8 Best Practices in Cyber Supply Chain Risk Management to Stay Safe

In this blog post, we’ll discuss how every business faces four different types of threats to their software supply chains. Use these 8 best practices in cyber supply chain risk management to help keep your business secure.

 

The Four Types of Threats Your Software Supply Chain Faces

There are many various supply chain cyber risks software-based businesses face today that can be categorized into four primary types: 1) cyber threats, 2) compliance, 3) financial impact, and 4) reputational. For each of these, we will provide preventative best practices later in the article, but for now, let’s dive into each threat type and examine them more closely.

 

#1 Cyber Threats

Most cybersecurity professionals would agree that security breaches are a question of “when” and not “if” they will occur. Breaches can come from multiple vectors due to a wide variety of vulnerabilities in the software supply chain. Moreover, once threat actors are in, they very often move laterally throughout an organization. We have seen this happen in three highly publicized software supply chain cyber attacks – SolarWinds, Log4J, and Codecov.

SolarWinds attackers inserted malicious code (SUNSPOT) using temporary file replacement techniques to attack software supply chain pipelines and development tools compromising the CI/CD infrastructure.

Log4J, the zero-day software supply chain vulnerability, allowed attackers to leverage remote code execution using logging dependencies, again compromising the CI/CD infrastructure.

Codecov showed that attackers could modify source code to infect, tamper, and reveal customer secrets using modified scripts leveraging compromised artifacts.

For a deeper dive into these three underlying risks, check out The 3 Riskiest Software Supply Chain Attack Patterns Common Across Frameworks. It’s also worth mentioning that there are many more software supply chain attacks than the three listed here. Legit Security is actively contributing to the open-source community, which is core to our mission to help protect software supply chains from attack.

 

#2 Compliance

With the implementation of FedRAMP, President Joe Biden’s Executive Order 14028, NIST’s recently revised security guidance, along with many other emerging regulations proves that software supply chain security compliance is another major issue that must be addressed.

Compliance with security protocols and legal regulations like FedRAMP and SOC2 is not just mandatory for your internal organization – it very often also needs to be enforced outside your organization with all the vendors in your software supply chain. In these cases, demonstrating vendor compliance will keep your internal organization from facing fines and penalties. Supplier non-compliance can lead to violations that you can also be implicated in, and a breach of compliance or violation can lead to penalties or fines for all parties, depending on the context of the violation.

 

#3 Financial Impact

Cyber threats to your supply chain do not just present a potential financial loss to your organization but can also deal a financial blow to your customers. Security vulnerabilities don’t just present operational and business disruption risks, they can also have long-lasting financial impacts on your business. This financial risk can vary greatly and range from small operational costs and inefficiencies to financial ruin for businesses.

Financial risks can manifest as real consequences in a couple of ways. Cyber attacks can result in a longer term business continuity crisis that prevents you from servicing your direct customers. Long term business disruptions can also greatly affect your suppliers and contractors, leading them to seek business elsewhere, go bankrupt, or otherwise leave you high and dry. Suppliers and contractors can also encounter their own software supply chain issues which can hamper your ability to continue to operate properly.

Software supply chain security risk management techniques can be used to minimize the negative financial impacts to your business. Organizations that follow software supply chain best security practices and leverage advice for securing their code and data for business continuity are more adept at mitigating direct and indirect financial impacts.

 

#4 Reputational

Reputational threats are the most unpredictable type of risk posed to your business in terms of supply chain cyber security, in part because the concept of brand or reputation is ephemeral and more difficult to control and measure. Additionally, reputations can also become intertwined with other entities, such as when an organization chooses to work with suppliers that are themselves vulnerable to third-party software security risks. In this regard, damage to your suppliers’ reputation can convey the same reputational damage to your organization. 

SolarWinds and Codecov are useful examples of reputational risk, where a vendor or supplier was compromised resulting in widespread downstream damage and corresponding reputational risk to their customers. Ultimately, your reputation relies on a few factors:

• Your actions
• Your track record
• Your suppliers’ reputations

Suppliers’ reputations are critical to evaluate when initially onboarding providers and considering new suppliers. Keep in mind that vendor/supplier software is not just the proprietary code the vendors create, but also the assortment of open-source tools and libraries they use when developing the software. With the widespread use of open-source tools and libraries, there are various weak spots in the SDLC that the open-source community hasn’t addressed yet, which means your suppliers need to enact their own adequate security controls for their usage. 

 

8 Best Practices in Cyber Supply Chain Risk Management to Keep Your Business Safe

In 2021, NIST (National Institute of Standards and Technology) shared a report on best practices that can help keep you and your business safe by using their framework for cyber supply chain risk management or C-SCRM.

The 8 NIST supply chain best practices are:

• Deploy Organization-Wide C-SCRM
• Create a Formal C-SCRM Program
• Monitor Your Critical Components & Suppliers
• Get to Know Your Supply Chain
• Focus on Collaboration with Key Suppliers
• Make Suppliers Part of Resilience & Improvement Initiatives
• Continually Assess/Monitor Supplier Relationships
• Anticipate and Respond to Interruptions

Let’s dive into each best practice to manage the four major supply chain threats – Cyber Threats, Compliance, Financial Impact, and Reputational Risk.

 

Best Practice #1 – Deploy Organization-Wide C-SCRM

The first step in supply chain risk management is to deploy a framework and plan for your organization. Cyber Supply Chain Risk Management or C-SCRM is a multidisciplinary approach to managing cyber threats to your software supply chain. Established in 2021, NIST supply chain best practices provide companies, government agencies, and other organizations with a means to manage growing supply chain risks and protect them from threats. Deploying organization-wide C-SCRM is the first best practice on our list because it is an essential management framework that helps facilitate and encourages a more collaborative approach to the software or product development process.

 

Best Practice #2 – Create a Formal C-SCRM Program

A formal C-SCRM program helps establish governance and ensures accountability when identifying, assessing, and mitigating risks to the software supply chain. Creating a robust program should establish governance policies along with processes and procedures.

Key elements to be included in a C-SCRM program include who is responsible for enforcing governance, which tools are permissible, the policies or procedures applied to the development lifecycle, and the internal processes for managing potential risk. Organizations should approach the deployment of a C-SCRM program with a zero-trust mindset, anticipating and assuming that the code and application development process can not be trusted by default and instead assuming it has already been breached.

 

Best Practice #3 – Monitor Your Critical Components & Suppliers

Oversight of your supply chain cyber threats through proper, ongoing, monitoring of critical components and suppliers helps secure the entire supply chain. Continuous monitoring is often critical for mission-imperative functions, since if a breach or breakdown were to occur it would severely disrupt operations.

The identification of assets, systems, processes, suppliers, and data is critical in order to smoothly function 24x7x365. Software supply chain critical management assets such as these should be monitored:

• CI/CD pipelines
• Repositories and their connections
• Developer access to systems
• Policies and compliance adherence (and violations)
• Tool configuration and integrations

Automated SDLC inventory discovery; risk protection and remediation; and continuous scoring and compliance monitoring are all important features that software supply chain security companies like Legit Security have built into their platforms. Using platforms like these can help organizations monitor their critical components and suppliers as recommended by NIST for third-party risk management.

 

Best Practice #4 – Get to Know Your Supply Chain

Visibility into your software supply chain is crucial – especially the visibility and analysis of dependencies within your software supply chain. Threat actors leverage dependency vulnerabilities to gain access to the entire pipeline and compromise the integrity of the application or code. Dependencies and suppliers play a critical role in development, so it is important to understand who they are and their security posture to safeguard your own mission-critical components.

Organizations can manage software supply chain dependency vulnerabilities by:

• Only working with reputable suppliers that have best practices in place to help manage risks
• Requiring suppliers to include accurate defect rate tracking
• Requiring suppliers to include root cause analysis methodology

Should a supplier encounter a breach, the impact on your business could be substantial. Therefore, whenever possible, have backup suppliers available to help minimize disruptions to your operations.

 

Best Practice #5 – Focus on Collaboration with Key Suppliers

Collaboration with suppliers is key and should be prioritized by organizations focused on software supply chain risk management. Forming a collaborative relationship with key suppliers can facilitate communication and information sharing by creating shared ecosystems. While collaboration may not always be easy, having shared resources with those key suppliers may be the difference between catching a vulnerability early and before it becomes a problem, or finding out too late where significant damage has already been done.

People, process, and technology are at the heart of effective management and can enhance supply chain performance with proper communication, making it more secure and efficient. Effective collaboration can not only illuminate issues but highlight visibility gaps that help combat cyber threats to your supply chain.

 

Best Practice #6 – Make Suppliers Part of Resilience & Improvement Initiatives

Organizations face cyber threats not just from their internal suppliers and collaborators. A broad range of external cybercriminals increasingly target businesses through their supply chain as an easier way to find weak points (e.g., SolarWinds, Kaseya, and Codecov). To help combat threats, regulations such as FedRAMP and NIST, now specifically include new software supply chain security requirements to address these weak points.

“FedRAMP’s focus in 2022 on supply chain requirements have significantly increased through the publication of the new supply chain risk management (SR) control family in NIST 800-53 revision 5.”
(Coalfire)

Businesses of all sizes can have a security incident, which is why resiliency planning is an essential component to maintaining a healthy security posture. Including critical suppliers in your organization’s incident response or disaster recovery plan helps enhance resilience against broader industry ecosystem risks. Additionally, testing resiliency plans with critical suppliers and key stakeholders is essential to become better prepared when a real-life threat arises.

 

Best Practice #7 – Continually Assess/Monitor Supplier Relationships

Initial assessments of your suppliers and supply chain are only accurate for a brief period. Over time, these snapshots become obsolete as the software supply chain environment evolves. Organizations should seek automated solutions to continuously identify risks and vulnerabilities in their supply chain as they are continuously changing and evolving.

Monitoring supplier relationships is essential part of establishing a successful and ongoing supplier program. Organizations can minimize third-party software security risks with just a few monitoring best practices including:

• Looking for or identifying any changes in supplier status
• Validating that suppliers are meeting all legally binding requirements
• Regularly re-evaluating supplier adherence to supply chain security best practices
• Mitigating the potential risks identified
• Instituting action plans to remediate those risks (as needed)

Best Practice #8 – Anticipating and Responding to Interruptions

While no one can predict when an incident will occur, planning for unexpected interruptions is a must for all businesses in today’s cyber environment. Just a few examples of interruptions that businesses commonly face include ceased support for obsolete software, a change of supplier due to acquisition, and downstream supplier changes affecting your own supply chain production.

Cyber security supply chain threats are pervasive and ever-growing. Effective supply chain risk management requires taking a proactive approach and establishing preventative action plans to respond to interruptions and prevent severe or critical business failures.

 

Take a Proactive Approach to Cyber Supply Chain Security to Keep Your Business Safe

Taking a proactive approach allows every business to mitigate the four main types of cyber threats to software supply chains. Using these NIST supply chain best practices, organizations can help mitigate continued risk in an ever-growing threat landscape.

 

 

What we have learned from recent incidents like SolarWinds, Log4J, and Codecov is that software supply chain attacks are pervasive and will continue to grow with increasing complexity, exacerbating the need for more robust and automated solutions that analyzes the entire CI/CD or software supply chain for risks and vulnerabilities.

Legit Security helps secure software supply chains and continuously monitors drift from regulatory frameworks like NIST, FedRAMP, and more. To learn more about how the Legit Security Platform was built to help application security teams keep up with fast-moving development teams at scale, schedule a product demo or learn more about our platform.

*** This is a Security Bloggers Network syndicated blog from Legit Security Blog authored by Justin Bahr. Read the original post at: https://www.legitsecurity.com/blog/8-best-practices-in-cyber-supply-chain-risk-management-to-stay-safe