Gartner Publishes Guide on Mitigating Software Supply Chain Security Risks
Uploaded 2023-11-28 19:00:38; 308KB PDF, 20 pages
Gartner Publishes Guide on Mitigating Software Supply Chain Security Risks: Eight Key Measures for Securing the Software Supply Chain

Software supply chain attacks have seen triple-digit increases, but few organizations have taken steps to evaluate the risks of these complex attacks. This research provides three practices that security and risk management leaders can use to detect and prevent attacks and protect their organizations.

Key findings: Despite a dramatic rise in software supply chain attacks, security assessments are not performed as part of vendor risk management or procurement activities. This leaves organizations vulnerable to attack. Security teams struggle to respond to vulnerabilities, especially when the vulnerability is contained in a software dependency. Because software components have traditionally not been disclosed, their content is often opaque to teams trying to determine whether they are affected, and identifying affected software and implementing risk mitigations requires extraordinary effort. Customers rarely perform formal testing and evaluation of commercial software for potential vulnerabilities or malicious code, even for systems supporting high-value or sensitive processes. The lack of formal testing creates a path for lateral movement and facilitates the introduction of malicious code that steals data and intellectual property.
Gartner, Inc. | G00762170
Page 1 of 20
Mitigate Enterprise Software Supply Chain Security Risks
Published 31 October 2023 - ID G00762170 - 27 min read
By Analyst(s): Dale Gardner
Initiatives: Security of Applications and Data; Build and Optimize Cybersecurity Programs; Demonstrate Value and Collaborate With Business Partners
Software supply chain attacks have seen triple-digit increases, but
few organizations have taken steps to evaluate the risks of these
complex attacks. This research provides three practices security
and risk management leaders can use to detect and prevent
attacks, and protect their organizations.
Overview
Key Findings
■ Despite a dramatic rise in software supply chain attacks, security assessments are
not performed as a part of vendor risk management or procurement activities. This
leaves organizations vulnerable to attacks.
■ Security teams struggle to respond to vulnerabilities, especially where that
vulnerability is included within software dependencies. Because software
components have not been traditionally disclosed, their content is often opaque to
teams trying to ascertain whether they are affected. This requires extraordinary work
to identify affected software and implement risk mitigations.
■ Formal testing and evaluation of commercial software for potential vulnerabilities or
malicious code are rarely performed by customers — even for systems supporting
high-value or sensitive processes. The lack of formal testing creates a path for
lateral movement, and facilitates the introduction of malicious code that steals data
and intellectual property.
Recommendations
Security and risk management (SRM) leaders have gained expertise in addressing supply
chain issues in internal application development. They can use this knowledge by helping
their organizations follow three practices:
■ Add software supply chain risks to vendor risk management, and educate
colleagues in software acquisition roles about the risks of these attacks. This
strategy aims to disqualify or reduce reliance on vendors with inadequate
application security practices.
■ Demand transparency into application security practices of vendors, and the
composition and contents of the software from those vendors. Doing so facilitates
vendor risk assessments and simplifies the response to and mitigation of
vulnerabilities.
■ Implement dedicated testing and security evaluations for software supporting
high-value or sensitive systems. The scope of testing should span both traditional checks
for software vulnerabilities and the identification of malicious code.
This research note is restricted to the personal use of chenlizhen@qianxin.com.
Strategic Planning Assumption
By 2026, at least 60% of organizations procuring mission-critical software solutions will
mandate software bill of materials (SBOM) disclosures in their license and support
agreements, up from less than 5% in 2022.
Introduction
Almost two-thirds (61%) of U.S. businesses were directly impacted by a software supply
chain attack in the 12-month period ending in April 2023.[1] Gartner and other research
show that software supply chain attacks are a global challenge that continues to grow
dramatically.[1,2] Despite this, proactive efforts to identify, assess and mitigate software
supply chain risks are relatively rare. Only 7% of respondents to Sonatype's ninth annual
State of the Software Supply Chain report have made efforts to review security risks in
their supply chains.[2]
Ensuring the integrity of software supply chains has also become a regulatory and
compliance requirement. Considerable attention has been paid to the United States
Executive Order 14028, issued in May 2021.[3] However, the focus on that order has
masked other important actions. The United States Food and Drug Administration has
issued regulations imposing supply chain requirements on medical device
manufacturers.[4] The United States Securities and Exchange Commission issued a range of
rules focused on cybersecurity incidents, which are expected to further improve supply
chain security.[5]
From a global perspective, agencies of the United Nations have established cybersecurity
requirements, including software security for connected vehicles.[6] Authorities in several
countries have issued or proposed regulations to enhance software supply chain security
(see Note 1).
The lack of transparency and trust within the global software supply chain has emerged
as a critical issue for organizations of all kinds. Whether driven by the desire to prevent
attacks, by regulatory mandates, or by both, security and risk management (SRM) leaders
must act proactively and aggressively to build resiliency and respond to growing threats.
This research provides guidance for SRM leaders about practices that will help protect
their organizations from software supply chain attacks in commercial software. It
includes adding software supply chain considerations to the discussion of vendor risk
management, demanding transparency into the contents of commercial software and
using software bills of materials (SBOMs) as a foundation for the proactive evaluation of
software products.
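As an added illustration of the finding above (undisclosed dependencies make it hard to tell whether a product is affected) and of why SBOM transparency simplifies vulnerability response, the following example is not from the Gartner note. It takes a constructed CycloneDX-style SBOM for a fictional product and constructed advisories with placeholder IDs, flags components whose version falls inside an affected range, and reports the dependency path that shows where each affected component enters the product; the SBOM format, component names, advisory IDs and range semantics are all assumptions.

```python
import json
# Constructed CycloneDX-style SBOM for a fictional product; the Gartner note names
# SBOMs but no format, so CycloneDX 1.4 JSON here is an assumption.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "acme-portal", "version": "4.2.0"}},
  "components": [
    {"bom-ref": "lib-a", "name": "webframework", "version": "2.8.1"},
    {"bom-ref": "lib-b", "name": "logutil", "version": "1.3.7"},
    {"bom-ref": "lib-c", "name": "xmlparse", "version": "0.9.2"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a", "lib-c"]},
    {"ref": "lib-a", "dependsOn": ["lib-b"]}
  ]
}"""
# Constructed advisories with placeholder IDs; affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "logutil", "introduced": "1.0.0", "fixed": "1.3.9"},
    {"id": "ADV-EXAMPLE-0002", "name": "xmlparse", "introduced": "0.5.0", "fixed": "0.9.2"},
]
def parse_version(v):
    return tuple(int(p) for p in v.split("."))  # dotted numeric versions only

def dependency_path(sbom, target_ref):
    """Depth-first walk from the product's root component to target_ref (None if unreachable)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    def walk(ref, path):
        if ref == target_ref:
            return path
        for child in edges.get(ref, []):
            if child not in path:  # guard against cycles
                found = walk(child, path + [child])
                if found:
                    return found
        return None
    root = sbom["metadata"]["component"]["bom-ref"]
    return walk(root, [root])

def affected_components(sbom_json, advisories):
    """Return (advisory id, name, version, dependency path) for each component in an affected range."""
    sbom = json.loads(sbom_json)
    names = {c["bom-ref"]: c["name"] for c in sbom["components"] + [sbom["metadata"]["component"]]}
    hits = []
    for comp in sbom["components"]:
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] == comp["name"] and parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                path = dependency_path(sbom, comp["bom-ref"]) or [comp["bom-ref"]]
                hits.append((adv["id"], comp["name"], comp["version"], " -> ".join(names[r] for r in path)))
    return hits
```

Only the transitive `logutil` dependency is reported; `xmlparse` sits exactly at its fixed version and is correctly left out.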
Analysis
Add Software Supply Chain Security to Vendor Risk Management
Typical external third-party risk management (TPRM) assessments — such as SecurityScorecard,
Bitsight and Black Kite — support an overall framework for vendor risk
management. However, these assessments don’t generally provide an in-depth review of a
vendor’s application or software supply chain security measures. Thus, they’re unable to
support an informed assessment of the security or risks of those processes. The
information TPRM vendors provide can deliver high-level insights that may indicate
underlying issues with a vendor’s supply chain security. However, they do not provide
adequate information to form a complete opinion of the risk that a vendor might pose.
Figure 1 provides an overview of the vendor risk management life cycle and factors
typically considered.
A superior approach to managing risk is to directly request and evaluate attestations — or
other evidence — of appropriate secure software development practices. Vendors
increasingly expect such questions during the procurement process. A Checkmarx survey
revealed that 42% of responding vendors measure application security and release the
reports publicly, while 44% indicated they provide such reports on request.[7] Such
practices should be routine.
A vendor’s inability or unwillingness to accommodate requests for attestations or information about secure software development practices is an adverse signal of risk and should be disqualifying.
Figure 1: Traditional Vendor Risk Management Life Cycle Framework