We are business leaders. When we talk about supply chain, we are tasked to expand our focus beyond cyber risks to look at things that have a larger impact on our organizations, such as the diversification of supply and suppliers, reducing carbon footprints, governance issues, and other matters of importance in the business world.

But instead – as was the case 10 years ago – we’re stuck talking about the vulnerabilities supply chains introduce. It is time to put a stop to unnecessary supply chain vulnerabilities. Let’s establish a workable framework that can serve as a first line of defense to lower the perpetual risk of having these issues.

Like other parts of the business, we depend on suppliers who themselves depend on third, fourth and fifth parties. For the most part, there is no active examination of their products until a vulnerability is discovered, at which point it’s too late.

Take the zero-day vulnerability in Apache Log4j published in December 2021. This vulnerability came from an obscure open source library. No one was paying attention.

Our knee-jerk reaction is to patch, which is necessary. But we have to stop doing things after the fact and understand what risks we introduce by failing to have a verification and validation process, agreeable across the industry, that won’t be an impediment to getting things done.

Below are some major factors contributing to these vulnerabilities and recommendations for mitigating them:

1) Open source software. When we use open source software, in many instances it’s packaged with many modules. We may only need one or two pieces, but people tend to take the whole package and install it. We open ourselves up to risk by introducing libraries that aren’t doing anything for our organizations but can contain vulnerabilities that someone can exploit.

The solution: Install only what you need. Do the analysis. Don’t take the whole bundle and put it in.

2) Coding that doesn’t follow accepted standards. Coding continues to be very unstructured, despite the existence of various standards. Developers have the freedom to put in what they want, and aren’t necessarily following a standardized structure. They may be writing the code for an environment that is secure, but aren’t making sure it won’t develop issues in other environments. The current climate of getting to market fast rather than getting it right only encourages that laxity.

The remedy: We need, as an industry, to require software developers to follow agreed, acceptable standards. Otherwise, we will never know if there have been quality checks when we buy something. After the fact, we’re going to find out that we’ve installed a piece of Swiss cheese, with holes everywhere. The cycle will repeat again and again.

3) Lack of transparency. There is not a lot of transparency about those packages. We rely on vendors to tell us what has been done. We don’t have a lot of insight into what’s inside until it’s too late. We need details about what pieces have gone into the technologies.

The answer: Demand a move from obscurity to greater transparency. I’m not asking for anyone to give away the secret sauce. But the push must be for the supply chain to be more honest and open.

4) We’ve been turned into guinea pigs. Because of the immense pressure to get technology to market, developers often don’t do a lot of rigorous testing. Customers are used as the test bed. We’re the ones who end up doing the penetration testing and dynamic application testing after we’ve installed the software. We have a piece of software that might be critical to our business, but we put ourselves at risk because the developer didn’t test extensively.

The antidote: Demand proof of some baseline testing at the very least. We shouldn’t be the ones to find out that there is a vulnerability that would have been discovered if the developer had done the testing.

The supply chain inherently has many deficiencies. Time consumed by the vulnerability problem is not allowing us to think about things like automation and consolidation. If we correctly address how to fix this, it will make our lives easier.