8 Tough Questions to Ask When Securing Your Software Supply Chain

Software supply chain breaches are headline news right now, and they’ve even been given an honorable or, more accurately, a dishonorable mention in the White House’s recent Executive Order on cybersecurity. But the software supply chain is not new. In fact, it’s been around since the mid-’80s, and so has the risk.

The software supply chain contains all the software components needed to create and deliver a fully functional software product. The supply chain can include proprietary code/binaries, open source (OS) libraries, third-party custom-built code and white-labeled products.

In reality, this means pretty much every single modern application in active use today contains at least some third-party code, especially open source code. In fact, according to recent research, 98% of codebases today contain OS code[1], and on average there are 38 known OS-related vulnerabilities per application.[2] Synopsys estimates there are 158 per code base on average[3] while 60% of codebases contain high-risk vulnerabilities in OS code[4], and the average vulnerability in OS code is 2.2 years old.[5]

You’re only as secure as your weakest link!

This means that everyone is at risk – companies developing their own software for internal or external use, software vendors selling code or apps to other companies to incorporate into their products, and of course, the end-users using the software. And with the explosion of digital innovation in this post-COVID-19 world, coupled with rampant breaches affecting users in their everyday lives, customers and consumers no longer have any tolerance for lax security in software products.

Executives, BoDs, security and engineering leaders, ask yourselves… Can you afford the remediation, legal, compliance costs and reputational damage of a breach? By the way, the average cost of a data breach in the US is $8.64M.[6] Can you afford to lose business because you can’t prove your software is secure?

An ounce of prevention is worth a pound of cure

Those are rhetorical questions, of course. And the answers to those questions lie in having AppSec risk visibility and shifting left, which means beginning testing for and remediating application security vulnerabilities early in the software development life cycle (SDLC). It’s also a fiscally responsible strategy: addressing application security earlier rather than later is far cheaper and easier. In fact, it is 100x cheaper to fix an issue in development versus once it’s deployed in production.[7]

Do you have what it takes to stand up an AppSec program, fast? Can you afford not to?

Some companies, attempting to address their AppSec problem, are buying an AppSec tool and scanning selected applications on an ad hoc basis. They may add more tools periodically, and maybe, eventually, three years down the line, they’ll have a bunch of tools in place that are scanning bits and pieces of code, at various stages of the development process. But this “approach” is missing the critical ingredients: the processes and workflows that turn these tools into an end-to-end program that will enable the company to develop and deliver secure software into production and give them the necessary visibility of their AppSec risk posture.

With application vulnerabilities piling up and the rate of breaches escalating, organizations need a programmatic way to do all this and fast. So, ask yourself these 8 questions:

  1. Do you have the time and resources to set up an AppSec program that will span the full SDLC and enable you to consistently scan all software components?
  2. Do you have the necessary AppSec expertise in-house?
  3. Do you know what AppSec tools you’ll really need?
  4. Are you sure you can maintain development velocity while securing the SDLC?
  5. Do your developers know how to invoke, manage and maintain AppSec tools within the DevOps pipelines?
  6. Are you able to make sense of all the AppSec data generated?
  7. Do you know which vulnerabilities should be prioritized for remediation?
  8. Can you prove to your customers and partners that you have an effective AppSec program?

Seeing AND believing: Bluescape

For a viable AppSec program that helps you deliver more secure software, you need the right tools, processes and workflows to test all your code for vulnerabilities, aggregate and streamline the tools’ findings, and create a closed-loop process for remediating critical vulnerabilities, all during the SDLC. An effective AppSec program should also provide visibility and reports, so you can assess AppSec risk and its impact on the business at any time, as well as prove the existence and effectiveness of your program to your customers, partners, and leadership.

Bluescape, an enterprise-scale visual collaboration SaaS platform used by major motion picture studios, manufacturers and learning institutions, is using the ZeroNorth DevSecOps Quick Start to do just that.

With ZeroNorth, Bluescape has been able to:

  • Expand the depth and breadth of scanning coverage with ready-to-run open source scanning tools integrated with ZeroNorth
  • Streamline AppSec scanning data, making it easily consumable and usable for security and developer staff
  • Gain accurate, consistent visibility into the AppSec posture and risk
  • Showcase Bluescape’s AppSec program to its customers

And Bluescape has done this with considerable cost savings! According to Mark Willis, Bluescape’s CISO, “Without ZeroNorth, it would be very expensive to try and orchestrate all of the types of scans and metrics that ZeroNorth delivers. ZeroNorth provides the results of three to four FTEs at five percent of the cost.” You can read the full Bluescape case study here, and check out the new demo of ZeroNorth DevSecOps Quick Start here:

[1] 2021 Synopsys Open Source Security and Risk Analysis Report

[2] Sonatype 2020 State of the Software Supply Chain

[3] 2021 Synopsys Open Source Security and Risk Analysis Report

[4] 2021 Synopsys Open Source Security and Risk Analysis Report

[5] 2021 Synopsys Open Source Security and Risk Analysis Report

[6] IBM Security Cost of a Data Breach Report 2020

[7] The ROI of the ZeroNorth DevSecOps Platform

*** This is a Security Bloggers Network syndicated blog from ZeroNorth authored by Joanne Godfrey. Read the original post at: https://www.zeronorth.io/blog/need-to-secure-your-software-supply-chain-8-tough-questions-to-ask/