One of the first things a consumer organization should do is track what it’s using. Compile a Bill of Materials and get credible assurances from its producers that they are also tracking what they are using and keeping it up to date.
There is considerable, detailed advice available on how to do that. Here are a few useful sources.
Hold your producers responsible
Mike Ahmadi, former director of critical system security at the Synopsys Software Integrity Group (SIG) and now vice president of research at Farallon Technology Group, and George Wrenn, then CSO and vice president cyber security for Schneider Electric and now founder and CEO of ZenPrivata, offered extensive advice in a 2016 podcast on how to develop effective procurement language. That’s language designed to hold a producer or other third party contractually liable for the statements they make about the quality, reliability, and—most of all—security of the software they are providing.
That ought to be fundamental since, as we all know, when people sign something, they tend to take it more seriously.
Manage your open source with automated security testing tools
Second, it’s well known, and the annual Open Source Security and Risk Analysis (OSSRA) report by Synopsys has been documenting it for years, that software today is assembled: up to 90% of the final code comes from a combination of open source and third-party components.
An organization that doesn’t know, and test, what’s inside that code is asking for supply chain problems. And, as Ahmadi pointed out, an automated software composition analysis tool will examine it more accurately and much faster than any manual method.
“You could manually comb through and create test cases that could fuzz something at a protocol level,” he said. “Or you could connect them to our automated testing tools, push the button, and wait.”
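As an added illustration of the two points above (keep a bill of materials, then check it automatically), here is a small Python script that is not from Synopsys or any of the sources cited: it parses a CycloneDX-style SBOM and flags components whose versions fall inside an advisory's affected range. The SBOM contents, package names and advisory identifiers are all constructed, and the version comparison assumes plain dotted numeric versions.

```python
# Added example: audit a CycloneDX-style SBOM against an advisory list (all data constructed).
import json

# Constructed SBOM, CycloneDX 1.4 JSON layout trimmed to the fields used here.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1", "purl": "pkg:pypi/example-http@2.3.1"},
    {"type": "library", "name": "example-xml",  "version": "1.0.9", "purl": "pkg:pypi/example-xml@1.0.9"},
    {"type": "library", "name": "example-auth", "version": "4.1.0"}
  ]
}"""

# Constructed advisory feed: package, first affected version, first fixed version
# (fixed=None means no fix is published, so every version from "introduced" on is affected).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "example-xml", "introduced": "1.0.0", "fixed": "1.1.0"},
    {"id": "ADV-EXAMPLE-002", "name": "example-http", "introduced": "2.0.0", "fixed": "2.3.0"},
]

def parse_version(text):
    # Dotted numeric versions only; compare as integer tuples so that 1.10 > 1.9.
    return tuple(int(part) for part in text.split("."))

def is_affected(version, introduced, fixed):
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def load_components(sbom_text):
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return bom.get("components", [])

def audit(sbom_text, advisories):
    # Returns (name, version, advisory id) for every component inside an affected range.
    findings = []
    for comp in load_components(sbom_text):
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings

def missing_purls(sbom_text):
    # A component with no package URL cannot be matched reliably against vulnerability data.
    return [c["name"] for c in load_components(sbom_text) if "purl" not in c]
```

Real composition analysis tools match package URLs against live vulnerability feeds rather than a hand-written list; the missing_purls check shows why a BOM entry without an identifier is a gap in the inventory rather than a tracked dependency.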
Learn what others are doing and what works
The Building Security In Maturity Model (BSIMM) is an annual report that helps organizations grow and improve their software security initiatives by documenting what other organizations in their industry vertical are doing and what works. The authors of that report also provide the BSIMMsc (formerly called vBSIMM), focused on software supplied by third parties.
Sammy Migues, principal scientist at the Synopsys SIG and a coauthor of the BSIMM, noted in a white paper that the BSIMMsc “leverages attestation and automation to function as a foundational security control for software supply chain risk management.” Put a bit more simply, it helps organizations avoid software vendors that are less vigilant.
Michael Fabian, principal consultant at the Synopsys SIG, recommends that consumers “engage in a risk discovery and framing exercise, following frameworks outlined by international standards bodies.”