- Almost one year after the SolarWinds attack was uncovered, many organizations are still struggling to protect the software supply chain from third-party risk, according to a panel of Forrester analysts speaking at the company's Security & Risk conference this week.
- To support digital transformation, organizations are leveraging artificial intelligence and machine learning, according to Alla Valente, senior analyst at Forrester. For many organizations, the question is whether they are going to buy the technology or build it themselves. If organizations buy the AI or ML algorithms, they are often not properly maintained or proper training is not provided.
- Companies are also introducing a large amount of third-party risk by leveraging open source or buying commercially available software, which contains anywhere from 75% to 90% open source, according to Valente.
A lot of firms rushed towards digital transformation during the pandemic to help maintain business continuity, according to Sandy Carielli, a principal analyst at Forrester. However, there is a question as to whether these companies were prepared for these changes, and what happened as a result.
The result was to create new skeletons for the closet, according to Christopher Condo, principal analyst at Forrester.
"When people are rushing to get new digital transformative features out the door, new UI's, new capabilities, a lot of times they put security last," Condo said. "If you don't think about security up front, you can have issues like secure by design, where you end up having to bolt on security at the end."
A lot of development teams have had a laissez-faire approach to security. For example, most developers just connect to a repo when they download the latest software versions of whatever packages they are using.
"Are those packages being scanned?" Condo asks. "Is everybody even using the same version?"
Another concern is when an open source package is downloaded, it has dependencies on other third-party components, Condo said. Sometimes a single person working on a hobby project may be supporting an entire enterprise application since their particular open source project may be the lynchpin to a specific library or an algorithm.
There is also a newer risk called dependency confusion, Condo said. If a package is not properly named, and given a namespace that is local to a particular enterprise, a hacker can create a package with the exact same name. That package could be inadvertently downloaded instead of the legitimate package.
Another potential entry point includes the tools that many firms use to create software. For example, there are elevated privileges built into their continuous integration server, Condo said. If an internal actor or an outside hacker gains access to that system, that creates another opening for third party risk.
The Biden administration issued an executive order on securing the software supply chain earlier this year, which included a software bill of materials requirement. However, there are gaps in the order, Valente said. For example, the order applies to companies providing software directly to the federal government, but not to companies that are supplying to federal contractors.