Software supply chain security fixes gain prominence at RSA

Attendees are urged to improve asset management, use SBOMs, and collaborate with government cybersecurity agencies to better ensure software integrity.

Given the significant cybersecurity problems that SolarWinds, Log4j, and other software supply chain compromises created over the past two years, it’s no surprise that software security emerged as a hot topic at this year’s RSA conference. Ahead of the event, ReversingLabs released a survey it commissioned of over 300 senior software employees on the struggles their firms face in detecting supply chain attacks.

Despite the recent spate of high-profile software supply chain security incidents, the ReversingLabs study found that fewer than four in ten companies say they can detect tampering with developed code. In addition, less than 10% of companies are reviewing software at each product lifecycle stage for evidence of tampering or compromises.

SBOM usage is sparse but expected to grow rapidly

When it comes to one crucial emerging tool that can better ensure software security, a software bill of materials (SBOM), the ReversingLabs survey found that only 27% of the IT professionals surveyed said their employer generates and reviews SBOMs before releasing software. Of those respondents who do not develop SBOMs, 44% cited a lack of expertise and staffing needed to do so, while 32% cited a lack of budget for implementing SBOMs. Only 7% of respondents at companies that don’t produce SBOMs said the reason was that an SBOM wasn’t needed.

The sparse usage of SBOMs is quickly becoming a thing of the past for two primary reasons, Allan Friedman, senior advisor and strategist at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told RSA attendees. First, because of events like SolarWinds, organizations are starting to demand SBOMs for the software they use as a security measure to identify problematic code.
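As an added example (not code from the article, ReversingLabs, or CISA), the following Python sketches the "generate and review SBOMs before release" step the survey asks about: it reads a constructed CycloneDX-style SBOM and flags components whose version falls below a constructed advisory threshold. The SBOM contents and the advisory table are assumptions for illustration, not real advisory data.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM (CycloneDX-style JSON); not taken from any real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
    ],
})

# Constructed advisory table: purl (without version) -> first version treated as fixed.
# Illustrative only; a real review would pull this from a vulnerability feed.
ADVISORIES: Dict[str, str] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.17.1",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so tuples compare numerically; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def review_sbom(sbom_json: str) -> List[dict]:
    """Return components whose purl matches an advisory and whose version is below the fixed one."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        base, sep, version = purl.partition("@")
        if not sep:  # no version in the purl: nothing to compare against
            continue
        fixed = ADVISORIES.get(base)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append({"purl": purl, "fixed_in": fixed})
    return findings


def release_gate(sbom_json: str) -> bool:
    """The 'review before release' decision: True only when no component is flagged."""
    return not review_sbom(sbom_json)
```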

This article appeared in CSO Online. To read the rest of the article, please visit here.



Why the Huawei ban is bad for security

Many believe the ban on exporting U.S. technology to Chinese company Huawei could hurt American tech vendors and do little to mitigate supply chain threats.

Last week, Google reportedly warned the Trump Administration that its current ban on exports to Huawei might actually jeopardize national security by forcing Huawei to create an insecure fork of its Android operating system, according to the Financial Times.

That ban was imposed as part of a Commerce Department effort announced in mid-May which placed the Chinese telecom and tech giant on a U.S. export blacklist, the “entity list,” for its purported efforts to spy on behalf of the Chinese government. Two other companies — the telecom giant ZTE and a memory chip maker, Fujian Jinhua Integrated Circuit — were also placed on the list and the administration is now reportedly considering adding video surveillance company HikVision to it.

Two days before Google’s reported warning was made public, the Washington Post released the results of a survey of 100 cybersecurity experts from government, academia and the private sector who mostly concluded that the ban would only end up hurting U.S. tech companies and further diminish U.S. influence over the security of new products. One of the experts, former Facebook security chief Alex Stamos, now a Hoover Fellow at Stanford University, said that the ban could cause China to “emerge as the indispensable nation in consumer technology.”

This article appeared in CSO Online. To read the rest of the article, please visit here.


With supply chain security grabbing headlines, NIST sees new…

Supply chain is sexy again, and NIST hopes that means more companies take its supply chain risk guidance seriously.

Cybersecurity in the supply chain is a dense, massively complicated topic that lies beyond the comprehension of all but a few dedicated experts. It has nonetheless risen to the top of the security challenges organizations face today. “Supply chain is the new black. Supply chain is sexy again. That’s kind of hard to imagine,” said Jon Boyens, manager of security engineering and risk management at the National Institute of Standards and Technology (NIST). Boyens, who manages NIST’s cybersecurity supply chain efforts, made that comment during a plenary session at NIST’s Cybersecurity Risk Management Conference.

NIST’s long history with supply chain risk

NIST is an old hand at supply chain outside the cybersecurity realm, starting decades ago when it began developing guidance for managing risk in global industrial and defense supply chains. “Supply chain is the most mature in its gestation because we’ve had all sorts of permutations along the way. This is an old topic for defense organizations,” says Matt Barrett, NIST’s Cybersecurity Framework lead.

This article appeared in CSO Online. To read the rest of the article, please visit here.