The cyber threat landscape is growing more complex and challenging to contend with, exacerbated by advancements in artificial intelligence and increasingly sophisticated cyber criminals. The volume and severity of attacks are increasing in tandem; Keeper Security’s 2024 Insight Report revealed that 92% of IT security leaders have seen an increase in cyber attacks year-over-year.
Among the most pervasive threats to enterprises today are software supply chain attacks. The 2024 Verizon Data Breach Investigations Report revealed a 68% year-over-year increase in breaches influenced by software supply chain interconnections.
Critical to addressing these threats, risks and challenges is a zero-trust approach to prevent data breaches and cyber attacks, and mitigate potential damage, as well as a Software Bill of Materials (SBOM) to protect the software supply chain.
Criticality of zero trust
While the term “zero trust” has been used for over a decade, it’s finally being taken seriously: a recent Gartner survey found 63% of organizations worldwide have fully or partially implemented a zero-trust strategy. The phrase “zero trust” is often dismissed as a buzzword in the enterprise, so here is a breakdown of the term: Zero trust is a modern security framework that eliminates implicit trust. It requires all human users and devices to be continuously and explicitly validated, and strictly limits access to network systems and data. Instead of focusing on where users are logging in from, zero trust concentrates on who they are.
By adopting a zero-trust framework within their infrastructure, IT and security leaders will be in a stronger position to not only identify and react to attacks on their organization but also mitigate any potential damage. A zero-trust security model with least-privilege access and strong data backups limits the blast radius when a cyber attack occurs.
Additionally, strong identity and access management on the front end will help prevent the most common cyber attacks that can lead to a disastrous data breach. This includes privileged access management solutions that enable secrets, connections and password management.
Attacks on the software supply chain
Weak or stolen passwords, credentials and secrets have been a leading cause of data breaches for years. But in 2020, software supply chain attacks became top of mind with the historic SUNBURST attack that affected government agencies and hundreds of Fortune 500 companies.
This sophisticated, devastating cyber attack caused government leaders and industry experts to scrutinize how software is developed and secured. In 2021, President Biden issued an executive order requiring that software producers who supply the federal government provide a Software Bill of Materials (SBOM) for each product. SBOMs have long been advocated by organizations and agencies including the Cybersecurity and Infrastructure Security Agency (CISA), as they are critical for software security and software supply chain risk management.
The need for SBOMs was further proven in November 2021 when cloud security researchers discovered Log4Shell, a remote code execution vulnerability in certain versions of the Apache Log4j 2 Java library, which was deemed the most critical vulnerability of the last decade. Log4Shell allowed hackers to run code on affected systems, granting them control of apps and devices. Log4j is pervasive in the software supply chain, so finding and fixing every vulnerable instance is taking years.
Demystifying software bill of materials (SBOM)
So what exactly is an SBOM? An SBOM is a comprehensive and detailed inventory of all the components that make up a piece of software, including version numbers and licensing information, providing transparency into the software supply chain. Think of it like an ingredient list you would find on the side of a cereal box. An SBOM is invaluable in identifying and mitigating potential vulnerabilities, offering more robust security and streamlined compliance with evolving regulations — improving overall software supply chain management.
Governments and corporations are working to secure their software supply chains, and are requiring SBOMs as part of their procurement process. NIST 800-53 Rev 5 now has a new control family specifically targeting supplier risk. SBOMs are a big part of the new control requirements for FedRAMP under NIST 800-53 Rev 5.
Any organization following NIST 800-53 Rev 5 must have SBOMs; however, all companies can benefit from them. SBOMs can not only reveal which third-party software libraries or modules are used in a particular software package, but can also provide insight into multiple layers of software dependencies within those third-party libraries, and information on potential vulnerabilities within those dependencies.
Securing the software supply chain
With the detailed inventory of software components and versions, including third-party libraries and dependencies, an organization with an SBOM can quickly identify and mitigate potential vulnerabilities. The ability to promptly address new and emerging threats, through timely patching and updates, minimizes the window of exposure an organization might otherwise experience.
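The two preceding sections describe what an SBOM makes possible: matching component versions against known vulnerabilities and seeing the transitive dependency path through which a vulnerable library, such as Log4j 2, entered an application. The following is an added example (not code from the original article or from any SBOM tool) that walks a constructed, simplified CycloneDX-style SBOM and reports every dependency path ending in an affected component. The SBOM contents, the hypothetical `payroll-service`, and the advisory entry with its placeholder id are all constructed; the version range is only loosely modelled on the Log4Shell fix line.

```python
import json, re
# Constructed, simplified CycloneDX-style SBOM for a hypothetical Java service;
# the field names follow CycloneDX, the components and versions are invented.
SBOM_JSON = """{
  "components": [
    {"bom-ref": "app", "name": "payroll-service", "version": "3.2.0"},
    {"bom-ref": "lib-web", "name": "web-framework", "version": "5.1.0"},
    {"bom-ref": "lib-log", "name": "log4j-core", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-web"]},
    {"ref": "lib-web", "dependsOn": ["lib-log"]},
    {"ref": "lib-log", "dependsOn": []}
  ]
}"""
# Constructed advisory feed; the range is loosely modelled on the Log4Shell fix
# line (2.x before 2.15.0) and the id is a placeholder, not a real CVE identifier.
ADVISORIES = [{"id": "ADVISORY-PLACEHOLDER-1", "name": "log4j-core",
               "introduced": "2.0", "fixed": "2.15.0"}]

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); suffixes like '-beta9' are dropped, missing parts are 0."""
    parts = [re.match(r"\d*", piece).group() for piece in text.split(".")[:3]]
    parts = [int(p) if p else 0 for p in parts]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version, advisory):
    """Affected when introduced <= version < fixed (one half-open range)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def find_vulnerable_paths(sbom_json, advisories):
    """Walk the graph from its roots; report every path ending in an affected component."""
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings = []
    def walk(ref, path):  # path holds the bom-refs from the root down to ref
        if ref in path:  # a cyclic dependency declaration would otherwise recurse forever
            return
        path, comp = path + [ref], comps[ref]
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv):
                findings.append({"advisory": adv["id"], "component": comp["name"],
                                 "version": comp["version"], "path": [comps[r]["name"] for r in path]})
        for child in edges.get(ref, []):
            walk(child, path)
    for root in set(edges) - {c for deps in edges.values() for c in deps}:  # never depended on
        walk(root, [])
    return findings
```

Run against the constructed SBOM, the walk reports `log4j-core 2.14.1` reached via `payroll-service -> web-framework -> log4j-core`, which is exactly the transitive exposure a flat package list would hide.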
Providing visibility into the origins of software components, SBOMs help mitigate the risk of incorporating malicious or compromised elements — creating a more resilient software supply chain. This information is also valuable to demonstrate compliance with increasingly stringent regulations around security and licensing standards. There’s a common misconception that SBOMs are only relevant to open-source software. If enterprises use any third-party libraries in their software, whether commercial or open source, SBOMs are still relevant.