A May 30 report from research and advisory firm Gartner, Get Ahead of the Expanding Risk Frontier: Supply Chain Security, found that “supply chain leaders rank cyberattack risks at the top of their list of concerns, yet only 10% of them characterize the relationship between their function and IT as strategic.”
That is both ironic and troubling, since plenty of help is available for anyone who cares to use it.
Developing effective procurement language in contracts
It was more than three years ago that Mike Ahmadi, then director of critical system security at Synopsys (now vice president of transportation security at DigiCert), and George Wrenn, then CSO and vice president of cyber security for Schneider Electric (now founder and CEO of CyberSaint Security), offered extensive advice on how to develop effective procurement language, which is designed to hold a supplier or other third party contractually liable for the statements they make about the quality, reliability and—most of all—security of the software they are providing.
That ought to be fundamental since, as we all know, when people sign something, they tend to take it more seriously.
Using automated testing tools
Second, it is well known by now—the annual Open Source Security and Risk Analysis (OSSRA) report by Synopsys has been documenting it for years—that software today is assembled with up to 90% of the final code coming from a combination of open source and third parties.
An organization that doesn’t know, and test, what’s inside that code is asking for supply chain problems. And as Ahmadi pointed out back in 2016, doing that doesn’t have to mean laborious, time-consuming manual reviews. Instead, automated tools will help you do it more accurately and much faster.
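To make the "know and test what's inside that code" point concrete, here is an added example (not code from the article, from Synopsys, or from any of the tools it mentions) of the smallest useful software-composition check: it inventories the third-party components declared in a pip-style requirements manifest, then flags components that are not pinned to an exact version (so nobody can say which build actually ships) and components whose pinned version falls inside a known-bad range. The manifest and the advisory table are constructed for the demonstration; the advisory identifiers are placeholders, not real vulnerabilities. A production tool would do the same matching against a live vulnerability database and a full transitive dependency tree.

```python
"""Minimal software-composition check (added example, not from the article).
Parses a pip-style requirements manifest into a component inventory and
flags unpinned components and components in a (constructed) advisory range."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample manifest, the kind of file an automated tool would scan.
SAMPLE_REQUIREMENTS = """\
# web stack
flask==2.0.1
requests>=2.20
pyyaml==5.3.1   # pinned long ago and never revisited
itsdangerous
"""

# Constructed advisory data: component -> list of (low, high, note), meaning
# versions with low <= version < high are affected. These are NOT real
# advisories; the identifiers are placeholders that exist only to exercise
# the checker. A real tool would pull this from a vulnerability database.
FAKE_ADVISORIES = {
    "pyyaml": [((0, 0, 0), (5, 4, 0), "EXAMPLE-ADVISORY-1: placeholder entry")],
    "flask": [((0, 0, 0), (2, 0, 0), "EXAMPLE-ADVISORY-2: placeholder entry")],
}


@dataclass
class Component:
    name: str
    spec: str                       # operator plus version as written, "" if absent
    version: Optional[Tuple[int, ...]]  # exact version when pinned with ==, else None


# name, optional comparison operator, optional numeric version
_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9.]*)?")


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.3.1' -> (5, 3, 1); tuples compare correctly, unlike version strings."""
    return tuple(int(part) for part in text.split(".") if part != "")


def parse_requirements(text: str):
    """Build the component inventory from a requirements manifest."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        match = _LINE.match(line)
        if not match:
            continue
        name = match.group(1).lower()
        op = match.group(2) or ""
        ver = match.group(3) or ""
        pinned = parse_version(ver) if op == "==" and ver else None
        components.append(Component(name, op + ver, pinned))
    return components


def check_components(components, advisories=FAKE_ADVISORIES):
    """Return (component, reason) findings: unpinned specs and advisory hits."""
    findings = []
    for comp in components:
        if comp.version is None:
            # A range or bare name means the shipped build is not knowable
            # from the manifest alone, so it cannot be matched to advisories.
            findings.append((comp.name, "unpinned: cannot verify which build ships"))
            continue
        for low, high, note in advisories.get(comp.name, []):
            if low <= comp.version < high:
                findings.append((comp.name, note))
    return findings


def scan(text: str):
    """Inventory plus check in one call; returns the list of findings."""
    return check_components(parse_requirements(text))


if __name__ == "__main__":
    for name, reason in scan(SAMPLE_REQUIREMENTS):
        print(f"{name}: {reason}")
```

Running it against the constructed manifest reports `requests` and `itsdangerous` as unpinned and `pyyaml` as falling inside the placeholder advisory range, while `flask==2.0.1` passes because it sits above the flagged range. The two findings are deliberately different in kind: an advisory hit is something to patch, while an unpinned component is a gap in the inventory itself, which is exactly the condition the paragraph above warns about.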
“You could manually comb through and create test cases that could fuzz something at a protocol level,” he said. ”Or you could connect them to our automated testing tools, push the button, and wait.”