Page 64 - Security Today, September/October 2024

                 the chain.”
Moreover, according to Capterra's "2023 Software Supply Chain Survey," 61% of companies were impacted by a software supply chain cyber-attack in the 12 months preceding the survey [3]. This statistic alone should be a wake-up call for organizations to take immediate action.
As these threats continue to grow in scope and frequency, the time to act is now. Organizations can no longer afford to operate on blind trust when it comes to software security. They must start holding themselves and their vendors accountable for the security of the software they are using.
TRUST BUT VERIFY
Holding vendors accountable begins with a shift in mindset: from blind trust to trust but verify. Enterprises should take a proactive approach by directly analyzing the software they are using in their environments. Surprisingly, many organizations do not realize that this is even possible. However, with the right tools and processes in place, it can be done efficiently and effectively, often in a matter of minutes.
This is where "trust but verify" becomes crucial. Blind trust in software can lead to catastrophic consequences, as we have seen, but with comprehensive visibility into all software components and dependencies, organizations can begin to safeguard against these risks. This level of visibility can be integrated into everyday enterprise cybersecurity processes, ensuring that vulnerabilities are identified, prioritized appropriately, and mitigated before they can be exploited.
IMPLEMENTING SOFTWARE VERIFICATION
To address the challenges posed by software supply chain vulnerabilities, organizations must prioritize integrating software analysis into their cybersecurity processes and workflows. The findings from a recent NetRise research study underscore the critical importance of having a detailed understanding of all software components and risks. Here are some basic steps companies should consider:
Generate comprehensive SBOMs. Creating detailed Software Bills of Materials (SBOMs) is the foundation of effective supply chain security. SBOMs provide a clear inventory of all software components, including third-party libraries and dependencies. This inventory is essential for identifying and managing risks effectively. In a recent NetRise study, we generated detailed SBOMs for 100 tested networking equipment devices and found that each device contains 1,267 software components on average.
Implement automated software risk analysis. Automated analysis of each software or firmware package, component by component, gives a complete picture of its risk rather than the partial view an external scan provides. In the NetRise study, we found that the average network equipment device has 1,120 known vulnerabilities in its underlying software components. This risk state was over 200 times greater than what traditional network-based vulnerability scanning would lead one to believe.
Prioritize and compare software risks. Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as weaponization and network accessibility. This approach ensures that the most critical threats are identified. Using this prioritized list of critical threats, teams can compare and contrast the risk state of different software products under consideration. For example, in the NetRise study, we found that there are 20 weaponized vulnerabilities per networking device on average, and looking closer, only 7 of those weaponized vulnerabilities are also network accessible.
Establish responsible vulnerability and risk disclosure. Once analysis is implemented into existing cybersecurity processes and workflows, companies should establish processes for the responsible disclosure of vulnerability and risk assessment information to their software vendors. This information should be considered confidential and not shared outside the organization. The focus is not to condemn software vendors but to improve the state of software for all parties involved.
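The following script is an added example for this article and is not NetRise code or tooling. It walks the first three steps above on a constructed input: it parses a small CycloneDX JSON SBOM, matches each component's package URL against a vulnerability feed, and ranks the findings by weaponization and network accessibility before CVSS. The SBOM, the feed, the exploited-in-the-wild list (standing in for a source such as CISA KEV) and the network-exposure map are all constructed inline; the vulnerability identifiers are placeholders (`HYPO-...`), not real CVEs.

```python
"""Rank SBOM findings by weaponization and network exposure, not CVSS alone.

Added example; not code from the article or its author. All inputs below are
constructed for the demo.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5-style SBOM for a hypothetical firmware image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2u",
         "purl": "pkg:generic/openssl@1.0.2u"},
        {"type": "library", "name": "busybox", "version": "1.30.1",
         "purl": "pkg:generic/busybox@1.30.1"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "application", "name": "lighttpd", "version": "1.4.35",
         "purl": "pkg:generic/lighttpd@1.4.35"},
    ],
})

# Constructed vulnerability feed: purl -> [(placeholder id, CVSS base score)].
VULN_FEED = {
    "pkg:generic/openssl@1.0.2u": [("HYPO-2023-0001", 9.8), ("HYPO-2023-0002", 5.3)],
    "pkg:generic/busybox@1.30.1": [("HYPO-2022-0101", 7.5)],
    "pkg:generic/zlib@1.2.11": [("HYPO-2021-0200", 9.8)],
    "pkg:generic/lighttpd@1.4.35": [("HYPO-2020-0300", 6.5)],
}

# Constructed "exploited in the wild" list: the weaponization signal.
WEAPONIZED = {"HYPO-2023-0002", "HYPO-2022-0101", "HYPO-2020-0300"}

# Constructed exposure map from firmware analysis: components reachable from
# the network (a listening service and the TLS library it links).
NETWORK_EXPOSED = {"pkg:generic/lighttpd@1.4.35", "pkg:generic/openssl@1.0.2u"}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    component: str
    cvss: float
    weaponized: bool
    network_accessible: bool

    def priority(self) -> tuple[bool, bool, float]:
        # Weaponized AND reachable outranks weaponized, which outranks raw CVSS.
        return (self.weaponized and self.network_accessible, self.weaponized, self.cvss)


def parse_sbom(sbom_json: str) -> list[str]:
    """Return the purl of every component in a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [c["purl"] for c in doc.get("components", []) if "purl" in c]


def assess(sbom_json: str, feed: dict, weaponized: set, exposed: set) -> list[Finding]:
    """Match SBOM components against the feed and return findings, highest priority first."""
    findings = [
        Finding(vuln_id, purl, cvss, vuln_id in weaponized, purl in exposed)
        for purl in parse_sbom(sbom_json)
        for vuln_id, cvss in feed.get(purl, [])
    ]
    return sorted(findings, key=lambda f: f.priority(), reverse=True)


def cvss_only(findings: list[Finding]) -> list[Finding]:
    """The naive ordering, for comparison: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """The three numbers the article reports per device: total, weaponized, reachable."""
    return {
        "total": len(findings),
        "weaponized": sum(f.weaponized for f in findings),
        "weaponized_and_reachable": sum(f.weaponized and f.network_accessible for f in findings),
    }


if __name__ == "__main__":
    ranked = assess(SBOM_JSON, VULN_FEED, WEAPONIZED, NETWORK_EXPOSED)
    for f in ranked:
        flags = ("weaponized" if f.weaponized else "-", "network" if f.network_accessible else "-")
        print(f"{f.vuln_id}  cvss={f.cvss:<4}  {f.component:<32} {flags}")
    print(summarize(ranked))
    print("CVSS-only would start with:", cvss_only(ranked)[0].vuln_id)
```

On this input the naive CVSS ordering leads with a 9.8 that nobody is exploiting, while the prioritized list leads with a 6.5 in an exposed web server that is being exploited; that gap between a score and an actual risk is the reason the step above asks for factors beyond CVSS. Swapping the constructed feed and exposure map for real SBOM output and a real exploited-vulnerabilities source is the only change needed to run it against a device under evaluation.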
By focusing on these steps, organizations can significantly enhance the cybersecurity of their software supply chain and improve the security posture of their enterprise.
BUILDING STRONG VENDOR RELATIONSHIPS
Establishing accountability does not mean alienating your vendors. On the contrary, it can lead to stronger, more collaborative relationships. By collaborating closely with vendors to identify and mitigate vulnerabilities, organizations can foster trust and ensure that both parties are aligned in their commitment to cybersecurity. This collaboration can drive improvements in software quality and security, benefiting the entire ecosystem.
In today's rapidly evolving cyber threat landscape, it is no longer enough to trust that the software you purchase is secure. The risks are too great, and the consequences of a breach are too severe. By incorporating software analysis into cybersecurity processes and workflows, organizations can ensure that they are effectively managing risks in their software and hardware supply chains.
Comprehensive software visibility, automated risk analysis, and responsible risk disclosure are not just best practices; they are essential steps for any organization looking to protect its digital assets. It is time to move beyond trust alone. It is time to verify. By adopting these practices, organizations can build a robust foundation for their cybersecurity efforts and safeguard their operations against the growing wave of software supply chain attacks.
Now is the time to act. Integrate software analysis into your cybersecurity process today and take control of your software supply chain security.
Tom Pace is the co-founder and CEO at NetRise Inc.
REFERENCES
1. SBOMs Critical to Software Supply Chain Security, Security Boulevard, August 13, 2024.
2. 2024 Data Breach Investigations Report (DBIR), Verizon, 2024.
3. Three in Five Businesses Affected by Software Supply Chain Attacks in Last 12 Months, Capterra (Gartner), May 11, 2023.
SOFTWARE SECURITY