How are We Doing with Adopting Tasks to Reduce Software Supply Chain Security Risk?

Software supply chain attacks have grown over 700% per year over the last three years. Software organizations largely did not anticipate how the software supply chain would become a deliberate attack vector. The software industry has moved from passive adversaries finding and exploiting vulnerabilities contributed by well-intentioned developers, such as log4j, to a new generation of software supply chain attacks, where attackers also aggressively implant vulnerabilities directly into dependencies (e.g., the protestware of node-ipc).  Adversaries also find their way into builds and deployments, such as with SolarWinds, to deploy rogue software. Once implanted, these vulnerabilities become an efficient attack vector for adversaries to gain leverage at scale by exploiting the software supply chain.

Section 4 of the May 2021 US Executive Order on Cybersecurity 14028 is on software supply chain security.  Other countries and the European Union are working on similar direction. Organizations have published influential documents prescribing tasks organizations should adopt to reduce software supply chain risk, including NIST Secure Software Development Framework (SSDF) Version 1.1 (800-218), Supply-chain Levels for Software Artifacts (SLSA) v1.0, OpenSSF Secure Supply Chain Consumption Framework (S2C2F), Cloud Native Computing Foundation – Software Supply Chain Best Practices, and others.  This talk will present the Proactive-Secure Software Supply Chain Risk Management (P-SSCRM) model comprising the union of the 72 tasks in nine documents in the Governance, Product, Environment, and Deployment categories.  This talk will present empirical results on the adoption of these tasks by industrial organizations based on interviews with practitioners in software development organizations.