Cybersecurity as a Business Enabler

How Software Supply Chain Attacks Highlight Open Source Security Issues

By Chris Hughes | October 4, 2022 | Updated: December 1, 2022

You would be hard-pressed to find a more discussed topic in the cybersecurity industry in 2022 than the software supply chain. This is for good reason, too, as research and studies have shown that software supply chain incidents are increasing exponentially. While sources such as the Cloud Native Computing Foundation (CNCF) Catalog of Software Supply Chain Attacks show incidents dating back to the early 2000s, research published at venues such as USENIX shows a tremendous uptick in software supply chain attacks in recent years.

Graphic: Counting Broken Links: A Quant’s View of Software Supply Chain Security (source: Counting Broken Links: A Quant’s View of Software Supply Chain Security)

Government Response

By now, everyone is familiar with the SolarWinds and Log4j incidents as well as the subsequent publication of the White House cybersecurity executive order. Now, the Office of Management and Budget (OMB) has published a memo, “Enhancing the Security of the Software Supply Chain through Secure Development Practices.”

The memo calls for broad, impactful actions. These include directing all federal agencies to prepare to require self-attestation conformance statements from third-party software producers, affirming that they follow the practices and activities identified in guidance such as the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF) and NIST’s Software Supply Chain Security Guidance. It also states that agencies may request a Software Bill of Materials (SBOM) from software producers.

While, at first glance, this memo and its associated guidance may seem irrelevant to the commercial industry, it is worth pointing out that the federal government is, in aggregate, one of the largest procurers of software in the world. This means that these requirements will inevitably have an impact on the software ecosystem. It is also a signal to the commercial industry of how seriously the federal government views the problem of software supply chain security.

It isn’t a stretch to suspect that many large commercial enterprises may start to request similar levels of assurance and digital artifacts from their own software vendors, as well as adopt guidance such as the SSDF for their internal software development activities.

However, many of these requirements may not be practical for some of the small to mid-sized software vendors, particularly those without robust internal cybersecurity staff and expertise. This presents a challenge that may limit the federal government’s and potentially even large enterprises’ access to the innovative software solutions that small firms bring to the marketplace. But the rapid uptick in software supply chain attacks indicates this is a problem that simply can’t be ignored by the industry, either.

Where Open-Source Software Comes In

Much of this activity is tied to broader efforts to address an industry-wide immaturity in the consumption, use, and governance of open-source software (OSS). Industry organizations such as the Open Source Security Foundation (OpenSSF) have launched efforts such as the Open Source Software Security Mobilization Plan to try to address the pervasive challenges the industry faces when it comes to OSS security.

Most organizations simply don’t understand the true extent of their OSS consumption and use, nor the risk associated with it. As highlighted by the OpenSSF plan, the industry as a whole has overarching problems that need to be addressed. These include securing OSS production, improving vulnerability discovery and remediation, and shortening the ecosystem’s patching response time.

It’s no secret that OSS is driving major digital transformations and innovative capabilities in everything from industrial control systems (ICS), manufacturing, and retail to the federal government and national security applications. But without proper security practices, development, and governance, it also poses a systemic risk that, left unchecked, can cripple those same industries and have dire consequences for society as a whole. Much like the legend of the Gordian Knot, dealing with the challenges OSS poses may require innovative, outside-the-box thinking that traditionally hasn’t been applied to software or cybersecurity.

Chris Hughes, CISO & Co-Founder, Aquia

Chris Hughes is an Acceleration Economy Analyst focusing on Cybersecurity. Chris currently serves as the Co-Founder and CISO of Aquia. Chris has nearly 20 years of IT/Cybersecurity experience, ranging from active duty time with the U.S. Air Force and time as a Civil Servant with the U.S. Navy and General Services Administration (GSA)/FedRAMP to time as a consultant in the private sector. In addition, he is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris also participates in industry Working Groups such as the Cloud Security Alliance’s Incident Response Working Group and serves as the Membership Chair for Cloud Security Alliance D.C. Chris also co-hosts the Resilient Cyber Podcast. Chris holds various industry certifications such as the CISSP/CCSP from ISC2, as well as both the AWS and Azure security certifications. He regularly consults with IT and Cybersecurity leaders from various industries to assist their organizations with their Cloud migration journeys while keeping Security a core component of that transformation.
