The Possible Threats That Come With Procurement and Acquisition
There are possible threats, and potential mitigation measures, at each stage of the software supply chain. At the first stop, procurement and acquisition, threats are numerous without proper product evaluation. Undocumented features, malicious or risky code, and vulnerable code or components could leave openings for bad actors to compromise machines and spread malicious programs. A product also could have changed ownership or control, leaving assessors unable to properly evaluate it. Limited or no visibility into product components or requirements leaves assessors unable to make informed decisions and proper evaluations.
Mitigating these threats involves a thorough product evaluation, which ensures that the software complies with the organization's standards. During product evaluation, CISA stresses the importance of verifying the contents of the SBOM against the product under evaluation. Other mitigation measures include applying the same evaluation to the third-party suppliers identified in the SBOM, and continuously vetting external evaluation labs and verifying their independence.
How to Protect Yourself During Deployment
Deployment is the next stage of the cycle, and it should begin only after the appropriate precautions have been taken before accepting a product from a supplier or developer. At this point, functional testing of the product opens organizations up to several threats, such as product functionality changing without anyone noticing, or the product containing unverified or unknown components. To protect against these unknowns, CISA recommends preserving the tests and the test environment for future reference and reuse, as well as verifying the contents of the SBOM against the product under evaluation.
After evaluation, the next step of the deployment stage is integration, where IT teams establish processes for implementation and subject the product to further testing, such as interoperability and production security testing. Threats at integration include undocumented software modifications, a supplier's inability to support the product after customer modifications, and products that hide malicious functionality. Internal product modifications, where testers use their own tools rather than the enterprise tools under which the product will actually be deployed, constitute another threat at this point. Mitigating threats during integration should include using multilayered defenses (such as zero trust), using test credentials instead of real identities during testing, making the test environment as realistic as possible, and continuously monitoring and reviewing the test environment.
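Both the procurement check above and this functional-testing check come down to the same concrete task: confirming that what the SBOM claims matches what was actually delivered, in both directions. The script below is an added illustration of that task and is not drawn from CISA's guide or from any vendor tool. It assumes a CycloneDX-style JSON SBOM whose components carry SHA-256 hashes, and a delivery that is a set of files; the SBOM, the files and the hashes are all constructed inline (one hash is deliberately wrong, one component is not shipped, one shipped file is not listed, and one listed component has no hash) so that the script runs offline and exercises every outcome a reviewer needs to distinguish. In a real evaluation the SBOM comes from the supplier and the hashes are computed over the delivered artifacts.

```python
"""Verify a CycloneDX-style SBOM against delivered artifacts.

Added example, not CISA's or any vendor's code. Assumes the SBOM lists
file-level components with SHA-256 hashes and that the delivery is a set
of files (constructed in memory here so the script runs offline).
"""
from __future__ import annotations

import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact as lowercase hex, the form SBOMs use."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample delivery: file name -> file contents.
DELIVERED_FILES = {
    "libparser.so": b"parser build 1.4.2\n",
    "vendor-cli": b"cli build 2.0.0\n",
    "libz.so.1": b"zlib 1.2.13\n",
    "libtelemetry.so": b"undocumented component\n",  # shipped but not in the SBOM
}

# Constructed CycloneDX 1.4-style SBOM. Only libparser.so's hash is correct;
# in practice the supplier provides this document, not the evaluator.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libparser.so", "version": "1.4.2",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(DELIVERED_FILES["libparser.so"])}]},
        {"type": "application", "name": "vendor-cli", "version": "2.0.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},  # wrong hash
        {"type": "library", "name": "libcrypto.so", "version": "3.0.9",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},  # listed, not shipped
        {"type": "library", "name": "libz.so.1", "version": "1.2.13"},  # no hash at all
    ],
})


def load_sbom_components(sbom_json: str) -> dict[str, str | None]:
    """Map component name -> expected SHA-256 hex, or None if the SBOM gives none."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    expected: dict[str, str | None] = {}
    for comp in sbom.get("components", []):
        digest = None
        for h in comp.get("hashes", []):
            if h.get("alg", "").upper() == "SHA-256":
                digest = h["content"].lower()
        expected[comp["name"]] = digest
    return expected


def verify_sbom(sbom_json: str, delivered: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the SBOM's claims with what was delivered.

    Returns five sorted lists:
      verified     - listed, present, hash matches
      mismatched   - listed, present, hash differs (tampered or wrong build)
      missing      - listed in the SBOM but not delivered
      undocumented - delivered but absent from the SBOM
      unverifiable - listed without a SHA-256, so the claim cannot be checked
    """
    expected = load_sbom_components(sbom_json)
    report: dict[str, list[str]] = {
        "verified": [], "mismatched": [], "missing": [],
        "undocumented": [], "unverifiable": [],
    }
    for name, digest in expected.items():
        if name not in delivered:
            report["missing"].append(name)
        elif digest is None:
            report["unverifiable"].append(name)
        elif sha256_hex(delivered[name]) == digest:
            report["verified"].append(name)
        else:
            report["mismatched"].append(name)
    for name in delivered:
        if name not in expected:
            report["undocumented"].append(name)
    for bucket in report.values():
        bucket.sort()
    return report


def accept_for_deployment(report: dict[str, list[str]]) -> bool:
    """Gate: any mismatch, missing or undocumented component blocks acceptance.
    Unverifiable components do not block here but must be chased with the supplier."""
    return not (report["mismatched"] or report["missing"] or report["undocumented"])


if __name__ == "__main__":
    result = verify_sbom(SBOM_JSON, DELIVERED_FILES)
    for category, names in result.items():
        print(f"{category:13}: {names}")
    print("accept for deployment:", accept_for_deployment(result))
```

The two-way comparison is the point: a hash mismatch or a listed-but-absent component is the obvious finding, but a shipped file that the SBOM never mentions is exactly the "unknown component" the deployment stage warns about, and a component listed without any hash should be reported as unverifiable rather than silently passed. The report is what you would keep alongside the stored tests and test environment, and each third-party supplier it names is a candidate for the same evaluation.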
How to Best Maintain the Security of Software Operations
Once a product is evaluated, tested and deployed, the end user or other responsible parties must contribute to maintaining the security of the software across the enterprise. At this point, environments are vulnerable when anomalous behavior (which may indicate security exposures) isn't noticed or reported by users.
To mitigate threats, CISA says customers need policies and mechanisms to recognize and mitigate threats encountered through the software. This means users should report any bugs or anomalies to their IT departments as soon as possible. Customers also must teach employees how to recognize and report potential threats. Additionally, customers need the ability to disable or isolate a particular product, and they should have a way to inform all users of product anomalies and security threats.