Supply chain security in 2022

The SolarWinds and Colonial Pipeline security breaches are two (of many) incidents that have made supply chain attacks go mainstream. The primary challenge for businesses is that supply chain defense isn’t easy given the hundreds, if not thousands of entry points that need to be monitored along the way. But there are best practices that can help reduce the risk of supply chain attacks when coupled with a well-planned strategy for working with suppliers and vendors. 

Taking the broad view of supply chains

A supply chain encompasses a broad range of relationships – it’s not just what we normally think of as getting physical goods or components from A to B. Every company has a supply chain even if it may not carry that label, because it includes all of the partnership and business relationships an enterprise might have. In fact, a supply chain can refer to any product (software or hardware) and services that are used to develop a company’s own product or service. You want to make sure that partners’ systems, and any systems that have access to your network, are properly secured to reduce the risk of compromise and outages. 

When we talk about software as part of the supply chain, that could mean a software development team working with third parties who submit code to your system. It could also mean buying IT products or code from third party sources that are integrated into the code base.

Once you see the “big picture” of your supply chain, you can set targeted supply chain security goals: ensure that every product coming in – software you buy and use, code that someone else has developed, or services used – is secure and follows good security practices. 

Code management

Whether you use code that’s been developed by internal teams or from external sources, it’s important to make sure the code management process is validated. It’s especially important when working with sources outside the enterprise to keep signing keys and certificates secure to ensure authenticity. 

Here are three key questions you should be able to answer about managing source code and software products (spoiler: the answer to all three should be “yes”). Vetting these answers carefully will help ensure source code will not create a vulnerability once it’s deployed.

  1. Is there a source code management system (SCM) in place? A proper SCM will make sure code versions are properly managed and that every person who signs in to the system is authenticated with the appropriate permissions. An SCM will timestamp code and log its movements so that it cannot be maliciously manipulated at any point without detection. The SCM must be well managed so that it establishes a chain of custody that makes the code trustworthy. 
  2. Are code commits and code properly signed? Signing should be used to protect all types of software modules and executables, including software drivers, applications, installation files, scripts and firmware modules in vehicles or industrial systems. Code signing and code commit signing should be a required capability of your SCM system. Once a system is in place, ensure that all your developers are properly set up to sign their code commits. Here is a quick tutorial on how to sign commits in GitHub. 
  3. Is there a software “bill-of-materials” (SBOM) that identifies components and where they came from? In a time when developers are very busy and there is so much open-source code available, it is critical to know where your code is coming from. Not all open-source code is created equal, and attackers have taken advantage of known vulnerabilities. If open-source code is being used, it should be disclosed. Identifying open-source components will allow you to more quickly address any vulnerabilities that may arise in the future, whether that is code you manage or from purchased software. Given that this is such a concern, new government software development requirements are focusing specifically on SBOM to reduce security risk.
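Questions 2 and 3 above are the ones a build pipeline can enforce mechanically: refuse a change unless every commit carries a good signature from a known developer, and refuse a build unless every SBOM component discloses its origin and is clear of known advisories. The following is an added example (not Yubico’s code, and not tied to any specific SCM product) of such an admission gate. It assumes the signature statuses come from `git log --format='%H %G? %GS'`, whose `%G?` letter codes (G, B, U, X, Y, R, E, N) are git’s own, and that the SBOM is a CycloneDX-style JSON document; the git log lines, the signer roster, the SBOM and the advisory identifiers below are all constructed placeholders.

```python
"""Supply chain admission gate (added example, not from the original article).

Two checks a CI pipeline can run before accepting a change:
  1. every commit in the range carries a good signature from an allowed signer
     (input: output of `git log --format='%H %G? %GS' base..head`, constructed here)
  2. every SBOM component discloses its origin and has no known advisory
     (input: a CycloneDX-style JSON document, constructed here)
"""
import json

# git's %G? signature status codes; only "G" (good, trusted) is acceptable.
GOOD_SIGNATURE = {"G"}
REJECT_REASON = {
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "cannot check signature (key missing?)",
    "N": "no signature",
}

# Constructed sample of `git log --format='%H %G? %GS'` (hashes and names are made up).
SAMPLE_GIT_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 G alice@example.com
b2c3d4e5f60718293a4b5c6d7e8f90123456789a N
c3d4e5f60718293a4b5c6d7e8f90123456789ab1 G mallory@example.com
d4e5f60718293a4b5c6d7e8f90123456789ab1c2 U bob@example.com
"""

# Hypothetical roster of developers whose signing identities are enrolled in the SCM.
ALLOWED_SIGNERS = {"alice@example.com", "bob@example.com"}

# Constructed CycloneDX-style SBOM: one clean component, one with a known advisory,
# one with no package URL or supplier (origin not disclosed).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "widget-parser", "version": "1.3.0",
         "purl": "pkg:npm/widget-parser@1.3.0", "supplier": {"name": "npm registry"}},
        {"type": "library", "name": "oldlib", "version": "0.9.1",
         "purl": "pkg:npm/oldlib@0.9.1", "supplier": {"name": "npm registry"}},
        {"type": "library", "name": "vendor-sdk", "version": "2.0.0"},
    ],
})

# Constructed advisory feed keyed by package URL; the identifier is a placeholder.
KNOWN_VULNERABLE = {"pkg:npm/oldlib@0.9.1": "ADVISORY-PLACEHOLDER-0001"}


def check_commit_signatures(git_log: str, allowed_signers: set[str]) -> list[str]:
    """Return one finding per commit that violates the signing policy."""
    findings = []
    for line in git_log.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=2)          # hash, status, signer (may contain spaces)
        commit, status = parts[0], parts[1]
        signer = parts[2] if len(parts) > 2 else ""
        if status not in GOOD_SIGNATURE:
            reason = REJECT_REASON.get(status, f"unknown status {status}")
            findings.append(f"{commit[:12]}: {reason}")
        elif signer not in allowed_signers:
            findings.append(f"{commit[:12]}: signer {signer!r} not in allowed list")
    return findings


def check_sbom(sbom_json: str, known_vulnerable: dict[str, str]) -> list[str]:
    """Return one finding per component with undisclosed origin or a known advisory."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        purl = comp.get("purl")
        if not purl or not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: origin not disclosed (missing purl or supplier)")
        if purl in known_vulnerable:
            findings.append(f"{label}: known advisory {known_vulnerable[purl]}")
    return findings


def admission_gate(git_log: str, sbom_json: str, allowed_signers: set[str],
                   known_vulnerable: dict[str, str]) -> tuple[bool, list[str]]:
    """Combine both checks; the change is admitted only when there are no findings."""
    findings = check_commit_signatures(git_log, allowed_signers)
    findings += check_sbom(sbom_json, known_vulnerable)
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = admission_gate(SAMPLE_GIT_LOG, SAMPLE_SBOM, ALLOWED_SIGNERS, KNOWN_VULNERABLE)
    print("PASS" if ok else "FAIL")
    for finding in findings:
        print(" -", finding)
```

On the constructed sample the gate fails with five findings: an unsigned commit, a good signature from a signer who is not on the roster, a signature from an untrusted key, a component with a known advisory, and a component whose origin is undisclosed. Note that “U” (good signature, untrusted key) is rejected deliberately: a valid signature only establishes chain of custody when the key is one the SCM has enrolled for that developer.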

Prepare for a wave of regulation in 2022

If you can provide detailed answers to most of the questions above, you already have a head start on preparing to meet new secure software supply chain guidelines in response to the Biden administration’s executive orders for companies that provide software to the US government. They call for all forms of code to be protected from unauthorized access and tampering. Phishing-resistant MFA and signing code commits are important security controls to improve supply chain security posture and meet compliance needs. Providing more visibility into what components are being used and how code is securely managed will improve overall security and increase the level of trust with users. 

——

To learn more about how to secure your supply chain, register for Yubico’s upcoming webinar on March 3, “Securing America’s Supply Chain.” Additionally, you can find more information on how YubiKeys are FIPS compliant here.
