Lisa Morgan, Freelance Writer

Lisa Morgan is a freelance writer who covers business and IT strategy and emerging technology for InformationWeek. She has contributed articles, reports, and other types of content to many technology, business, and mainstream publications and sites including tech pubs, The Washington Post and The Economist Intelligence Unit. Frequent areas of coverage include AI, analytics, cloud, cybersecurity, mobility, software development, and emerging cultural issues affecting the C-suite.