Key Concept

Understanding Software Supply Chain Management

Supply Chain Management for Secure Software Delivery

What is Software Supply Chain Management?

Software Supply Chain Management (SSCM) encompasses the end-to-end processes involved in the creation and delivery of software products. SSCM focuses on the flow of digital components and artifacts through various stages of development, integration, and delivery. Critical to understanding the supply chain is the use of open source software. SSCM has a heavy focus on understanding low-level dependencies and the use of open source packages.

Most development environments rely heavily on open source. According to GitHub's Octoverse, 97% of companies use open source. That number lines up with the Linux Foundation's "Software Bill of Materials (SBOM) and Cybersecurity Readiness" report, indicating over 98% of their study's sample reported using open source software.

Software Supply Chain Management and Digital Components

In an era where cybersecurity threats are prevalent, Software Supply Chain Management serves as a shield against potential vulnerabilities. It minimizes the risk of supply chain attacks and ensures that software components are secure. By streamlining processes and automating repetitive tasks, it enhances the efficiency and reliability of software delivery. This is particularly crucial in fast-paced development environments. Software Supply Chain Management helps organizations adhere to regulatory requirements and internal policies. It ensures that software development practices align with industry standards and legal frameworks. Through meticulous tracking and management of dependencies, it aids in identifying and mitigating potential risks before they escalate.

Software supply chain management includes locating, assessing, and mitigating the risks associated with the consumption of open source software. Managing the risks of using open source software requires knowing what packages are used in software development, even when developers are unaware of the open source packages they consume. Software Supply Chain Management platforms continuously gather software supply chain data and aggregate this information across the organization, providing context for different users, from developers to CISO teams.

Third-Party Software in Your Supply Chain

Software supply chain management starts with understanding the entire inventory of the software packages your digital assets consume and ends with tracking those packages across all runtime environments, from development through production. Your overall global supply chain includes open-source objects, commercial third-party components, and internal common code components. Software Supply Chain Management refers to understanding your cybersecurity risks across all components used by IT teams to create the software they deliver.

In December 2021, we learned a hard lesson when a severe vulnerability was found in a version of one of the most popular open source packages, Log4J. Once discovered, organizations struggled to quickly determine if they were using the offending version of Log4J. Between December 9th and 21st, 2021, Symantec’s intrusion detection system blocked more than 93 million Log4j-related exploitation attempts on more than 270,000 unique machines. (Source: VMWare Security Blog)

 


Benefits of Software Supply Chain Management

Managing the software supply chain offers many benefits to both Development and CISO teams. Software Supply Chain Management added to an organization’s DevOps pipelines will fortify the overall security of the software development processes. Key benefits of implementing Software Supply Chain Management include:

  1. Enhanced reliability – careful management ensures the use of dependable components and reduces the likelihood of introducing vulnerabilities.
  2. Minimizing the risk of cyber threats by exposing vulnerabilities and threats.
  3. Enables better control over software dependencies, facilitating easier updates, bug fixes, and overall maintenance.
  4. Streamlines collaboration among development teams, fostering a more organized and cohesive supply chain.

Organizations can achieve greater transparency, agility, and resilience in their software development lifecycle by prioritizing the management of the software supply chain.

Top 4 Software Supply Chain Security Risks

To manage top software supply chain risks, a coordinated approach is needed to address threats. Here are the top software supply chain security risks:

  1. Lack of Provenance (no identity)
  2. Hacking the Build
  3. Guardrails that prevent a fast response
  4. Unknown and Problematic Package Dependencies

| Software Supply Chain Security Risks | Description | How to Mitigate This Risk |
| --- | --- | --- |
| Lack of Provenance (no identity) | Knowing who is making changes and where they are coming from is critical to the software supply chain. This lack of identity allows an anonymous code ‘hack.’ | To manage this risk, code and package signing should be required for usage. |
| Hacking the Build | Most open-source objects are built by individuals or CI systems that rely on uncontrolled scripts. One-off scripts make it easy to inject nefarious objects into binaries, component images, or release packages. | To mitigate this software supply chain risk, repeatable builds across a build pool and minimizing scripted processes are needed. Check out the Solarwinds hack. |
| Guardrails can prevent a fast response | Once a vulnerability is identified, the time from an update to release must be condensed. Tight control of the release schedule can become a problem when a known vulnerability needs to be addressed. | The release process should have emergency procedures to go around well-intended guardrails. |
| Unknown and Problematic Package Dependencies | Visibility into shared packages is core to managing the supply chain. Without visibility into shared packages, you have no idea of your risks and vulnerabilities until it is too late. | SBOMs and CVE reports mitigate this condition and should be automated as part of the CI/CD process. Check out the recent Log4J vulnerability. Learn about Ortelius.io, an open-source evidence store for security and DevOps data. |

The Widespread Use of Open-Source in the Software Supply Chain

The widespread use of open-source across global organizations has significantly influenced the need for transparent software supply chain management. Organizations opt for open-source software for a variety of compelling reasons. Firstly, cost-effectiveness is a major driver, as open source eliminates licensing fees, making it an economical choice for businesses of all sizes. Secondly, using open-source often results in faster innovation and the development of robust, high-quality solutions.

According to GitHub, 78% of organizations claim they use open-source software in their supply chain. Recent software supply chain attacks, such as Log4J, have exposed how organizations that consume open-source as part of their development process can become vulnerable to cyberattacks.


According to a 2017 Black Duck Study, the average percentage of open-source in the codebases of the applications scanned by Black Duck grew from 36% to 57% in 2017. This suggests that applications may now contain more open-source than proprietary code.

Software Supply Chain management controls and exposes the open-source inventory used across teams. Knowing where open-source is running across development, testing, and production environments is critical for rapidly responding to open-source software supply chain vulnerabilities. With open-source software vulnerabilities increasing, managing the flow of open-source packages into an organization’s software supply chain is essential for proactively preventing cyberattacks related to open-source code.

Software Supply Chain Management in a Decoupled Environment

In a decoupled architecture, hundreds of shared ‘feature’ components are developed to create the building blocks of software systems. The concept of a monolithic application goes away. In its place is a logical application that is comprised of a collection of common components, along with application-specific components.

In this type of decoupled architecture, security data, such as SBOMs, is spread across hundreds of independently deployed components. Creating an SBOM for each logical application can be difficult, if not impossible. To solve this, the data must be aggregated across multiple components to create an SBOM and CVE report representing the complete logical solution delivered to end users. Adding to the complexity is the speed at which independently deployed components are moved across the pipeline. The result is that the logical application SBOMs become highly dynamic, with a new one created for each component update.

As decoupled architectures become the norm, Software Supply Chain Management must include the continuous aggregation of security insights to all logical applications impacted by a change in the supply chain. Supply chain versioning will also become critical to understanding the smallest of software changes occurring all day.  From tracking open source components to generating logical application SBOMs, software supply chain management will be essential for development teams committed to delivering safe software to their end users.

Conclusion

Looking ahead, the future of Software Supply Chain Management will likely involve increased automation, integration with emerging technologies like artificial intelligence, and a stronger emphasis on DevSecOps—a collaborative approach integrating development, security, and operations. Software Supply Chain Management is a critical discipline in today’s software development landscape. By embracing SSCM principles, organizations can enhance security, streamline processes, and ensure the efficient and reliable delivery of software in our increasingly digital world. As technology evolves into decoupled architectures, SSCM will play a pivotal role in helping organizations control an increasingly complex system.

Software Supply Chain Management Platforms will evolve to perform:

  1. Continuous tracking of component versions that the logical application version consumes.
  2. Roll-up of Component SBOM reports to each logical application version SBOM report.
  3. Continuous scan of CVEs for all logical application versions based on the SBOM aggregated data.
  4. Central communication system for broadcasting issues across IT teams.
  5. Enhancement of the DevOps pipeline to gather application security data continuously and aggregate the results to the consuming logical applications.
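
The roll-up described in items 1 to 3, and in the decoupled-architecture section above, can be sketched as follows. This is an added example, not DeployHub or Ortelius code; the component names, versions, data layout, and the advisory with its placeholder ID are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from DeployHub or Ortelius).
# Component version -> packages listed in that component's SBOM.
COMPONENT_SBOMS = {
    ("cart-service", "1.4.0"): {("log4j-core", "2.14.1"), ("spring-core", "5.3.9")},
    ("auth-service", "2.1.0"): {("spring-core", "5.3.9")},
    ("cart-service", "1.5.0"): {("log4j-core", "2.17.1"), ("spring-core", "5.3.9")},
}
# Logical application version -> component versions it consumes.
APP_VERSIONS = {
    ("web-store", "v10"): [("cart-service", "1.4.0"), ("auth-service", "2.1.0")],
    ("web-store", "v11"): [("cart-service", "1.5.0"), ("auth-service", "2.1.0")],
    ("kiosk", "v3"): [("cart-service", "1.4.0"), ("pay-service", "0.9.0")],
}
# Constructed advisory with a placeholder ID.
ADVISORY = {"id": "CVE-PLACEHOLDER-0001", "package": "log4j-core", "affected": {"2.14.1"}}


def rollup_sbom(app_version):
    """Aggregate component SBOMs into one logical-application SBOM.
    Components with no SBOM on record are returned in `missing`: unknown
    risk, not clean."""
    packages, missing = defaultdict(list), []
    for component in APP_VERSIONS[app_version]:
        sbom = COMPONENT_SBOMS.get(component)
        if sbom is None:
            missing.append(component)
            continue
        for package in sbom:
            packages[package].append(component)
    return dict(packages), missing


def where_is_running(package_name):
    """Answer 'where is <package> running?' across all application versions."""
    hits = []
    for app_version in sorted(APP_VERSIONS):
        packages, _ = rollup_sbom(app_version)
        for (name, version), components in sorted(packages.items()):
            if name == package_name:
                hits.extend((app_version, c, version) for c in components)
    return hits


def affected_apps(advisory):
    """Logical application versions whose rolled-up SBOM matches the advisory."""
    return sorted({app for app, _, version in where_is_running(advisory["package"])
                   if version in advisory["affected"]})
```

Because the roll-up is keyed by logical application version, a new component release (here `cart-service` 1.5.0) yields a new application SBOM, and the component with no SBOM on record surfaces as a gap instead of silently passing the scan.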

DeployHub Exposes the Open-Source In Your Supply Chain

Open Source Inventory

Tracking the inventory of open source software is a key function of software supply chain security. DeployHub’s open source software supply chain security platform gathers application security intelligence to continuously expose open-source package inventory. With DeployHub, you can view where a single open-source package is consumed by just asking “where is spring running?” DeployHub will answer the question showing where it is running across hundreds of endpoints and environments.


Start Tracking Your Software Supply Chain Today

Sign up for DeployHub Team and Take Control of Your Open-Source Supply Chain Today for Free

Sign up for DeployHub Team, the free SaaS software supply chain security platform. DeployHub Team is based on the Ortelius Open Source project incubating at the Continuous Delivery Foundation.


Suggested Whitepaper

Collecting and organizing evidence is required for a comprehensive view of your organization’s supply chain and risk. Learn how an open source software supply chain security platform can aggregate this level of data across organizational siloes serving IT teams with different data requirements.
