Securing the Software Supply Chain by Michael Lieberman and Brandon Lum

In an increasingly digital world, the importance of software supply chain security cannot be overstated. This critical component of cybersecurity has witnessed a surge in attacks, with industry reports citing year-over-year growth of as much as 600% in recent years. Technical professionals need to grasp the intricacies of supply chain security and make it a priority for safeguarding their organizations against a wide spectrum of threats.

Join authors and well-known cybersecurity professionals Michael Lieberman and Brandon Lum as they delve into the complexities of this field, shedding light on the latest threats and best practices. Their book, Securing the Software Supply Chain, distills key insights from their work into a comprehensive picture of the evolving landscape of supply chain security.

Let’s dive in and explore some of the lessons that can be found within this comprehensive guide.


Out Now at Manning.com!


 

What is Supply Chain Security?

At its core, supply chain security means safeguarding the chain of people, code, tools and systems that produces and delivers the software an organization builds and runs. This is no simple task: the supply chain is a complex and ever-evolving ecosystem of many actors and systems, most of them outside your direct control, and without the right approach securing it can look like an insurmountable problem.

Origins of Software Supply Chain Security

The concept of supply chain security is nearly as old as computing itself. The canonical statement of the problem is Ken Thompson's 1984 Turing Award lecture, "Reflections on Trusting Trust", which showed that a compiler can be modified to insert a backdoor into the programs it builds, including into future copies of itself, so that no amount of source review proves a system safe: securing IT systems requires verifying not just the software but the compilers, toolchains and dependencies that produced it. Fast forward to contemporary times, and supply chain attacks have grown in frequency and sophistication. Notable examples include the SolarWinds SUNBURST attack, in which a tampered build of the Orion product was shipped to thousands of customers carrying a valid vendor signature, and the Meltdown and Spectre vulnerabilities, which showed that the processors beneath all of our software are part of the chain too. The Colonial Pipeline ransomware attack is often cited alongside them; its initial access came through a compromised VPN credential rather than a tampered dependency, but it illustrates the same lesson about how far damage spreads once a trusted component fails.

These incidents, among many more, caused millions of dollars of direct damage, and some estimates run far higher, into the billions, once customer remediation and remuneration are counted. Supply chain security is no joke, and ignoring it can ruin your business and harm your customers.

Threat Modeling and Resilience

Understanding the risks that the supply chain poses to you is the starting point. Threat modeling within the Software Development Lifecycle (SDLC) is crucial: enumerate where an attacker could insert or substitute code between a developer's keyboard and your production systems (source repositories, third-party dependencies, build systems, artifact registries, deployment pipelines), decide which of those threats matter given your risk appetite, and develop strategies to mitigate them. Architecting and implementing a robust supply chain security program around that model is what gives you resilience, so that a compromise in one link is contained rather than catastrophic.

Implementing Security Controls

A key part of successfully implementing supply chain security is keeping your controls practical. Each control should protect against a threat you identified in your model, and should do so without overburdening the systems and the people that have to live with it; a control that slows every build to a crawl will be worked around. This step is where theory meets action, and it is what leaves your organization well-prepared to defend against supply chain attacks.

Now, time to dig deeper into the nitty gritty.



The Bottom Turtle Problem

Supply chain security is not just a matter of securing your internal systems; it extends far beyond your organization's boundaries. Picture a stack of turtles, each standing on the one below it. Your software stands on its dependencies, those stand on their own dependencies, on their build tools and on the hardware that runs them, and so on down. A compromise anywhere below you can ripple up the stack into your systems, so it is not enough to apply supply chain security practices to your own systems: you also have to verify that your dependencies do the same, and that theirs do too. The recursion has to end somewhere, at a turtle you have decided to trust, and deciding which turtle that is and why you trust it is the recursive problem often referred to as the "bottom turtle problem". It is why supply chain security has to be comprehensive rather than local.

Establishing Trust in a Zero-Trust World

Because compromises can occur inside systems you already trust, a zero-trust posture is essential: nothing is trusted by default, and every artifact, identity and component has to be verified explicitly. Supply chain security then hinges on establishing trust deliberately, at appropriate levels and only with parties whose assurances match your organization's risk appetite. Depending on where you draw that line, it may mean anchoring a root of trust in your processor manufacturer, enforcing code signing with keys protected by a trusted platform module (TPM), or establishing trust with software vendors through cryptographic signatures on what they ship.
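
The two points above, verifying each dependency recursively down to a root you have chosen to trust (the bottom turtle) and trusting only signers you have explicitly enrolled, can be shown in a few dozen lines. The following Go program is an added example written for this article, not code from the book or from the authors' projects. The package graph, digests and vendor keys are constructed inside the program, and the statement format, the names Package, Attestation, VerifyChain and Demo, and the error wording are this example's own inventions rather than any real attestation standard.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Package is one turtle in the stack: an artifact digest plus the packages it stands on.
type Package struct {
	Name, Digest string // Digest is hex SHA-256 of the artifact (constructed values below)
	Deps         []string
}
// Attestation is a signed statement vouching for an artifact and for the exact digests of
// the dependencies it was built against. KeyID is the signer's hex-encoded public key.
type Attestation struct {
	Statement, Signature []byte
	KeyID                string
}
func digestOf(content string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(content))) }
// statement spells out what is vouched for, so the signature also binds the turtles beneath
// (Deps are taken in declared order; a real statement format would canonicalise them).
func statement(p Package, graph map[string]Package) []byte {
	var b strings.Builder
	fmt.Fprintf(&b, "%s@%s\n", p.Name, p.Digest)
	for _, d := range p.Deps {
		fmt.Fprintf(&b, "  dep %s@%s\n", d, graph[d].Digest)
	}
	return []byte(b.String())
}
func sign(p Package, graph map[string]Package, priv ed25519.PrivateKey) Attestation {
	st := statement(p, graph)
	return Attestation{Statement: st, Signature: ed25519.Sign(priv, st), KeyID: fmt.Sprintf("%x", priv.Public())}
}
// VerifyChain walks from root to the leaves. Every package must carry an attestation from a key
// in the trust policy whose statement matches the resolved graph; the first failure is reported
// with the path that led to it, which is the turtle with nothing beneath it.
func VerifyChain(root string, graph map[string]Package, atts map[string]Attestation, trusted map[string]ed25519.PublicKey) error {
	visited := map[string]bool{}
	var walk func(name string, path []string) error
	walk = func(name string, path []string) error {
		path = append(path, name)
		where := strings.Join(path, " -> ")
		if visited[name] {
			return nil // already verified via another path; this also stops dependency cycles
		}
		visited[name] = true
		p, known := graph[name]
		att, attested := atts[name]
		if !known || !attested {
			return fmt.Errorf("%s: no package or attestation to stand on (bottom turtle)", where)
		}
		pub, ok := trusted[att.KeyID]
		if !ok {
			return fmt.Errorf("%s: signed by untrusted key %.8s", where, att.KeyID)
		}
		if !ed25519.Verify(pub, att.Statement, att.Signature) || string(att.Statement) != string(statement(p, graph)) {
			return fmt.Errorf("%s: signature invalid or attestation does not match the resolved graph", where)
		}
		for _, d := range p.Deps {
			if err := walk(d, path); err != nil {
				return err
			}
		}
		return nil
	}
	return walk(root, nil)
}
// Demo signs a constructed three-package graph with one vendor key, applies one mutation per
// scenario and returns each scenario's verification result (nil means the chain verified).
func Demo() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{fmt.Sprintf("%x", vendorPub): vendorPub}
	run := func(mutate func(g map[string]Package, a map[string]Attestation)) error {
		g := map[string]Package{
			"app":  {Name: "app", Digest: digestOf("app build 1"), Deps: []string{"libA"}},
			"libA": {Name: "libA", Digest: digestOf("libA 2.0"), Deps: []string{"libB"}},
			"libB": {Name: "libB", Digest: digestOf("libB 7.1")},
		}
		a := map[string]Attestation{}
		for n, p := range g {
			a[n] = sign(p, g, vendorPriv)
		}
		mutate(g, a)
		return VerifyChain("app", g, a, trusted)
	}
	return map[string]error{
		"healthy": run(func(map[string]Package, map[string]Attestation) {}),
		"untrusted signer": run(func(g map[string]Package, a map[string]Attestation) {
			a["libB"] = sign(g["libB"], g, strangerPriv) // vouched for by a key we never trusted
		}),
		"missing attestation": run(func(_ map[string]Package, a map[string]Attestation) {
			delete(a, "libB") // nothing beneath the last turtle
		}),
		"swapped dependency": run(func(g map[string]Package, _ map[string]Attestation) {
			g["libB"] = Package{Name: "libB", Digest: digestOf("libB 7.1 rebuilt elsewhere")} // swapped after libA was attested
		}),
	}
}

func main() { fmt.Println(Demo()) }
```

Run it with go run; each scenario prints nil or the path to the turtle that failed. The detail worth noticing is the swapped dependency case: a signature over the artifact alone would not catch it, because libA's attestation still verifies on its own. It is only because the statement also names the digest of libB that the substitution shows up one level above where it happened, which is the ripple effect the turtle analogy describes. In a real deployment the attestations and the trust policy would come from a registry or key store rather than being generated in the same process.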

 


Securing the Software Supply Chain offers a comprehensive exploration of this critical field. The key takeaways for technical professionals are what supply chain security is; when, how and why to implement controls; the bottom turtle problem; and how to establish trust in a zero-trust world. By grasping these concepts, and more, we can better protect our software, systems and users, and fortify our organizations against the ever-increasing threats in the digital supply chain.

Get your copy of Securing the Software Supply Chain now! Dive deeper into the lessons discussed here, and many more, to help keep your supply chain secure.