The US president has issued an executive order to improve cyber security, which has ramifications across the software development supply chain.
A major area of concern for IT security teams is how to tackle the challenges posed by the increasing use of third-party platforms and services. The need for security that spans third parties applies across physical supply chains, software supply chains and outsourcing contracts.
In its 2021 UK CEO Outlook report, KPMG found that 81% of leaders considered protecting their partner ecosystem and supply chain just as important as building their own organisation’s cyber defences.
In January 2022, the White House convened government and private sector stakeholders to discuss initiatives to improve the security of open source software, and how new forms of collaboration could drive that improvement.
US president Joe Biden has made software security a national priority. His executive order on cyber security means that only suppliers that follow secure software development lifecycle practices and meet specific federal security guidance will be able to sell software to the federal government.
The order also calls on the industry to drive forward the use of software bills of materials (SBOMs), which aim to make it easier for people and organisations purchasing software to understand what components were used to build the products they use.
Discussing the risks inherent in a software supply chain, Mike Gillespie, managing director and co-founder of independent security consultancy Advent IM, says: “We know that third-party breaches have been grabbing headlines for the past few years. Not only does this show no signs of changing but, as we continue to work in remote and hybrid styles, the results of poor technology implementation and poor security risk management potentially place more organisations at risk from each other. And we know only too well how fast links between supply chain partners get exploited these days.”
The latest available data from the UK Information Commissioner’s Office (ICO), covering the third quarter of 2021, found that 51% of organisations had been breached via a third party in the preceding 12 months. The ICO found that three-quarters of these breaches were due to third parties having too much privileged access.
Gillespie recommends that organisations work on becoming more joined up with better information flow for risk management. “Too few risk assessments start with a detailed, well-informed threat assessment, which means that risk treatment is often flawed,” he says.
Open source security pipeline
Modern software development draws heavily on open source components. These components themselves often pull in further open source libraries as transitive dependencies, building, as the saying goes, on the shoulders of giants.
In May 2021, Biden issued an executive order to improve the security of software by establishing baseline security standards for the development of software sold to the government, which requires software developers to maintain greater visibility into their software and make security data publicly available.
In the complex world of a software supply chain, the challenge for a chief information security officer (CISO) is not only identifying every open source component, direct or transitive, that has been used in an enterprise system, but also auditing the maintainers of those projects to ensure they have established secure coding practices and will fix vulnerabilities in a timely manner.
Given that freely available open source code can be pulled from a repository such as GitHub and incorporated into enterprise software, there is no guarantee that the provider of the enterprise software will be able to put pressure on the code’s maintainer to fix any issues that arise.
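The two sides of the SBOM idea described above (the producer listing what went into a product, and the purchaser using that list to find exposed components, including ones pulled in transitively) can be shown in a few dozen lines. The following is an added, constructed example, not code from the article, the executive order or any SBOM tool: it walks a hypothetical dependency graph, emits a minimal CycloneDX-shaped document, and then, using only that document, flags components whose versions appear in a hypothetical advisory list and reports the dependency path that introduced each one. All package names, versions and advisories are invented.

```python
"""Producer and consumer sides of a minimal SBOM (constructed example)."""
import json
from typing import Dict, List, Set, Tuple

# name -> (version, [names it depends on])
Graph = Dict[str, Tuple[str, List[str]]]

# Constructed dependency graph for a hypothetical application "webapp".
# Package names and versions are illustrative, not real projects.
DEPENDENCY_GRAPH: Graph = {
    "webapp":     ("1.0.0", ["httpclient", "templating"]),
    "httpclient": ("2.3.1", ["urlparse", "compress"]),
    "templating": ("0.9.4", ["escape"]),
    "compress":   ("3.0.2", ["urlparse"]),
    "urlparse":   ("1.1.0", []),
    "escape":     ("1.2.0", []),
}

# Constructed advisory list: name -> affected versions. Hypothetical data.
ADVISORIES: Dict[str, Set[str]] = {
    "compress": {"3.0.1", "3.0.2"},
    "escape":   {"1.1.0"},
}


def purl(name: str, version: str) -> str:
    """Package URL; 'generic' type because no ecosystem is specified here."""
    return f"pkg:generic/{name}@{version}"


def parse_purl(p: str) -> Tuple[str, str]:
    """Inverse of purl(): 'pkg:generic/name@version' -> (name, version)."""
    name_version = p.split("/", 1)[1]
    name, version = name_version.rsplit("@", 1)
    return name, version


def resolve(root: str, graph: Graph) -> Dict[str, List[str]]:
    """Producer side: every package reachable from root, mapped to the first
    dependency path that pulled it in. Cycles are handled by the visited map."""
    paths: Dict[str, List[str]] = {}
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        if name in paths:
            continue
        if name not in graph:
            raise KeyError(f"no metadata for dependency {name!r}")
        paths[name] = path
        for dep in reversed(graph[name][1]):   # reversed so deps pop in declared order
            stack.append((dep, path + [dep]))
    return paths


def build_sbom(root: str, graph: Graph) -> dict:
    """Producer side: a minimal CycloneDX 1.4-shaped document as a dict."""
    paths = resolve(root, graph)
    root_version = graph[root][0]
    components = [
        {"type": "library", "name": n, "version": graph[n][0], "purl": purl(n, graph[n][0])}
        for n in paths if n != root
    ]
    dependencies = [
        {"ref": purl(n, graph[n][0]),
         "dependsOn": [purl(d, graph[d][0]) for d in graph[n][1]]}
        for n in paths
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": root,
                                   "version": root_version,
                                   "purl": purl(root, root_version)}},
        "components": components,
        "dependencies": dependencies,
    }


def find_vulnerable(sbom: dict, advisories: Dict[str, Set[str]]) -> List[dict]:
    """Consumer side: using only the SBOM, flag components whose version is in
    an advisory and report the shortest path from the product that pulls them in."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root_ref = sbom["metadata"]["component"]["purl"]
    paths = {root_ref: [root_ref]}
    queue = [root_ref]
    while queue:                                # breadth-first: shortest path first
        ref = queue.pop(0)
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    findings = []
    for comp in sbom["components"]:
        name, version = parse_purl(comp["purl"])
        if version in advisories.get(name, set()):
            path = paths.get(comp["purl"], [comp["purl"]])
            findings.append({"name": name, "version": version,
                             "path": [parse_purl(r)[0] for r in path],
                             "direct": len(path) == 2})
    return findings


if __name__ == "__main__":
    bom = build_sbom("webapp", DEPENDENCY_GRAPH)
    print(json.dumps(bom, indent=2))
    for f in find_vulnerable(bom, ADVISORIES):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['name']}@{f['version']} ({kind}) via {' -> '.join(f['path'])}")
```

On the constructed data the only finding is compress@3.0.2, reached only through httpclient, which is the point of the exercise: the component is absent from the application's own dependency declaration and would be missed by anyone who only reads that. Real SBOMs would carry ecosystem-specific purl types (pkg:npm, pkg:maven and so on) and would be matched against a real advisory feed rather than an inline dictionary.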