Digital supply chain risk a new security threat for 2022


Gartner has identified digital supply chain risk as a new security threat and one of its top seven security and risk management trends for 2022. Increasingly, there are products in the digital supply chain that companies rely upon that are the “unsung core components holding up our digital operations,” said Peter Firstbrook, Research Vice President at Gartner. “When an underlying component of a third-party app a company uses has a critical vulnerability, they are not responsible for its maintenance, so there are underlying dependencies that are out of their control,” Firstbrook said, referencing the SolarWinds breach and Log4j attack. That can lead to ‘cascading failure’. 

According to Firstbrook, attacks on the digital supply chain can yield a high return on investment for cybercriminals. As more vulnerabilities spread through the supply chain, more threats are expected to emerge. In fact, Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a threefold increase from 2021.

Tim Mackey, Principal Security Strategist at the Synopsys Cybersecurity Research Centre, said: “Gartner’s top security risk management trends of Attack Surface Expansion and Digital Supply Chains reflect the reality that we operate in a distributed software world; one where business risk is a function of the risks present in software, independently of who created it or who operates it. Mitigating such risks requires a more holistic approach to application security, one that isn’t solved with a single product. For example, patch management programs are challenged when dealing with open source software and software supply chain risks as most programs assume that software is commercial in nature and that a vendor will issue updates. When software is freely downloadable from the Internet and might have hundreds of origin points, it’s highly unlikely updates are proactively sent to users as the software creator likely doesn’t know who is using their software. This example also highlights that the risks managed by IT and DevOps teams represent an increased attack surface, one that extends far beyond the custom code created by internal developers. One approach to addressing these problems is to identify where the threats to successful operation of software exist. A starting point would then be to perform a series of threat models against existing patch management and software development pipelines. From there, a complete inventory of software assets and their associated components should be created and maintained. At that point, a vendor risk management review on each supplier, be they internal, commercial, service provider or open source, can be performed. It is only at this point that a fair assessment of the risks in specific digital supply chains can be addressed.”

Intelligent CISO
