Organizations must be willing to ask software vendors hard risk-based questions and be prepared for that to lengthen the purchase process.

It seems like just yesterday that the mad scramble following the SolarWinds compromise elevated supply chain security to the forefront of every entity, regardless of sector. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) formed the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force in an effort to unite public and private entities with the goal of developing an actionable strategy to enhance supply chain security.

From the CISO perspective, a recent industry report from Coalfire on software supply chain risk hit the nail on the head: “Managing risk within software supply chains and product development lifecycles has become as important as protecting traditional, physical inventories and equipment supply lines.” Their survey, conducted with CyberRisk Alliance, highlighted that 52% of managers are concerned about software exposed to attack.

CISA issued guidance on defending against software supply chain attacks, including recommendations for organizations and software vendors to minimize their risks. It touched on six vectors:
- Design
- Development and production
- Distribution
- Acquisition and deployment
- Maintenance
- Disposal – IT asset disposition (ITAD)

SBOMs alone “woefully incomplete” for software-producing companies

Reaching out to Dan Cornell, vice president, product strategy at Coalfire, we learn, not surprisingly, that one size does not fit all and that different organizations will evaluate and understand their risk in different ways. He explains how traditional security management included service level agreements, measurable outcomes, etc. For software-producing organizations, producing a software bill of materials (SBOM) and calling it a day is the minimalist approach and woefully incomplete.
“Real visibility into the supply chain isn’t provided by a SBOM,” Cornell says. “I would like to see forced transparency to take place going beyond the SBOM but don’t know if the industry has the appetite.”

Lack of risk visibility slowing software purchases

He concludes that the buyer has the power, prior to signing the contract, to demand the visibility necessary to determine the risk exposure a vendor’s product brings. Not surprisingly, as more buyers demand answers to “risk-based questions” as part of the deal flow, there is a decided slowing of the purchase process. Customers are taking on the work of addressing the risk themselves, and constipation in deal flow is the end result.

Cornell is right. CISOs must be asking risk-based questions and not simply nice-to-know questions that allow for pithy and obtuse answers. If the vendor/provider can’t answer to your satisfaction, move on and find a competitor who is willing and able to do so.

For a separate point of view, I reached out to Tim Mackey, principal security strategist at Synopsys, who also noted that reliance on the SBOM is minimal table stakes and certainly not the panacea many think it may be. “Not all SBOMs are created equally,” says Mackey. He notes how the inexperience of coders carries its own set of risks: hard coding credentials or other secrets into code may have been the right thing for a specific instance, but often that decision is abstracted away, and the why and the parameters around the instance fade once the code is squished/compiled.
A code review might not be the solution: the code may run, but are the configurations exercised by those hard-coded values actually being simulated?

A recommendation carried by Mackey and by Moshe Zioni, vice president of security research at Apiiro, whom I spoke with at Black Hat 2022, is the use of “vaults” for the storage of credentials and other secrets. Vaults provide a shorter live window of opportunity for compromise and allow access “to only this process, with only these circumstances and for only this limited period of time.”

CISOs no doubt are observing that creating an ecosystem where access is prescribed and limited to the extreme is a heavier lift, and thus will have to fight the urge to embrace convenience at the price of a more secure supply chain.

Additionally, CISOs must be prepared to support business operations and socialize the need to include the key components of supply chain risk management (SCRM) visibility in the negotiations with every vendor. Resisting the urge to close the deal and get on to business may be a high hurdle, but it is one which must be cleared if supply chain security is to be adequately addressed.
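To make the vault recommendation above concrete, here is an added illustration (not code from the article, Coalfire, Synopsys or Apiiro, and not any real vault product’s API) of what “only this process, only these circumstances, only this limited period” looks like in code. The in-memory `Vault`, the `Lease` record, the process and purpose names, and the sample secret are all constructed for the example; the point is the three bindings a lease is checked against, the automatic expiry, and the audit trail a defender can alert on.

```python
"""Short-lived, scoped secret leases: a toy vault for illustration.

Constructed example. A real deployment would use a vault service; the
checks below (process binding, purpose binding, expiry, audit log) are
the properties worth demanding of one.
"""
import secrets
import time
from dataclasses import dataclass

# The anti-pattern the article describes: a secret baked into source survives
# into the compiled artifact with no record of why it was put there.
# DB_PASSWORD = "hunter2"   # hard-coded credential (do not do this)

# Constructed sample store. In practice this content never lives in code.
SAMPLE_STORE = {"db-password": "constructed-sample-value"}


@dataclass(frozen=True)
class Lease:
    lease_id: str
    secret_name: str
    process_id: str     # only this process may redeem the lease
    purpose: str        # only under these circumstances
    expires_at: float   # only for this limited period (epoch seconds)


class Vault:
    """Hands out secrets through leases instead of long-lived copies."""

    def __init__(self, store):
        self._store = dict(store)
        self._leases = {}
        self.audit = []  # (event, lease_id, process_id, detail) tuples

    def issue(self, secret_name, process_id, purpose, ttl_seconds, now=None):
        """Create a lease bound to one process, one purpose and a TTL."""
        now = time.time() if now is None else now
        if secret_name not in self._store:
            raise KeyError(f"no such secret: {secret_name}")
        lease = Lease(secrets.token_hex(8), secret_name, process_id,
                      purpose, now + ttl_seconds)
        self._leases[lease.lease_id] = lease
        self.audit.append(("issue", lease.lease_id, process_id, purpose))
        return lease

    def redeem(self, lease_id, process_id, purpose, now=None):
        """Return the secret, or None (with an audit entry) if any binding fails."""
        now = time.time() if now is None else now
        lease = self._leases.get(lease_id)
        reason = None
        if lease is None:
            reason = "unknown-lease"
        elif now >= lease.expires_at:
            reason = "expired"
            self._leases.pop(lease_id, None)   # expired leases are forgotten
        elif process_id != lease.process_id:
            reason = "wrong-process"
        elif purpose != lease.purpose:
            reason = "wrong-purpose"
        if reason is not None:
            # Denials are the signal a SOC wants: a secret asked for outside
            # the process, circumstances or window it was issued for.
            self.audit.append(("deny", lease_id, process_id, reason))
            return None
        self.audit.append(("redeem", lease_id, process_id, purpose))
        return self._store[lease.secret_name]

    def revoke(self, lease_id):
        """Cut a lease short, e.g. when the owning process exits or is suspect."""
        if self._leases.pop(lease_id, None) is not None:
            self.audit.append(("revoke", lease_id, "", ""))
            return True
        return False

    def denials(self):
        """Audit entries worth alerting on: every failed redemption."""
        return [e for e in self.audit if e[0] == "deny"]


if __name__ == "__main__":
    vault = Vault(SAMPLE_STORE)
    lease = vault.issue("db-password", "etl-worker-1", "nightly-report", 60, now=1000.0)
    print(vault.redeem(lease.lease_id, "etl-worker-1", "nightly-report", now=1030.0))
    print(vault.redeem(lease.lease_id, "etl-worker-1", "nightly-report", now=1061.0))
    for entry in vault.denials():
        print("DENY", entry)
```

The `now` parameter exists so the time window can be exercised deterministically; drop it in real use and the wall clock applies. Note that an expired lease is discarded, so a later request with the same id is denied as unknown rather than as expired, which is the conservative outcome.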