Three Steps Toward Better Software Supply Chain Security

"Software supply chain attacks have seen triple-digit increases, but few organizations have taken steps to evaluate the risks of these complex attacks," Gartner® states in its latest report on software supply chain risks.

You don't have to be one of the country's leading technology research and consulting firms to notice the dramatic increase in the quantity, complexity, and severity of the software supply chain attacks that plague organizations and their consumers worldwide. 

While development teams have raced to stand up solutions-both at the tactical and strategic levels-this progress hasn't advanced at the speed with which attacks have evolved. 

Organizations today are still prone to software supply chain attacks and increasingly so.  

Security By Design

"Almost two-thirds (61%) of U.S. businesses were directly impacted by a software supply chain attack in the 12-month period ending in April 2023," the report from Gartner® continues. 

As security teams consider the strategies most likely to protect their software supply chains from this rising threat of cyber attacks, they have increasingly looked toward strategies such as security by design, which embeds security across each phase of the software development life cycle.

But how does security-by-design work in practice, when code compiled into binaries and software components comes into play? Visibility often ends with the source code you have, which doesn't extend to all the risks lurking within a modern connected device ecosystem.  

How does an organization, establishing a commitment to security-by-design, get continuous visibility into complied code and software components? 

Security-by-design does not come easily. Research from EY in a recent Global Information Security Survey pointed out that 31% -- representing less than a third of companies surveyed -- said that cybersecurity teams take part in new business initiatives "right from the start." 

How SBOM and Binary Analysis Fit into a Secure by Design Strategy

In the framework of a secure-by-design strategy, tools like Software Bill of Materials (SBOM) and binary analysis are essential components that add layers of transparency and scrutiny, enhancing security throughout the software development lifecycle.

Software Bill of Materials (SBOM)

An SBOM is essentially a detailed inventory that lists all the components, including libraries and packages, that make up software applications. This inventory serves several critical functions:

1. 
   Transparency: SBOMs provide complete visibility into the software components used within an application. This transparency is crucial for assessing risk, managing vulnerabilities, and ensuring compliance with security standards and regulations.
   
2. 
   Vulnerability Management: By identifying all the components, an SBOM allows organizations to quickly detect known vulnerabilities within those components. Automated tools can cross-reference components listed in an SBOM with vulnerability databases to alert developers and security teams about potential risks.
   
3. 
   Supply Chain Security: SBOMs help track the origin and integrity of every component, which is particularly important in managing the security of third-party software and open-source libraries. This is a key part of securing the software supply chain—a major focus of secure-by-design approaches.
   

Transparency: SBOMs provide complete visibility into the software components used within an application. This transparency is crucial for assessing risk, managing vulnerabilities, and ensuring compliance with security standards and regulations.

Vulnerability Management: By identifying all the components, an SBOM allows organizations to quickly detect known vulnerabilities within those components. Automated tools can cross-reference components listed in an SBOM with vulnerability databases to alert developers and security teams about potential risks.

Supply Chain Security: SBOMs help track the origin and integrity of every component, which is particularly important in managing the security of third-party software and open-source libraries. This is a key part of securing the software supply chain—a major focus of secure-by-design approaches.

Binary Analysis

Binary analysis involves examining the compiled or executable version of software without access to its source code. This is particularly useful in several aspects of a secure-by-design strategy:

1. 
   Security Verification: Binary analysis can identify security flaws, such as buffer overflows, that might not be detectable through source code analysis alone. This is crucial for validating the security of third-party components for which source code is not available.
   
2. 
   Compliance and Risk Assessment: It helps ensure that the binary files comply with the security policies and practices that an organization has set. This analysis can also assess the risk level of binaries by identifying potentially malicious code or behaviors embedded within them.
   
3. 
   Integrity Checks: Binary analysis can verify that the binary files have not been tampered with and are in their expected state, ensuring that they match the documented and approved versions listed in the SBOM.
   

Security Verification: Binary analysis can identify security flaws, such as buffer overflows, that might not be detectable through source code analysis alone. This is crucial for validating the security of third-party components for which source code is not available.

Compliance and Risk Assessment: It helps ensure that the binary files comply with the security policies and practices that an organization has set. This analysis can also assess the risk level of binaries by identifying potentially malicious code or behaviors embedded within them.

Integrity Checks: Binary analysis can verify that the binary files have not been tampered with and are in their expected state, ensuring that they match the documented and approved versions listed in the SBOM.

Integrating SBOM and Binary Analysis in Secure-by-Design

Both SBOM and binary analysis fit naturally into the secure-by-design philosophy by enabling proactive security practices:

• 
  Early and Continuous Integration: Integrating SBOM generation and binary analysis tools into the CI/CD pipeline ensures that every release is transparent and secure from the earliest stages of development. Continuous analysis helps detect and mitigate risks as they arise, rather than retroactively.
  
• 
  Cross-functional Collaboration: These tools facilitate better communication and collaboration between developers, security teams, and operations. For instance, developers can use information from SBOMs to make informed decisions about component usage, while security teams can use binary analysis results to enforce security standards.
  
• 
  Automated Security Practices: Automation of SBOM and binary analysis can scale the security efforts without adding significant manual overhead, making it easier to maintain security standards even as the complexity of software projects increases.
  

Early and Continuous Integration: Integrating SBOM generation and binary analysis tools into the CI/CD pipeline ensures that every release is transparent and secure from the earliest stages of development. Continuous analysis helps detect and mitigate risks as they arise, rather than retroactively.

Cross-functional Collaboration: These tools facilitate better communication and collaboration between developers, security teams, and operations. For instance, developers can use information from SBOMs to make informed decisions about component usage, while security teams can use binary analysis results to enforce security standards.

Automated Security Practices: Automation of SBOM and binary analysis can scale the security efforts without adding significant manual overhead, making it easier to maintain security standards even as the complexity of software projects increases.

By incorporating these tools, organizations can uphold the principles of secure-by-design by maintaining transparency, integrity, and security throughout the software lifecycle, ultimately reducing the risk and impact of security vulnerabilities.

Security By Design - A Good Start, But You'll Need More 

The needs of software supply chain security extend beyond the principles of security by design due to the complexity and interconnected nature of modern software development. Security by design focuses on integrating security measures from the outset of software development. However, software supply chain security must address additional concerns such as the integrity of third-party components, compliance with regulatory standards, and the management of ongoing threats that can emerge long after the initial design phase.

This broader scope involves ensuring that every link in the supply chain—from the initial code to the final product delivery—is secure against tampering, unauthorized access, and unintended code dependencies that could introduce vulnerabilities. It also encompasses the need for continuous monitoring and updating of software components to protect against newly discovered vulnerabilities and exploits, ensuring resilience and trust throughout the lifecycle of the software product.

While security by design is a critical foundation, comprehensive software supply chain security demands vigilance at every stage of the software's environment and lifecycle.

How to Mitigate Enterprise Software Supply Chain Security Risks

As risk management and security professionals ready themselves for the grim reality that, "[b]y 2026, at least 60% of organizations procuring mission-critical software solutions will mandate software bill of materials (SBOM) disclosures in their license and support agreements," they will look for actionable advice to help them safeguard their organizations from software supply chain attacks and help make sure that they stay in compliance with increasingly rigid regulatory and compliance requirements.