Do I know what’s in my software?
That is the big question cybersecurity professionals will need to ask in 2023 as they pivot to make software supply chain security a top priority.
At the beginning of a new fiscal year, every organization, regardless of size or geography, is reevaluating its technology stack. As budgets get allocated in the first quarter, we can expect significant overhauls and tighter evaluations, specifically with the looming software bill of materials (SBOM) mandates going into effect in the next few months. IT and security teams will increasingly look for solutions that assess and mitigate software supply chain risk for all software, both built and bought, in order to comply with U.S. Executive Order 14028. The White House National Cybersecurity Strategy announcement is another reminder to organizations that they have until September 2023 to become compliant.
As compliance protocols are set in motion, the market will drive new trends in the software supply chain security space for the rest of the year, including:
IT and security teams will realize that software that is not built securely cannot run securely
With more than 70% of modern software dependent on open source and third-party components, software developers cannot deliver secure software to customers without formal software supply chain management. That realization, together with the increasing tampering with popular open source and commercial software packages, will drive an intense focus on two questions: "what's in the software?" and "is it built securely?"
Development teams will need to be prepared for CISOs and other security team members, as well as other C-suite leaders, to ask for details about the software being built and used. As a result, software developers will increasingly focus on understanding the components of their software: what each component is, where it originated and who authored it.
As for CIOs and CISOs, they will realize that software developers with secure software supply chains will deliver software that reduces risk, requires less emergency patching for vulnerabilities and is less likely to compromise their own companies.
The U.S. Federal Government will continue to roll out regulations around “enhancing the security of the software supply chain”
Another trend in 2023 relates to how companies will comply with Executive Order 14028, "Improving the Nation's Cybersecurity," and in particular its Section 4, "Enhancing the Security of the Software Supply Chain." I expect the September 2023 deadline to be a wakeup call to the software vendors affected by the guidance the Office of Management and Budget (OMB) issued to all federal agencies in memorandum M-22-18. Vendors will not only have to scramble to ensure their development practices conform to the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF, SP 800-218), but also will need to provide a self-attestation of that conformance, which agencies may ask them to back with artifacts that can be independently verified.
The recently unveiled White House National Cybersecurity Strategy provides a roadmap for how the Biden administration aims to defend against threat actors and protect critical infrastructure. A key point in the framework is shifting the burden of cybersecurity away from individuals, small businesses and local governments and onto technology providers. This is a welcome initiative, since software that is not built securely cannot run securely. The strategy commits the Government to placing responsibility on those who supply software rather than on those who consume it.
Organizations will prioritize preventing reputational and financial damage caused by software supply chain security incidents
2023 will also be the year organizations take proactive steps to prevent the reputational and financial damage caused by software supply chain security incidents. Last year kicked off with talk of the Apache Log4j vulnerability (Log4Shell, CVE-2021-44228): a flaw in a ubiquitous Java logging library in which an attacker-supplied string, once logged, triggered a JNDI lookup that could fetch and execute code from a server the attacker controlled, giving a foothold to install malware or mount further attacks. Because of the sheer number of organizations that used Log4j, the incident shed light on the risk of relying on third-party, open source software, and on how few organizations had a proper inventory of which components were in their software.
Compounding matters for company leaders, software supply chain incidents come with a cost that transcends financials. According to IBM, the average cost of a breach increased from $4.24 million in 2021 to $4.35 million in 2022, but it doesn't stop there. Following a data breach, both customers' and prospects' perception of the brand and overall loyalty can be swayed. Nearly half (46%) of organizations suffer reputational damage following a data breach.
Software supply chain security is essential to every organization that builds or uses software. 2023 is the year security professionals need to find out what's in their software: assessing their SBOMs, attesting their components, detecting tampering and decomposing software at every level for a 360-degree view. To combat software supply chain security incidents, organizations need a software supply chain management solution that lets them assess and mitigate those risks, and that keeps their SBOMs current, since software now changes so rapidly that a static SBOM is likely to be out of date by the time anyone reads it.
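The checks named above (assessing an SBOM, detecting tampering, and noticing when the SBOM has drifted from what actually ships) can be reduced to a single reconciliation step. The following is an added example written for this article; it is not code from the original page or from any vendor's product. It builds a minimal CycloneDX 1.4 JSON document from a constructed component list, then audits it against a constructed set of "shipped" artifacts. The library names, versions, contents and the `pkg:generic/...` package URLs are hypothetical.

```python
"""Reconcile a CycloneDX-style SBOM against the components actually present in a build.

Added example for this article, not code from the original page or from any vendor.
The SBOM and the build artifacts below are constructed inline; the component names,
versions and contents are illustrative only.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(components: dict) -> str:
    """Serialize {(name, version): content_bytes | None} into a minimal CycloneDX 1.4 JSON document.

    A component whose content is None is recorded without a hash, which is how many
    real SBOMs look and which the audit below flags as unverifiable.
    """
    entries = []
    for (name, version), content in components.items():
        entry = {
            "type": "library",
            "name": name,
            "version": version,
            # package-url; the 'generic' ecosystem is an assumption for these hypothetical libraries
            "purl": f"pkg:generic/{name}@{version}",
        }
        if content is not None:
            entry["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(content)}]
        entries.append(entry)
    doc = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": entries}
    return json.dumps(doc, indent=2)


def audit_sbom(sbom_json: str, build: dict) -> dict:
    """Compare an SBOM to the components present in a build.

    build maps (name, version) -> bytes of the artifact as it actually ships.
    Returns four lists of (name, version):
      tampered   - SBOM hash present but does not match the shipped bytes
      unhashed   - declared in the SBOM with no hash, so tampering cannot be detected
      missing    - declared in the SBOM but absent from the build
      undeclared - present in the build but absent from the SBOM (the SBOM is stale)
    """
    doc = json.loads(sbom_json)
    findings = {"tampered": [], "unhashed": [], "missing": [], "undeclared": []}
    declared = set()
    for comp in doc.get("components", []):
        key = (comp["name"], comp["version"])
        declared.add(key)
        if key not in build:
            findings["missing"].append(key)
            continue
        hashes = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        expected = hashes.get("SHA-256")
        if expected is None:
            findings["unhashed"].append(key)
        elif expected != sha256_hex(build[key]):
            findings["tampered"].append(key)
    for key in build:
        if key not in declared:
            findings["undeclared"].append(key)
    return findings


# Constructed scenario (hypothetical libraries, not real packages).
# What the build pipeline recorded when the SBOM was generated:
DECLARED = {
    ("lib-alpha", "1.2.0"): b"alpha release 1.2.0",
    ("lib-beta", "2.0.1"): b"beta release 2.0.1",
    ("lib-gamma", "0.9.0"): None,                      # vendor supplied no hash
    ("lib-delta", "4.4.0"): b"delta release 4.4.0",
}
# What is actually in the deployed artifact:
SHIPPED = {
    ("lib-alpha", "1.2.0"): b"alpha release 1.2.0",                     # intact
    ("lib-beta", "2.0.1"): b"beta release 2.0.1 + injected payload",    # modified after SBOM generation
    ("lib-gamma", "0.9.0"): b"gamma release 0.9.0",                     # present, but cannot be verified
    ("lib-epsilon", "3.1.0"): b"epsilon release 3.1.0",                 # pulled in by a later dependency bump; SBOM never updated
}


def run_example() -> dict:
    return audit_sbom(build_sbom(DECLARED), SHIPPED)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

The four buckets map onto the article's points: `tampered` is the tampering signal, `unhashed` shows why an SBOM without hashes cannot attest anything, and `undeclared` is the out-of-date SBOM problem, which is only visible if the check runs against the artifact that actually ships rather than against the SBOM alone.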