Software supply chains are under more scrutiny for security issues.
The US government mandated software bills of materials for federal software projects so that security teams can understand any potential risks from software components.
The Cybersecurity and Infrastructure Security Agency, the European Union Commission, the UK's National Cyber Security Centre, and Japan are collaborating on how to make SBOMs more useful and more valuable.
Actually implementing SBOMs is still down the list of priorities for many chief information security officers.
Alongside this, you have the issue of who is responsible for maintaining the software involved.
Software Supply Chain Security and Assigning Responsibility

In the world of software, it is challenging to track what is being used, as workloads can be created and stopped from minute to minute based on demand.
With so much IT to look after, so many changes taking place, and so much software to track, the data can overwhelm teams.
Establishing responsibility for application security and management has to focus on practical responsibilities.
Software is often built by outsourced providers.
Too often, security issues become the proverbial hot potato, passed on as quickly as possible to the next person.
Assigning developers hundreds or thousands of software issues to fix does not magically make those fixes happen; in fact, it can lead to more problems as teams don't know what to concentrate on.
To solve this, we need to implement better practices around software supply chain security, starting with SBOMs and asset management and followed with proper prioritization discussions between security and developer teams.
On the security side, this will involve automated patching for low-risk issues.
For developers, it will mean implementing security by design practices.
IT security can provide tools that integrate into developers' workflows early, so that problems can be fixed sooner.
Security can also help by flagging other ways to remove problems.
One CISO I worked with had demoralized teams in both security and software development.
More than a million software issues and security vulnerabilities existed across endpoints, applications, and infrastructure.
What quickly became apparent was that there was no one directly responsible for updates in software image libraries.
Getting more insight helps you to prioritize across all your systems, including first-party software, so you can drive more collaboration, real change, and real success for your teams.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 13 Dec 2023 15:00:17 +0000