Supply Chain Economics and Security

Posted on February 5, 2020
Author: RunSafe Security

Let’s face it, supply chains are complex and distributed. Operations matter, and for some it is truly a miracle how many coordinated parts come together into a seamless operation.  In fact, some manufacturers have tens of thousands of suppliers, from raw materials to hardware to firmware to software and everything in between. 

As companies continually increase automation to make supply chains faster and more efficient, the introduction of these innovations almost always includes new software.  Inevitably, these innovations also increase a company’s cyber attack surface. A massive challenge is to incorporate effective cybersecurity in the supply chain so that deployed products and systems are resilient and safe while maintaining high quality and minimizing costs. 

So, what does it take to really build security into the supply chain while keeping the processes efficient?

Inefficient Ways to Incorporate Security

One factor that drives security adoption in the supply chain is compliance. Manufacturers invest in processes that achieve security compliance, but these methods can be inefficient and ineffective as they are the minimum levels of effort to meet a government or industry security standard.

Here are three examples:

  • Cyber Assessments:  Consider the effort involved in reviewing each security posture for thousands of suppliers. Cybersecurity subject matter experts will assess compliance to a standard and develop agreed-upon plans to improve compliance over time. These projects can be time-consuming, onerous, and expensive. Moreover, they often rely on paper-based checklists and subjective assessments, outdated before they are published and minimally effective against preventing real cyber threats.  
  • Penetration Testing:  Another common effort is to conduct regular penetration testing. Naturally, pen testing can identify vulnerabilities that need to be resolved – but often, once the testing is done, the organization cannot allocate resources to fix the problem, so they often find the vulnerability still exists in the next penetration testing cycle. Further, pen testing third-party software, especially in a multi-stage supply chain, only gets you halfway there. Once vulnerabilities have been documented, there’s a whole additional cycle of submitting to suppliers, prioritizing fixes, receiving and installing patches, etc. Not only is the problem multiplied by the number of suppliers, but with an exponentially rising level of effort due to interdependencies. 
  • Patch Management: Another best practice in securing the supply chain is to implement sound and reliable security hygiene processes. But many organizations cannot reach all systems that need to be patched or do not agree on what is a high priority fix sufficient to take down an operational system, even temporarily. And we know (with the continued prevalence of zero-day bugs) that patching never fixes all the vulnerabilities as many exist in the wild waiting to be discovered in the first place.  

Said another way, even if you implement best practices for cyber assessments, penetration testing, and patch management, your processes may be compliant, but your operational systems may not be secure, let alone resilient.

Efficiency = Security Built In

Here are three steps to increase security in your software supply chain efficiently:

  • Integrate DevSecOps Efforts:  One massive opportunity is redefining software development processes to use containers, so that code built-in one software “factory” is both secure and portable to systems in other parts of the supply chain.  This strategy is central to the US Department of Defense’s effort to make secure software development a strategic advantage for national security.  Led by Nicolas Chaillan, Chief Software Officer of US Air Force, the DoD has demonstrated that even one of the world’s most complex software environments can build code efficiently, maintain standards, and secure its products from cyber attacks.  If the DoD can do it, so can Boeing, Lockheed Martin, Ford, General Electric, Siemens, Schneider Electric, Samsung, Cisco, Avaya, Dell, and all the other great manufacturers.
  • Immunize Software:  In a similar way, embedded software is challenging to secure because, as MITRE and DHS relay in this year’s Top 25 Most Dangerous Software Errors, memory-based vulnerabilities are the greatest threat to software, both in terms of the number of vulnerabilities and the severity of the attack.  Instead of spending even more cycles analyzing code, which slows down developers, and managing patches, deploy proven methods to build security protections directly into software development build and deploy toolchains, neutralizing memory vulnerabilities.  Industry leaders like Vertiv, Avocent, and GE Aviation, among others, have already adopted this game-changing approach to automate security protections into software code using RunSafe’s Alkemist. 
  • Key Management:  Implementing device and process identity management, multi-layer code signing, and cryptographic verification of authenticity, integrity, and provenance of software, settings, and data all rely upon modern, robust cryptographic key management.  But building this functionality and key management into your build and deploy processes can be complicated, onerous, technically challenging, and prone to mistakes. Next-generation distributed key management technology from companies like Virgil Security, combined with their easy to deploy SDKs,  automates and synchronizes code signing across your processes at multiple layers to build trusted code that is signed at all the layers, without slowing down supply chain production.  

Organizations that invest in any or all of these tactics to “shift left” and build security into their code will be more efficient and more secure while staying in compliance.   At RunSafe, everything we do is designed to disrupt hacker economics by instantly and effortlessly immunizing software without developer friction.

Click here to connect with our team or to start a 30-day trial of Alkemist now.

Security and Memory Threats