Advisory and professional services giant PwC UK is partnering with security firm ReversingLabs to develop a third-party risk management (TPRM) platform to help businesses address software supply chain security risks. Alongside ReversingLabs, the firm aims to help customers modernize traditional TPRM programs to better suit the modern software supply chain, operationalizing detection and mitigation of threats inherent in third-party software. Software supply chain risks pose complex and ongoing challenges for businesses across the globe.

Alliance targets software visibility, risk remediation, malware attacks

The new alliance combines PwC’s advisory capabilities and executive-managed service expertise in TPRM programs with ReversingLabs’ automated platform to quickly detect and mitigate threats within software, the firms said in a press release. The pair said the partnership will help customers:

- Increase visibility into software: visualize the components that make up the software supply chain and the risk they present to the business.
- Automate software assurance testing: eliminate manual questionnaire-based testing required for software suppliers.
- Protect the software supply chain end-to-end: reduce the likelihood and impact of malware and tampering attacks on the supply chain across the software development and use lifecycles.
- Reduce dependencies on supplier cooperation: obtain security assurance over software consumed using just a binary package (no access to source code is needed).
- Streamline risk remediation: prioritize security remediation efforts to those critical risk issues that most significantly impact a business.

Software supply chain security approaches must evolve

“The way firms must think about their supply chain continues to evolve and it’s clear now that with such a high dependency on software and technology, getting visibility into software security is no longer a nice-to-have activity,” said Penny Flint, partner, PwC UK.
Modern software supply chain security demands that organizations address not only issues specific to the development of software applications, but also those arising from the consumption of commercial software, where suppliers’ reliance on external components like third-party libraries introduces additional risks, said Mario Vuksan, CEO and co-founder, ReversingLabs. “Organizations have never been more reliant on their supplier base than they are today. As a result, automation is needed to help assess the risk of these relationships at speed and scale,” Vuksan said. “At the same time, TPRM teams need solutions to not only manage emerging and existing threats from the supply chain, but other challenges, including regulatory scrutiny, access to talent, and the convergence of various risk domains.”

Software supply chain risks continue to impact businesses

In October 2022, research from software supply chain management company Sonatype revealed that the number of documented supply chain attacks involving malicious third-party components increased by 633% over the previous year, reaching over 88,000 known instances. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies reached unprecedented levels, plaguing two-thirds of open-source libraries, according to the research.

In March, the White House released an ambitious National Cybersecurity Strategy that puts greater responsibility on US software vendors to secure the software ecosystem. “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unknown or unvetted provenance,” the strategy states.
The administration is proposing to shift responsibility onto software makers that fail to take reasonable precautions to secure their products and away from the end users who all too “often bear the consequences of insecure software.”