Why Software Security is Most Important
By Dr. Edward G. Amoroso, Founder & CEO, TAG Cyber
The modern supply chain has become an essential component of every company’s IT infrastructure, regardless of its size or industrial sector. Unfortunately, supply chain managers have tended to ignore basic issues of cyber security. In the years preceding its recent cyber attack, for example, Target implemented a supply chain portal that allowed anyone with a browser to identify its vendors and this included the HVAC vendor that was the source of the attack. While no generally accepted methodology exists to fully address supply chain risk, some useful security techniques have begun to emerge in practice.
While it may seem obvious that supply chain issues require governance, many companies simply do not establish such structure. Supply chain security governance must be focused on one mission – namely, to guide and oversee the reduction of cyber risk throughout the supply chain lifecycle. Governance teams must ensure that accurate information is available on supplier inventory and vendor mix. They must also obtain information on relevant geographic and political issues for off-shoring projects.
Vendors delivering functionality must agree to contractual provisions that expressly prohibit intentionally hidden functionality or undocumented features. For many years, vendors felt comfortable hiding back doors for emergency access or including whimsical features hidden by developers. This is not a reasonable practice and supply chain managers must be clear that it will not be tolerated. Clauses should include consequences if back doors, Trojan horses, or other integrity-degrading functions are discovered at a later date.
Software engineers agree that it is impossible to find a well-placed Trojan in software. They also agree that testing can demonstrate the presence of problems, but never their absence. In spite of these limitations, supply chain acceptance processes should still include static checking of coding practices and software design. Acceptance processes should also include dynamic software tests that perform security functional checks along with heuristic and brute force penetration tests. At minimum, this testing will help keep vendors on guard.
Free exchange of supply chain-related information between different organizations about the integrity of vendor-provided products is not common. In fact, the details of a specific engagement with a supplier are considered highly proprietary in most companies. Supply chain managers must take steps, however, to change this situation by increasing their level of information sharing with peer organizations. By comparing notes and lessons learned on individual experiences, systemic integrity problems with a vendor could be brought to light more quickly across the community.
Because the basic concept of open source software is so new and innovative, the corresponding supply chain management process must be completely redesigned. In particular, rather than overseeing the work of a vendor, open source supply chain management requires active, trustworthy participation and contribution to the open source project. Only then can a company begin gauge the level of quality in the code and reasonableness of the solution for a given mission. Even in companies that reject the use of open source, vendor products are increasingly integrated open source into their proprietary solutions.
Under appropriate circumstances, and under the guidance of a competent legal advisor, certain types of controlled deception might help a supply chain team measure the trustworthiness of a vendor. For example, a buyer might request assistance under presumed duress, pleading with a vendor to utilize any hidden back door available to deal with the emergency. If the vendor complies, then the buyer has located a back door. Another example might involve purchasing a twice product, but for different objectives. If differences are identified, then an integrity issue might exist with the vendor.