An updated guide on risk management practices recommends that companies pay more attention to the security of their software supply chain, including by:
- Limiting access to software development environments and other ICT supply chain infrastructure, and monitoring remote access to those environments.
- Adopting “architectural designs, software development techniques and systems engineering principles that promote effective information security.”
- Structuring internal intrusion monitoring and anomaly detection services to look for supply-chain-related vulnerabilities, including back doors and malicious code implanted during software development.
In the report, organizations are advised to achieve software supply chain security, in part, by mapping their information systems supply chain and their operational dependencies on external organizations and suppliers. If no such program already exists, NIST advocates creating an “acceptance testing” program that assesses third-party software security, including searches for exploitable vulnerabilities, back doors or other malicious code. (Veracode’s Vendor Application Security Testing (VAST) is a good example of just such a third-party assessment program.)

The security of software supply chains is becoming a source of concern for security-conscious firms. Recent years have seen sporadic reports of security lapses in software and hardware supply chains. In 2012, Microsoft’s Malware Protection Center (MMPC) said it had observed an increase in malicious code infections linked to freeware and pirated software distributed globally. Malware authors, Microsoft said, were wrapping free versions of Adobe Flash and other applications with malicious wares. More recently, the Russian government claimed that teapots imported from China had come implanted with malicious software that could enable the kettles to connect to Wi-Fi-enabled devices within 200 meters and infect them.

The cyber risk posed by third-party suppliers of everything from laptops to automobiles is difficult to assess, though there are startups attempting to bring clarity to that market. What is clear: regulators and industry groups are taking notice. Already, the Financial Services ISAC (FS-ISAC) has issued guidance on how to manage the security of third-party service and product providers, which includes a call for better policies governing the use of open source and third-party components, as well as static binary analysis of third-party software modules. OWASP has also put the security of third-party software components on its Top 10 list of web application security concerns.
Finally, for banks, the Office of the Comptroller of the Currency recommended that regulated entities assess and manage third-party risk in its October 2013 Bulletin (2013-29). For more on threats to supply chain security, check out our video series Talking Code, a collaboration between Security Ledger and Veracode. You can also check out the Veracode web page for information on Veracode’s VAST application security testing program.