Protecting the U.S. from Software Supply Chain Attacks (Part 2)

In our last article, we made the argument that it’s time to stop placing all the onus for protecting against supply chain attacks on buyers.

Even the biggest buyers—government agencies, critical infrastructure providers, and so on—simply don’t have the time or resources to vet every one of their suppliers’ security thoroughly.

Instead, it’s time to regulate technology vendors.

So far, we’ve laid out three proposed requirements for them:

  1. Follow an agreed framework for Supply Chain Risk Management (SCRM)
  2. Focus on baseline integrity
  3. Establish closed-loop change control

Now it’s time to discuss our fourth—and arguably most important—proposed requirement for technology vendors.

Requirement #4: Adopt Resiliency-Focused Security Operations

Most organizations run security operations on a perimeter defense and recovery model. Put simply, they fortify the perimeter with security technologies and then invest heavily in recovery once a breach occurs. As EO 14028 explains, this model is outdated for two reasons:


*** This is a Security Bloggers Network syndicated blog from Cimcor Blog authored by Jacqueline von Ogden. Read the original post at: https://www.cimcor.com/blog/protecting-the-u.s.-from-software-supply-chain-attacks-part-2