The software an enterprise buys can introduce just as much risk into the organization as the software the enterprise builds itself. However, even enterprises that have mature secure development processes are prone to inadequately securing their software supply chain. Why? Because ensuring the software an enterprise is purchasing is secure is hard. Typical software supply chain security programs consist of questionnaires — trusting that vendors are truthful and knowledgeable about their security programs. However, when a testing process is put into place, 90 percent of vendor-supplied applications fail basic security testing.
Even companies that create strong software supply chain security programs end up giving their largest software suppliers an out, as long as the vendors can document their security practices. Enterprises frequently assume that applications from a large software supplier are more secure than those coming from a smaller vendor. However, a recent report detailing how hackers broke into third-party software to steal personal records from federal employees and contractors demonstrates this isn't true.
The report shows that hackers accessed data through an SAP enterprise resource planning application, stealing private information from tens of thousands of national security personnel. The report also states that, "targeting middlemen and downstream suppliers has become common in sophisticated hacking campaigns." Hackers don't care how they access an enterprise's data, as long as they can get to it. As a result, they target the path of least resistance — which is often the application layer — and if enterprises are getting better at securing the applications they build, hackers will then target the applications they buy.
Ultimately, enterprises must hold the software they buy to the same security attestation standards as the software they build themselves. Otherwise, every third-party application the enterprise purchases introduces risk into the organization. As the PwC "State of Cybercrime Survey" stated:
"Not all companies recognize that supply chain vendors and business partners . . . can have lower—even nonexistent—cybersecurity policies and practices, a situation that can increase cybercrime risks across any entity that partner or supplier touches."
What can enterprises do? They can start by rethinking their software supply chain protocols. But transforming supply chain practices can be a daunting task if you don't know where to start. The "7 Habits of Successful Supply Chain Transformations" whitepaper provides actionable advice on how to tackle the supply chain problem.