Listen to the Article
Software supply chain security is a paramount risk and compliance challenge in today’s digital landscape. Yet many corporations tackle it in a disorganized manner, leaving significant vulnerabilities exposed. On a more positive note, Gartner’s research shows that by 2027, 80% of institutions will apply specific processes and tools across their entire operations to address software supply chain security risks, a significant rise from about 50% in 2023.
This article outlines how security and risk management leaders can strengthen their defenses by using a simple three-part framework.
Address All Weak Points in the Software Lifecycle
Create a clear plan to improve Software Supply Chain Security (SSCS) that looks at all risks in the operation. This will require you to follow the three main steps to address curation, creation, and consumption. You are going to start by working with important stakeholders, including those in security, software engineering, procurement, and vendor risk management. Read on to learn how your company can develop and implement strong plans to fix any gaps in processes.
Key Attack Surfaces and Emerging Risks
Recently, several damaging attacks underscored the need to pay more attention to the security of the software supply chain. Breaches could cost a business billions of dollars, with estimates predicting growth of 200% to 138 billion USD by 2031. Here are some of the many problems that need your attention:
Software Development Environment: Attackers are breaking into development areas, secretly adding malware to the software that companies release. This is a serious risk to everyone’s digital safety
Malware in Code: In 2023, enterprises found malware in 245,000 open-source packages—double the amount discovered in all previous years since 2019
Open-Source Risks: About 90% of proprietary code uses shared components, and 74% of these have high-risk components
Neglected Open-Source Dependencies: Nearly half of public libraries have not been updated for over two years
These four data points clearly show the growing necessity for a unified strategy.
The Need for a Unified Strategy
According to the Gartner Technology Adoption Report, about 59% of leaders said they have either already launched or are in the process of enforcing new measures. Yet, field research reveals that organizations tackle only isolated facets of the issue, resulting in uncoordinated efforts marked by redundancy and inefficiency. Alarmingly, many are now reexamining their supply chain strategies. Moreover, 67% of participants affirmed their intent to reassess or had already begun to re-evaluate their security strategies as of May 2024.
To navigate these complexities, it is essential to view software supply chain security through a holistic framework encompassing three critical pillars: curation, creation, and consumption. This method helps pinpoint areas that need better protection and lowers risks during development and use.
The Three Cs of Security
Software supply chain security includes the important processes and tools used to build, manage, and use digital products. The following methods aim to prevent attacks and stop your own code from being used to help carry out attacks:
Curation focuses on carefully examining the dangers of third-party software. It ensures that the program is acceptable without compromising safety.
Creation focuses on secure development, protecting the solution, and strengthening the development process.
Consuming digital products helps prove their reliability and builds trust through careful checking, tracking the origin, and ensuring they are traceable.
Step 1: Curation
The efficiency of software development and its security depend largely on the curation pillar. At its core, curation is the process of rigorous evaluation of components to ensure they meet compliance standards. Early risk identification is the foundation of a proactive strategy to remove substandard and defective artifacts, thus reducing delays and other inconveniences.
To curate effectively, you can use different methods:
Curating a safe code repository lets developers work in-house without relying on outside resources. Sure, building a secure ecosystem takes a hefty investment in infrastructure, but it pays off big time, giving businesses solid support and dependable resources in the long run.
Automated curation tools and services like JFrog Curation, OpenText Fortify, Open Source Select, and Sonatype Repository Firewall provide efficient means of evaluating and controlling artifacts. They leverage a mix of proprietary research and public data to evaluate package risks. Firms can also opt for support services from providers like Red Hat or Tidelift for maintenance and updates.
Development teams, security experts, and open-source program offices handle curation tasks. Despite Gartner’s recommendations, many organizations fail to conduct proactive risk assessments due to poor protocols and a lack of awareness. Neglecting maintenance checks can lead to significant operational issues, including vendor risks and delays in fixes, prompting developers to seek alternatives.
Curation Action Plan
To enhance the curation pillar, implement the following activities:
Assess Dependencies and Artifacts: Check for weak points and dependencies before adding them to your code. Use a trustworthy database, perform assessments if you are relying on an open source, and even consider commercial subscriptions. Analyze risks like known vulnerabilities, license issues, and supply chain risks using tools and metrics like the Open Source Security Foundation Scorecard.
Acquire and Evaluate SSCS-Related Artifacts: Obtain key artifacts for Software Supply Chain Security (SSCS), such as Software Bills of Material (SBOMs), Vulnerability Exploitability eXchange (VEX) disclosures, and attestations of secure development practices from reputable vendors.
Test Code and Artifacts: Rigorously test code and artifacts to identify any malicious elements or vulnerabilities.
Implementing these strategies strengthens product design and enhances resilience against threats, fostering secure innovation.
Step 2: Creation
The development pipeline consists of key components that are prime targets for attacks, which usually kick off with phishing or credential theft. Cybercriminals often sneak in malicious code, mess with sensitive data, and swipe intellectual property. To stay ahead of these threats, companies need to follow tried-and-true frameworks that help protect against these nasty risks.
Creation Action Plan
In the creation pillar, there are four smart actions you can take that will really make a difference:
First, reassess dependencies before development to identify threats and set usage controls. Validate findings to detect unauthorized ones and improve incident response.
Second, perform risk assessments to reduce risks, especially when curation is weak, and enforce strict build process controls.
Third, use tools like Supply-chain Levels for Software Artifacts to apply rules and control access. Monitor direct system connections using Privileged Access Management (PAM).
And fourth, generate Software Bills of Materials and Vulnerability Exploitability eXchange disclosures during the build. Share them with internal teams and external partners to improve defenses and trust.
Step 3: Consumption
When acquiring a program, it is important to evaluate both commercial and open-source options. This helps identify and reduce risks, especially given that cyber attackers can insert harmful code into commercial software. Poorly maintained data with insecure dependencies creates significant technical problems and puts users at risk.
Gartner recommends three key activities to manage software-related risks linked to vendors:
Integrate security assessments in vendor risk management
Organizations should closely examine vendor practices using the National Institute of Standards and Technology’s Secure Software Development Framework. Collaboration between security leaders, procurement, and vendor risk management is crucial for thorough evaluations.
Demand transparency about software composition
Creating a Software Bill of Materials is essential for understanding the code’s makeup, including dependencies. Resources like the Open Source Security Foundation Scorecard project can help buyers assess vendors’ commitment to application safety.
Implement specialized testing to uncover malicious code
Techniques like sandboxing and traditional penetration testing can help detect threats. Before testing, it is a good idea to seek legal counseling. This will help you follow all current regulations.
Following these steps should ensure that your organization stays up-to-date with the latest 2025 defense programs and applications while strengthening trust in the software supply chain.
Consumption Action Plan
To make the consumption pillar work better, try these simple steps:
Streamline Processes and Leverage Technology: Use up-to-date tools and techniques to handle software bills of materials, vulnerability reports, and security docs more efficiently in the supply chain. This will help you get the info you need and boost your risk management game.
Establish Comprehensive Risk Policies: Create clear policies that define acceptable risks for commercial and open-source libraries. This should include:
Legal considerations tied to licensing terms
Indicators of tool health, guided by resources like the public code security foundation scorecard
Confirm Robust Attestations: Require attestation of adherence to secure digital product development practices, referencing frameworks like the Secure Software Development Framework and other relevant regulations.
Vigilantly Track Dependencies: Track both open-source and commercial programs used in your applications. This will help you quickly determine which systems are affected.
Implement Rigorous Active Testing: For high-risk systems, use methods like checking for vulnerabilities and testing for weaknesses. This helps ensure you meet legal and regulatory standards.
Adopting these strategies enhances software security and risk management, fostering resilience and trust in the technology you choose.
Key Takeaways
Attacks on supply chains, which include both proprietary and commercial code, create serious security, regulatory, and operational risks for organizations. The costs from these incidents are expected to rise sharply, from 46 billion USD in 2023 to $138 billion by 2031. That is why, all around the world, strict laws and regulations, along with informal industry guidelines, are pushing enterprises to take stronger steps to improve software supply chain security and address threats.
The Gartner survey showed that nearly two-thirds of firms have started or are planning these initiatives. However, despite all efforts, many intrusions and key metrics reveal significant gaps in your defenses, highlighting just how disjointed these projects are. Therefore, companies must start adopting a unified approach to improve their protection and reduce these critical risks. Luckily, you can find expert help and detailed articles on the topic, just like this one, so you know where and how to start — today.
