What to do about it: Technology buyer lens
- Align supply chain risk management requirements. Buyers can start reviewing guidance such as SSDF and BSIMM now to consider how to incorporate them—as well as related independent validation and verification testing and breach notification activities—into contractual requirements and SLAs.
- Plan for using a Software Bill of Materials. A Software Bill of Materials will bring transparency into which third-party open source software libraries have been incorporated within a software product—whether commercial, proprietary, or open source. Armed with this information, a buyer can identify risks within each application, such as unpatched vulnerabilities disclosed within the National Vulnerability Database. Since vulnerability disclosures will occur throughout an application’s lifespan, implementing a continuous monitoring process for new disclosures is key to maintaining a fully patched deployment, as is validating that all patches match the origin of the application or its libraries. Buyers should look to suppliers for attestations when there is any question of applicability of any given weakness, vulnerability, patch, or associated mitigations.[RJB] Most importantly perform a software supply chain risk assessment BEFORE any attempt to install a software package - check out this Energy Central PowerTalk for best practices
- Apply zero trust. Buyers also need to consider zero trust, threat-informed defense approaches to safeguarding their own environments from continuing supply chain risks.
Never trust software, always verify and report! ™