If you’re a cybersecurity professional working at any modern, connected organization that handles sensitive data and holds valuable intellectual property, the specter of a software supply chain compromise looms large.
Incidents such as the hacks of SolarWinds and 3CX’s desktop app, or the malicious takeover of the xz Utils open-source project, are reminders that threats and attacks may lurk in software from your most trusted suppliers whose applications and services are vital to the functioning of your organization. The question is: What is the best way to get a handle on a problem as large and amorphous as software supply chain risk?
Get started with RL's new how-to book, Software Supply Chain Security for Dummies. It’s a concise and well-sourced guide for anyone who is looking to manage their software supply chain risks. Published by Wiley, the new book is the latest addition to the celebrated “Dummies” family of how-to guides. Geared to the needs of both software producers and enterprise buyers, the book is a must-read for anyone hoping to stand up a robust software supply chain security program.
The guide is the work of co-authors Paul Roberts, ReversingLabs' head of editorial and content, and Charlie Jones, ReversingLabs' director of product for software supply chain security. It also contains contributions from Ashlee Benge, ReversingLabs' director of threat intelligence.
Here are three key takeaways from RL's new guide, Software Supply Chain Security for Dummies.
[ See RL's new Essential Guide: Software Supply Chain Security for Dummies ]
1. Understand supply chain security from the ground up
Software Supply Chain Security for Dummies identifies the core elements of a modern and effective software supply chain program and details the steps your organization can take to secure development environments; search for evidence of malicious activity within your development pipeline; and defend your environment from threats lurking in compromised or malicious software.
The book comes amid a worrying uptick in attacks targeting software supply chains. Data from ReversingLabs recorded a 1,300% jump in malicious packages discovered on open-source repositories between 2020 and 2023. There have also been dramatic and high-profile compromises of both commercial and open source code, including SolarWinds, 3CX, and the open-source xz Utils.
2. Follow best practices for identifying supply chain threats
The extensive web of proprietary, open-source, and commercial software and services that power modern organizations makes the job of tackling supply chain risks daunting. Add to that the difficulty that existing application security and third-party cyber-risk management (TPCRM) practices have in identifying modern supply chain attacks.
To help set the course for more robust software supply chain security practices, ReversingLabs' new "Dummies" book lays out best practices and tools that organizations can use to help identify stealthy supply chain attacks. Chapters explore the landscape of modern software supply chain risks and threats, discuss approaches to securing modern development and to build and release processes, and examine ways to manage cyber-risks in third-party commercial software. That includes the use of complex binary analysis, which both software producers and buyers can use to vet compiled and signed software binaries to detect evidence of compromise or tampering before the software is deployed.
3. How to best hunt for supply chain compromises
Finally, Software Supply Chain Security for Dummies walks the reader through methods for leveraging file threat intelligence and threat hunting strategies to zero in on software supply chain risks. Those include attacks on development infrastructure and pipelines as well as warning signs such as file rot (old files), exploitable vulnerabilities, leaked secrets, and more.
As with any issue related to cybersecurity, there is no silver bullet when it comes to securing your software supply chain. Organizations need to assess their risks and then plan and invest for the long term to safely manage those risks. That’s where Software Supply Chain Security for Dummies comes in, exploring the many elements of a modern and effective software supply chain program and talking about the steps your organization can take to both secure development environments, search for evidence of malicious activity within your development pipeline, and defend your larger software supply chain.
