Managing the software supply chain of your applications is challenging but necessary.
A great way to get started is simply by knowing what’s in your applications. You can use an SCA solution like Black Duck to assemble a software Bill of Materials. A good SCA solution, however, goes well beyond just identifying open source components. It can report on known vulnerabilities associated with the components you used, giving you a quick view into which components might expose security vulnerabilities in your application. In addition, an SCA solution can identify which licenses go with which components and can quickly let you know if the components you used have licenses that are compatible with how you want to sell and deploy your software.
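As an added illustration of the workflow this paragraph describes (assemble an SBOM, then check its components against known-vulnerability records and a license policy), here is a small script. It is example code written for this article, not Black Duck's or any SCA vendor's code; the CycloneDX-style SBOM fragment, the vulnerability records (placeholder IDs, not real CVEs) and the license allowlist are all constructed inline so it runs offline.

```python
"""Added example: check a CycloneDX-style SBOM against a vulnerability list
and a license policy. All data below is constructed for illustration."""
import json

# Constructed CycloneDX-like SBOM fragment; component names and versions are hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "log-helper", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-helper@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "yaml-parse", "version": "5.3.0",
     "purl": "pkg:pypi/yaml-parse@5.3.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "netlib", "version": "1.0.9",
     "purl": "pkg:npm/netlib@1.0.9",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}
"""

# Constructed vulnerability records in an OSV-like "introduced / fixed" shape.
# The IDs are placeholders, not real advisory identifiers.
VULN_DB = [
    {"name": "log-helper", "introduced": "2.0.0", "fixed": "2.15.0",
     "id": "PLACEHOLDER-0001", "severity": "critical"},
    {"name": "yaml-parse", "introduced": "0", "fixed": "5.4.0",
     "id": "PLACEHOLDER-0002", "severity": "high"},
    {"name": "netlib", "introduced": "1.1.0", "fixed": "1.2.0",
     "id": "PLACEHOLDER-0003", "severity": "medium"},
]

# Constructed license policy for a proprietary, commercially distributed product.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings.
    Only plain dotted-integer versions are handled here (no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, introduced, fixed):
    """Half-open range [introduced, fixed): the fixed version itself is clean."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_text):
    """Extract name, version, purl and SPDX license IDs from the SBOM."""
    bom = json.loads(sbom_text)
    comps = []
    for c in bom.get("components", []):
        licenses = [entry["license"]["id"] for entry in c.get("licenses", [])
                    if "license" in entry and "id" in entry["license"]]
        comps.append({"name": c["name"], "version": c["version"],
                      "purl": c.get("purl"), "licenses": licenses})
    return comps


def find_vulnerabilities(components, vuln_db):
    """Match each component against every record for the same package name."""
    findings = []
    for comp in components:
        for vuln in vuln_db:
            if vuln["name"] == comp["name"] and is_affected(
                    comp["version"], vuln["introduced"], vuln["fixed"]):
                findings.append({"component": comp["purl"], "id": vuln["id"],
                                 "severity": vuln["severity"], "fixed_in": vuln["fixed"]})
    return findings


def find_license_violations(components, allowed):
    """Flag components with no declared license or any license outside the allowlist."""
    violations = []
    for comp in components:
        disallowed = [lic for lic in comp["licenses"] if lic not in allowed]
        if disallowed or not comp["licenses"]:
            violations.append({"component": comp["purl"], "licenses": comp["licenses"]})
    return violations


def report(sbom_text, vuln_db=VULN_DB, allowed=ALLOWED_LICENSES):
    comps = load_components(sbom_text)
    return {"components": len(comps),
            "vulnerabilities": find_vulnerabilities(comps, vuln_db),
            "license_violations": find_license_violations(comps, allowed)}


if __name__ == "__main__":
    print(json.dumps(report(SBOM_JSON), indent=2))
```

Two design points worth noting: version comparison is done on integer tuples rather than strings (a string compare would rank "2.9.0" above "2.14.1"), and the affected range is half-open so that the version carrying the fix is not reported. A real SCA tool adds much more (transitive dependencies, fuzzy package matching, non-numeric version schemes), but the shape of the report, a list of vulnerable components with the version that fixes each plus a list of license policy conflicts, is the same.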
After you’ve established a baseline of protecting your application supply chain, extend coverage to the rest of the attack surface. For first-party code, incorporate static application security testing (SAST). If your SCA tool has binary analysis capabilities (such as Black Duck Binary Analysis), you can use it to understand the composition of the container images you deploy your application in. Any infrastructure-as-code you use for your application can likewise be scanned with a SAST tool.
Remember that the supply chain extends all the way to when the user interacts with your application, so make sure you understand the scope and breadth. Then make plans to reduce risk holistically.
Documentation is key to success. A good starting point is the SBOM. The recent executive order is a bellwether; customers and executive teams alike will start to require evidence of supply chain security as a part of the products or services you deliver.
Application development and application security are converging. Effective risk management demands that security is part of the entire application supply chain. If you haven’t started, consider incorporating SCA or SAST into your process. If you’ve already started, make sure you are thinking about the full breadth of the supply chain and expand your activities for better coverage.