{"id":4883,"date":"2024-01-09T14:46:24","date_gmt":"2024-01-09T14:46:24","guid":{"rendered":"https:\/\/itegriti.com\/kw022024\/?p=4883"},"modified":"2024-01-09T14:58:13","modified_gmt":"2024-01-09T14:58:13","slug":"using-sboms-to-reduce-third-party-risks","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2024\/compliance\/using-sboms-to-reduce-third-party-risks\/","title":{"rendered":"Using SBOMs to Reduce Third-Party Risks"},"content":{"rendered":"

Summary: As digital software supply chains explode, a wave of new third-party risks is introduced into some of the most sensitive ecosystems, including government and critical infrastructure. SBOMs are quickly gaining momentum as a primary way to expose weaknesses in the supply chain and decrease supply chain threats. <\/em><\/p>\n

Since President Biden\u2019s 2021 Executive Order<\/a> made Software Bills of Materials mandatory for federal contractors, SBOMs<\/a> have become an increasingly high agenda priority for security departments of all industries. With supply chain threats predicted to cost the world $60 billion<\/a> annually by next year, they have become a bigger focus. So, how do SBOMs reduce third-party risks<\/a>, and how can critical infrastructure sectors leverage them to their best advantage?<\/p>\n

The Steady Growth of Supply Chain Threats<\/h2>\n

According to Gartner predictions, nearly half (45%<\/a>) of the world will have experienced an attack on their software supply chain by 2025. This is three times the number affected in 2021.<\/p>\n

Several factors account for the increase. Digital supply chain attacks give attackers a high ROI. Think of all the \u201cfree\u201d damage done by Log4j; 40%<\/a> of global networks were jeopardized from a single CVE. Additionally, hyper-distributed environments, remote work, and cloud migration have forced digital supply chains to become longer, more far-flung, and even more intricately connected. This adds to the \u201cmore bang for your buck\u201d appeal, along with force-multiplying attack vectors, places to hide, and statistical chances for error.<\/p>\n

With this in mind, cybercriminals are unleashing more venom into the digital supply chain than ever before, particularly in open-source ecosystems. One industry report notes that the number of malicious packets uploaded to public component registries has tripled<\/a> in the past year. According to the same report<\/a>, \u201cThis pace of growth is astonishing. It signals the role of the supply chain as one of the fastest-growing vectors for adversaries to execute malicious code. Furthermore, we have seen an increase in nation-state actors leveraging these vectors.\u201d<\/p>\n

That meteoric rise in third-party incidents has prompted a harder look at the security levers that could secure the supply chain, particularly SBOMs.<\/p>\n

SBOMs: Defending from the Inside Out<\/h2>\n

While SBOMS are mandatory for any agency selling software to the federal government, they are a growing best practice that is becoming less of a \u201chave to\u201d and more of a \u201cwant to\u201d. With the expansion of digital supply chains, SBOMs have now become an integral part of attack surface management<\/a>.<\/p>\n

Russell Jones, a partner with Deloitte & Touche LLP, U.S. Cyber and Strategic Risk Practice, explained why in an article in WIRED<\/a>. Describing the problem, he states, \u201cTo understand the cyber risk present in software products throughout the supply chain, an organization needs visibility into the components that make up the software product. If a malware or ransomware attack occurs in an Internet of Things (IoT) device or commercial off-the-shelf (COTS) product, companies have a complex web of software vendors to investigate and identify vulnerabilities among a multitude of open source and third-party software components.\u201d To counter that blinding web of software-origin complexity, \u201cSBOMs are like \u2018ingredient\u2019 lists that can help security analysts (and adversaries just the same) more easily identify potentially impacted\/vulnerable components\u201d among so many.<\/p>\n

SBOMs and Critical Infrastructure<\/h2>\n

Critical infrastructure sectors particularly stand to benefit from this degree of build-level transparency.<\/p>\n

Healthcare has been leading the charge to standardize and utilize SBOMs to their fullest, resulting in safer IoT medical devices<\/a> in the field. Now, device manufacturers are creating machine-readable SBOMs that provide useful information for vulnerability management and incident response to hospital-based I.T. teams.<\/p>\n

Other sectors have just as much need for SBOMs, if not more. As much as 90%<\/a> of products used by U.S. electric utilities contain components from China or Russia, which were three times more likely to contain critical vulnerabilities. Disconcertingly, Dark Reading<\/a> reports that new research reveals that those vulnerabilities can \u201clie in wait\u201d for up to three years. Not a comforting thought.<\/p>\n

That\u2019s why critical infrastructure needs to start making the transition. Admittedly, there is much legacy architecture within the O.T. of current CNI sectors<\/a>. However, as Sounil Yu<\/a>, CISO of JupiterOne, says, \u201cLegacy software without an SBOM is like a can of food from the 1920s without an ingredient label. Consume at your own risk.\u201d<\/p>\n

That\u2019s why new legislation makes SBOMs a must for government agencies. The U.S. Army is already considering proactive ways of using them to shore up their vast supply chain<\/a>, stating in their recent RFI that SBOMs would \u201cprovide increased fidelity into the Army software supply chain to query components on-demand and target mitigations for high-risk software components\u201d as well as \u201cenhance the security of the Army\u2019s software supply chain and enable proactive risk mitigation.\u201d<\/p>\n

Moving forward, the future is bright as third-party risk reduction increasingly becomes the rule, not the exception. Early adopters will find the doors to government contracts open to them, perhaps finding fewer compliant competitors than before.<\/p>\n

Itegriti\u2019s expertise lies in securing some of the nation\u2019s largest critical infrastructure sectors<\/a> and can help you (and your supply chain) stay compliant with current government regulations. Our Product Security Platform generates SBOMs in multiple formats to expose lurking visibilities in your software supply chain and clamp down on burgeoning third-party threats.<\/p>\n

ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.<\/p>\n

Contact Us: https:\/\/itegriti.com\/kw022024\/contact\/<\/a><\/p>\n

ITEGRITI Services: https:\/\/itegriti.com\/kw022024<\/a><\/p>\n<\/div>