Think of the software supply chain as every software element in your organization—from software development of internal systems to open source or third-party enterprise software to vendors, partners, and even past suppliers who still hold access to company data or IT systems. Attacks on this software supply chain can damage individual departments, organizations, or entire industries by targeting and attacking insecure elements of your software fabric.
At the Modern SOC Summit, George Gerchow, Chief Security Officer at Sumo Logic, and John Visneski, CISO at Accolade, dove into this hugely important topic of supply chain security.
Six degrees of security ecosystems
The discussion started with a look at attack vectors for software supply chains: internal development, open source software, vendors and partners. Throughout the chain, you need to work with every team to protect your internal and external customers and the entire ecosystem. As George states, “You’re only as strong as the weakest link in your security fabric.”
In a pop-culture twist on the complexity of the supply chain, John thinks of it as ‘six degrees of cyber Kevin Bacon’ indicating that “Not only do you need to be concerned about your direct third parties, you also have to be concerned about how they manage vendors, their ecosystem, and their environment.”
Building security relationships
That complexity can grow into an exponential problem as you grow as an enterprise, which is why partnerships are so important in protecting the supply chain. Whether internal or external, it’s all about establishing trust and transparency. “If something is going wrong,” George says, “you need to let your partner know and get it out in the open then work together to mitigate the situation.” Having a one-to-one relationship with each of your vendors or partners is also key, according to John: “You want to build a solid relationship that goes way beyond contracts and payments. You want open communication and transparency.”
Today’s organizations don’t just have a single development team, as John pointed out. There are multiple, agile teams across business operations and verticals, and you need to have relationships with those teams, such as your developers and engineers, to educate them as to best practices when it comes to open source platforms and third-party software. For example, in looking at something like open source software, you want to have an honest risk vs. reward analysis with the team.
At Sumo Logic, the focus is on the overall security posture, baking security into the DNA of the company, not just for the security team, not just the compliance team, but making Sumo a security-first company, both internally and externally. And that definitely includes working closely with partners who store or process data on behalf of the enterprise.
John explains that Accolade takes a “tooth to tail” approach to cybersecurity, focusing on the customer’s experience with Accolade. “From the second they log on,” he says, “they need to have an understanding that their data is going to be protected.” Accolade expects that vendors providing professional services need to share that mindset that security is the core of their business relationship with the company.
Sumo Logic has built a world-class SaaS-based internal security program. George explains that the security team has worked very closely with the community to outline use cases for capabilities and this drives automated security and compliance towards certifications and attestations, all the way to trusted auditors. And, of course, they feed all of it into Sumo.
John sees the ecosystem like an orchestra that needs to work together. Not everyone is going to be the first chair violinist, he pointed out, but you need the other violins and the rest of the orchestra to make that first chair shine. So, too, in the supply chain: you need to understand how each element supports the other elements. It’s figuring out how to support those “first chair” elements—the core elements of your architecture—with which tools and how many layers.
Defense-in-depth used to be the first layer of protection, moving on to least privilege, and now we’re moving towards zero trust as a framework. It’s really important, George believes, to start outlining and setting those types of goals.
“Tun in” to the rest of the conversation...
Listen in as George and John continue the discussion about supply chain security, including:
The pros and cons of bug bounties
Access management and zero trust
Compliance and policy management
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.