How to cybersecurity: Software supply chain security is much bigger than you think

By Jonathan Knudsen - Senior Security Strategist, Synopsys Software Integrity Group | Thursday, March 24 2022 - 13:30 IWST

My wife and I have four children, which means we’ve done a ton of shopping at Costco over the years. First it was diapers, then cereal, then every other kind of food, all of which provided significant savings for our family of six. 

Costco sells plenty of other stuff too, and for whatever reason I am always tempted to get that gazebo, or that sectional couch, or that pair of kayaks. 

The thing about Costco, though, is that it is a cavernous warehouse, which creates The Costco Effect: everything looks smaller than it really is. If I ever bought that gazebo, I wouldn’t be able to fit it in my back yard. If I ever got that couch, I might be able to fit it in my family room, but I probably wouldn’t have space to walk. 

The Costco Effect applies on a smaller scale, too: it might seem like a good idea to buy 24 rolls of toilet paper (what a great price!), but do you have the space to store it? 

Components of the software supply chain

Software supply chain security is similar. You hear about it or read about it, and it makes sense, and you think you have understood. But when you take it home and try to apply it to your own organisation and your own processes, you realise it is much bigger than you thought. 

The software supply chain is everything from the idea of the application all the way through to customers using it. 

The part that everyone understands is how third-party components are used as building blocks to assemble an application. These components are almost always open source software components, although third-party commercial components are also sometimes used.

It’s clear that the security of these components has a direct impact on the security of the assembled application. Software composition analysis (SCA) tools like Black Duck® do a good job of helping development teams keep track of their components and manage risk from both a vulnerability perspective and a licensing perspective. 

However, managing risk in the software supply chain also means security must be considered at the time of component selection. When developers are creating new functionality, they might choose a component to be included in the application. The development process needs to have some safeguards so that when developers choose components, they base that choice on risk and not solely on functionality. 

Furthermore, where do the components come from? Developers have available to them a variety of technologies that easily retrieve components, such as npm or Maven. Can you trust these? What if the component repository is compromised? How do you know you’re getting the thing you asked for? A comprehensive security process addresses these questions. 
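One concrete answer to "how do you know you're getting the thing you asked for?" is the integrity pin that lockfiles such as npm's package-lock.json record for every resolved artifact: a Subresource Integrity (SRI) string like `sha512-<base64 digest>` captured when the dependency was first locked, which the installer recomputes over the bytes it actually fetches. The Python below is an added illustration written for this article, not Synopsys or npm code; the registry allowlist, the package name and the tarball bytes are constructed, and the only real convention it relies on is the SRI string format. It models the two moments that matter: lock time, when the digest is recorded, and install time, when a fetched artifact (possibly altered by a compromised repository or mirror) is checked against that record.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Hash algorithms the SRI specification allows; weaker ones (md5, sha1) are rejected.
SRI_ALGORITHMS = {"sha256", "sha384", "sha512"}


def sri_digest(data: bytes, algorithm: str = "sha512") -> str:
    """Return an SRI-style integrity string such as 'sha512-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check fetched bytes against a recorded integrity value.

    The field may hold several space-separated hashes. As in the SRI spec, only
    hashes of the strongest supported algorithm present are consulted, so an
    attacker cannot satisfy the check by appending a weaker matching hash.
    """
    candidates = []
    for token in integrity.split():
        algorithm, _, b64 = token.partition("-")
        if algorithm in SRI_ALGORITHMS and b64:
            candidates.append((algorithm, b64))
    if not candidates:
        return False  # nothing verifiable recorded: fail closed, never fail open

    bits = lambda alg: int(alg[3:])  # 'sha512' -> 512, used to rank strength
    best = max(bits(alg) for alg, _ in candidates)
    actual = hashlib.new(f"sha{best}", data).digest()
    for algorithm, b64 in candidates:
        if bits(algorithm) != best:
            continue
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if hmac.compare_digest(actual, expected):  # constant-time comparison
            return True
    return False


def check_lock_entry(entry: dict, fetched: bytes, trusted_hosts: frozenset) -> list:
    """Return a list of problems with a lockfile entry (empty list means it passes)."""
    problems = []
    resolved = entry.get("resolved", "")
    url = urlparse(resolved)
    if url.scheme != "https":
        problems.append(f"resolved URL is not https: {resolved!r}")
    if url.hostname not in trusted_hosts:
        problems.append(f"resolved from untrusted host {url.hostname!r}")
    integrity = entry.get("integrity")
    if not integrity:
        problems.append("no integrity pin recorded")
    elif not verify_sri(fetched, integrity):
        problems.append("integrity mismatch: fetched bytes differ from the locked artifact")
    return problems


# Constructed sample data: an approved registry, the tarball bytes seen at lock
# time, and the lockfile entry that pins them. None of these are real packages.
TRUSTED_REGISTRIES = frozenset({"registry.npmjs.org"})
ORIGINAL_TARBALL = b"constructed tarball contents for example-pkg 1.0.0"
LOCK_ENTRY = {
    "version": "1.0.0",
    "resolved": "https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz",
    "integrity": sri_digest(ORIGINAL_TARBALL),  # recorded at lock time
}


if __name__ == "__main__":
    # Install time: the same bytes come back -> no problems.
    print(check_lock_entry(LOCK_ENTRY, ORIGINAL_TARBALL, TRUSTED_REGISTRIES))
    # A repository or mirror that serves altered content fails the integrity check.
    tampered = ORIGINAL_TARBALL + b"\n# injected code"
    print(check_lock_entry(LOCK_ENTRY, tampered, TRUSTED_REGISTRIES))
    # A lockfile rewritten to point at an unapproved plain-http mirror is flagged too.
    mirror = dict(LOCK_ENTRY, resolved="http://mirror.example.internal/example-pkg-1.0.0.tgz")
    print(check_lock_entry(mirror, ORIGINAL_TARBALL, TRUSTED_REGISTRIES))
```

The design point worth noticing is the fail-closed branch: an integrity field that carries only algorithms the verifier does not accept yields a failure, not a pass. A process that treats "I could not verify" as "verified" gives a compromised repository exactly the gap it needs.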

Developer tools and deployment of applications

Build tools are another category that is easy to overlook when thinking about the software supply chain. This includes developers’ editors, plugins, compilers, utilities, and anything else used in building an application. In airplane manufacturing, for example, the supply chain includes the seats, engines, rivets, and other parts that are assembled into an airplane, but it also includes the wrenches, rivet guns, scaffolding, and anything else that is used during the assembly of the airplane. 

Deployment of an application is also part of the software supply chain. Nowadays many applications are deployed into containers, so the same questions apply to software supply chain security. How are container images selected? What types of risk assessment have been done or need to be done? And just as important, where are the container images coming from? Can you trust the repository? 
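The same two questions the paragraph raises for container images, "where is it coming from?" and "is it the content we assessed?", can be checked mechanically before a deployment is admitted: an image reference pinned only by a tag (or by no tag at all, which means `latest`) can be repointed at different content without the reference changing, whereas a `@sha256:` digest names exactly one image. The Python below is an added example for this article, not Synopsys tooling or any registry's code; the approved registry and the image references in the sample manifest are constructed. It parses references the way container tooling does (a first path component containing a dot or colon, or equal to `localhost`, is a registry; otherwise the default is `docker.io`) and reports images that come from an unapproved source or are not digest-pinned.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A pinned reference carries a sha256 digest: 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry/repo:tag@sha256:...' into its parts, applying the usual defaults."""
    name, _, digest = ref.partition("@")
    # The tag lives after the last ':' of the final path component only, so a
    # registry port such as 'registry.example.com:5000' is not mistaken for a tag.
    head, _, last = name.rpartition("/")
    tag = None
    if ":" in last:
        last, _, tag = last.partition(":")
    name = f"{head}/{last}" if head else last
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name  # implicit default registry
    return ImageRef(registry, repository, tag or None, digest or None)


def check_image_ref(ref: str, allowed_registries: frozenset) -> list:
    """Return the policy problems for one image reference (empty list means it passes)."""
    image = parse_image_ref(ref)
    problems = []
    if image.registry not in allowed_registries:
        problems.append(f"{ref}: registry {image.registry!r} is not an approved source")
    if image.digest is None:
        tag = image.tag or "latest"
        problems.append(f"{ref}: not pinned by digest; tag {tag!r} can be moved to other content")
    elif not DIGEST_RE.match(image.digest):
        problems.append(f"{ref}: malformed digest {image.digest!r}")
    return problems


def audit_images(refs: list, allowed_registries: frozenset) -> dict:
    """Map each failing reference to its problems; references that pass are omitted."""
    report = {}
    for ref in refs:
        problems = check_image_ref(ref, allowed_registries)
        if problems:
            report[ref] = problems
    return report


# Constructed sample: one approved internal registry and the images a deployment
# manifest refers to. Digests are placeholders, not real image digests.
APPROVED_REGISTRIES = frozenset({"registry.example.internal"})
SAMPLE_MANIFEST_IMAGES = [
    "registry.example.internal/platform/api@sha256:" + "a" * 64,        # approved and pinned
    "registry.example.internal/platform/api:1.4.2",                     # approved, mutable tag
    "nginx",                                                             # docker.io, implicit latest
    "ghcr.io/example-org/worker:2.0@sha256:" + "0123456789abcdef" * 4,  # pinned, unapproved source
]


if __name__ == "__main__":
    for ref, problems in audit_images(SAMPLE_MANIFEST_IMAGES, APPROVED_REGISTRIES).items():
        for problem in problems:
            print(problem)
```

Run as an admission check in CI or in a cluster admission controller, this turns the paragraph's questions into a gate: a tag-only reference or an unlisted registry blocks the deployment until someone either pins the digest of the image that was actually assessed or adds the source to the approved list deliberately.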

The software supply chain might be bigger than you thought, but the solution is a comprehensive approach to security. Nobody talks about airplane manufacturing separate from safety — every design decision, every selection of parts, every phase of airplane manufacturing has an undercurrent of safety.

Similarly, security and software are becoming inextricably entwined. The process that leads from application design through implementation, deployment, and maintenance must have security infused at every phase. 

Managing risk in the software supply chain is challenging but important. Software risk is business risk. Using a holistic approach to reducing risk in the software supply chain provides solid benefits in building trust in software. 
