How to Make Product Security Easier Across the Software Supply Chain

When organizations choose software, security is the main consideration that drives their decision, according to research published by the Linux Foundation. License compliance is a close runner-up. Both outrank other important drivers such as cost, time-to-market, and performance.

Today, product security and risk management experts need tools that can see inside the opacity of the proprietary and open-source code they inherit from their software supply chains. Increasingly, they’re looking to SBOMs (Software Bills of Materials) to support the key controls in their software development lifecycle.

"By 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice," says Gartner® in its 2022 Innovation Insight for SBOMs Report. That's up from under 20% today.

While manufacturers have looked to DevOps processes and other solutions to tackle the problem, these solutions haven’t been scalable. This reality is slowing down development and product launches. The market needs a scalable solution that effectively and efficiently scans connected devices for vulnerabilities—and one that can be deployed quickly.  

Facing opaque software supply chains

When PwC asked more than 1,600 tech and security executives how well they understand the cyber risks coming from their third parties and supply chain, one in four admitted having little to no understanding.

The 40% of tech CEOs who said they thoroughly understand these risks were 11x more likely to also report significant progress toward optimal cybersecurity outcomes, including cyber risk management, says PwC.

Knowledge is power when it comes to protecting your ecosystems. However, when faced with the ever-evolving universe of connected devices and embedded systems in their products and the products they procure from upstream supply chain partners, CEOs and their organizations need tools to cut through the opacity of open-source and proprietary code and the binaries they encounter.

In the dynamic world of connected-device security, organizations are suddenly scrambling to design and stand up their respective product security maturity models, as they create and implement tools, practices, and standards to discover vulnerabilities and weaknesses in their connected products and embedded systems.

To see inside the black boxes of their connected devices, many organizations are turning to the SBOM, a tool whose relevance has already arrived even as regulatory institutions begin to consider how to require its use. 

However, seven of every ten organizations cannot even easily generate an SBOM, according to Ponemon Institute research.

Confronted with this challenge, how can organizations integrate SBOMs into their software development lifecycles? How will SBOMs influence the future of product security and software supply chain relationships?

How SBOMs help find vulnerabilities

In its 2022 Innovation Insight for SBOMs report, Gartner looks at how "software bills of materials improve the visibility, transparency, security and integrity of proprietary and open-source code in software supply chains."

"To realize these benefits, software engineering leaders should integrate SBOMs throughout the software delivery life cycle," Gartner says. 

Indeed, Software Bills of Material can provide insight and transparency into how organizations can protect themselves and their cyber ecosystems from escalating cyberattacks, and SBOMs generally show an inventory of components that make up your application and can help product security, risk management, and compliance experts approach new and emerging regulations.  

SBOMs can be your organization’s first meaningful step toward discovering vulnerabilities and weaknesses within your products and the devices you procure from your software supply chain.

Next steps: Integrate SBOMs into your security posture

With the Finite State Platform, you can find out instantly if (and where) you face vulnerabilities in your embedded devices, then remediate them fast with expert guidance. Finite State gives device manufacturers and software supply chain risk managers a deep view into all device hardware and software components – even if you have no access to the source code. 

Contact us today at https://finitestate.io/contact/ and we can help you quickly analyze your binaries and navigate that next step toward adopting the SBOM as a tool that will help scale and automate your product security across the software supply chain lifecycle.

Gartner, Innovation Insight for SBOMs, By Manjunath Bhat, Dale Gardner, Mark Horvath, 14 February 2022

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.