mhill
UK Editor

PwC UK partners with ReversingLabs to bring software supply chain security to third-party risk management

News
Mar 28, 2023 | 3 mins
Data and Information Security, Risk Management, Supply Chain

Advisory and professional services giant PwC UK is partnering with security firm ReversingLabs to develop a third-party risk management (TPRM) platform to help businesses address software supply chain security risks. Alongside ReversingLabs, the firm aims to help customers modernize traditional TPRM programs to better suit the modern software supply chain, operationalizing detection and mitigation of threats inherent in third-party software. Software supply chain risks pose complex and ongoing challenges for businesses across the globe.

Alliance targets software visibility, risk remediation, malware attacks

The new alliance combines PwC’s advisory capabilities and executive-managed service expertise in TPRM programs with ReversingLabs’ automated platform to quickly detect and mitigate threats within software, the firms said in a press release. The pair said the partnership will help customers:

  • Increase visibility into software: visualize the components that make up the software supply chain and the risk they present to the business.
  • Automate software assurance testing: eliminate manual questionnaire-based testing required for software suppliers.
  • Protect the software supply chain end-to-end: reduce the likelihood and impact of malware and tampering attacks on the supply chain across the software development and use lifecycles.
  • Reduce dependencies on supplier cooperation: obtain security assurance over software consumed using just a binary package (no access to source code is needed).
  • Streamline risk remediation: prioritize security remediation efforts to those critical risk issues that most significantly impact a business.

Software supply chain security approaches must evolve

“The way firms must think about their supply chain continues to evolve and it’s clear now that with such a high dependency on software and technology, getting visibility into software security is no longer a nice-to-have activity,” said Penny Flint, partner, PwC UK.

Modern software supply chain security demands that organizations address issues specific not only to the development of software applications but also to the consumption of commercial software, where suppliers’ reliance on external components like third-party libraries introduces additional risks, said Mario Vuksan, CEO and co-founder, ReversingLabs. “Organizations have never been more reliant on their supplier base than they are today. As a result, automation is needed to help assess the risk of these relationships at speed and scale,” Vuksan said. “At the same time, TPRM teams need solutions to not only manage emerging and existing threats from the supply chain, but other challenges, including regulatory scrutiny, access to talent, and the convergence of various risk domains.”

Software supply chain risks continue to impact businesses

In October 2022, research from software supply chain management company Sonatype revealed that the number of documented supply chain attacks involving malicious third-party components increased by 633% over the previous year, reaching over 88,000 known instances. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies reached unprecedented levels, plaguing two-thirds of open-source libraries, according to the research.

In March, the White House released an ambitious National Cybersecurity Strategy that puts greater responsibility on US software vendors to secure the software ecosystem. “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unknown or unvetted provenance,” the strategy states. The administration is proposing to shift responsibility onto software makers that fail to take reasonable precautions to secure their products and away from the end users who all too “often bear the consequences of insecure software.”