More than four years ago, the massive SolarWinds breach pushed software supply chains to the forefront of security concerns. The attack affected over 18,000 customers who were made victims through third-party security negligence – not their own. In fact, the attack was propagated by diligent customers installing recommended patches from a trusted IT infrastructure vendor.

One year later, it was déjà vu all over again, as the Log4j crisis erupted. In this case, an under-the-radar but widely used library compromised millions of devices and thousands of organizations. This highlighted the fact that many software developers have little visibility or control over third-party code and libraries that make up the bulk of our software stacks.

With more focus on software supply chain security, we’ve begun to improve visibility and accountability, but there’s still a long way to go. Last year’s attack on the Okta supply chain compromised credentials to Okta’s customer support management system and showed that even a trusted security vendor can put us at risk.

And hot off the press, today a new attack has been reported involving the Snowflake cloud storage platform, and Okta, hacking accounts of Santander and Ticketmaster. While few details have been disclosed, this appears to be another supply chain-based attack.

Given this context, it’s welcome news to see that the recently released NIST Cybersecurity Framework (CSF) 2.0 puts a new emphasis on the importance of securing software supply chains to manage the risks of third-party components and dependencies. The updated framework includes NIST software supply chain security guidance for identifying, assessing, and managing risks within software supply chains, ensuring that organizations can protect against vulnerabilities introduced by external suppliers. It recommends implementing stringent security controls, continuous monitoring, and robust incident response strategies to address potential threats.

‍New software supply chain guidelines

The updated CSF 2.0 includes specific controls related to supply chain security under the newly added "Govern" function, particularly within the Cybersecurity Supply Chain Risk Management (C-SCRM) category. This category provides systematic guidelines for identifying, assessing, and managing supply chain risks. Controls in this category encourage organizations to implement stringent security measures, ensure continuous monitoring, and develop robust incident response strategies to mitigate risks associated with third-party components and dependencies​. These strategies are integral to effective software supply chain security risk management.

The new Supply Chain Risk Management (GV.SC) section of the framework includes the following guidelines:

• GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders 
• GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally 
• GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes 
• GV.SC-04: Suppliers are known and prioritized by criticality 
• GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties 
• GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships 
• GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship 
• GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities 
• GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle 
• GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement 

‍How do we implement this?

These new guidelines focus directly on best practices that sound obvious, but can be difficult to achieve, such as knowing all your suppliers, prioritizing them by criticality, and integrating supply chain security into all your processes such as risk management, vulnerability detection, prioritization, and remediation. 

Understanding where business-critical software comes from, and vetting vendors carefully is always a good idea. But the challenge runs much deeper, because software is rarely monolithic or built by one trustworthy vendor. Almost all modern software is built on a complex stack of third-party tools, libraries, and open-source components, with unclear provenance, and source-code that can’t easily be reviewed.

‍Best practices to improve supply chain security

There are a number of tools that have been developed post-SolarWinds that can help with supply chain security, but they need to be put in the context of a complete end-to-end program. Here are some best practices and tools that can help:

• Maintain an accurate Software Bill of Materials (SBOM): Create and update an accurate SBOM for all software components used in your products, including open-source and third-party libraries, and ensure they are free from known vulnerabilities.
• Secure development and deployment practices: Adopt secure coding practices and automated testing tools (SAST and DAST) to identify and fix vulnerabilities before software is deployed. 
• Use Software Composition Analysis (SCA): regularly run SCA tools on all your code to identify third-party components and map them to any known vulnerabilities.
• Continuously aggregate, correlate, and prioritize threats across tools: Application Security Monitoring (ASPM) platforms like AppSOC, can play a critical role in consolidating vulnerabilities, reducing false positive noise, and ensuring end-to-end visibility across development and operations teams. These platforms are essential software supply chain security tools.
• Understand software hierarchies and dependencies: Tools like AppSOC provide a visual map of libraries, microservices, and applications, so you can quickly pinpoint widely used components.
• Efficiently remediate and monitor compliance: Modern ASPM tools like AppSOC should provide automated remediation workflows, and track SLA performance of each team to ensure issues are addressed reliably and nothing falls through the cracks. This is crucial for software supply chain security automation.

‍Why This Matters

While the NIST Cybersecurity Framework is a set of recommendations rather than regulations, it provides valuable guidelines and best practices to help organizations manage and reduce cybersecurity risks. While it is widely respected and adopted across various industries, it does not carry the force of law or regulatory requirements. However, compliance with the framework, including its guidance on secure software supply chain practices, can help organizations meet other regulatory obligations and improve their overall security posture.

By focusing on supply chain security, the framework aims to enhance overall cybersecurity resilience, helping organizations safeguard their operations from disruptions and maintain the integrity of their software ecosystems.