Gartner发布降低软件供应链安全风险指南资源-CSDN文库

需积分: 5 165 浏览量 2023-11-28 19:00:38 上传评论收藏 308KB PDF 举报

资源推荐

资源详情

资源评论

Gartner, Inc. | G00762170

Page 1 of 20

Mitigate Enterprise Software Supply Chain Security

Risks

Published 31 October 2023 - ID G00762170 - 27 min read

By Analyst(s): Dale Gardner

Initiatives: Security of Applications and Data; Build and Optimize Cybersecurity Programs;

Demonstrate Value and Collaborate With Business Partners

Software supply chain attacks have seen triple-digit increases, but

few organizations have taken steps to evaluate the risks of these

complex attacks. This research provides three practices security

and risk management leaders can use to detect and prevent

attacks, and protect their organizations.

Overview

Key Findings

Recommendations

Security and risk management (SRM) leaders have gained expertise in addressing supply

chain issues in internal application development. They can use this knowledge by helping

their organizations in following three practices:

Despite a dramatic rise in software supply chain attacks, security assessments are

not performed as a part of vendor risk management or procurement activities. This

leaves organizations vulnerable to attacks.

■

Security teams struggle to respond to vulnerabilities, especially where that

vulnerability is included within software dependencies. Because software

components have not been traditionally disclosed, their content is often opaque to

teams trying to ascertain whether they are affected. This requires extraordinary work

to identify affected software and implement risk mitigations.

■

Formal testing and evaluation of commercial software for potential vulnerabilities or

malicious code are rarely performed by customers — even for systems supporting

high-value or sensitive processes. The lack of formal testing creates a path for

lateral movement, and facilitates the introduction of malicious code that steals data

and intellectual property.

■

This research note is restricted to the personal use of chenlizhen@qianxin.com.

Gartner, Inc. | G00762170

Page 2 of 20

Strategic Planning Assumption

By 2026, at least 60% of organizations procuring mission-critical software solutions will

mandate software bill of materials (SBOM) disclosures in their license and support

agreements, up from less than 5% in 2022.

Introduction

Almost two-thirds (61%) of U.S. businesses were directly impacted by a software supply

chain attack in the 12-month period ending in April 2023.

Gartner and other research

shows software supply chain attacks are a global challenge that continues to grow

dramatically.

1,2

Despite this, proactive efforts to identify, assess and mitigate software

supply chain risks are relatively rare. Only 7% of respondents to Sonatype’s ninth annual

State of the Software Supply Chain report have made efforts to review security risks in

their supply chains.

Ensuring the integrity of software supply chains has also become a regulatory and

compliance requirement. Considerable attention has been paid to the United States

Executive Order 14028, issued in May 2021.

However, the focus on that order has

masked other important actions. The United States Food and Drug Administration has

issued regulations imposing supply chain requirements on medical device

manufacturers.

The United States Security and Exchange Commission issued a range of

rules focused on cybersecurity incidents, which are expected to further improve supply

chain security.

Add software supply chain risks to vendor risk management, and educating

colleagues in software acquisition roles about the risks of these attacks. This

strategy aims to disqualify or reduce reliance on vendors with inadequate

application security practices.

■

Demand transparency into application security practices of vendors, and the

composition and contents of the software from those vendors. Doing so facilitates

vendor risk assessments and simpliﬁes the response to and mitigation of

vulnerabilities.

■

Implement dedicated testing and security evaluations for software supporting high-

value or sensitive systems. The scope of testing should span both traditional checks

for software vulnerabilities and the identiﬁcation of malicious code.

■

This research note is restricted to the personal use of chenlizhen@qianxin.com.

Gartner, Inc. | G00762170

Page 3 of 20

From a global perspective, agencies of the United Nations have established cybersecurity

requirements, including software security for connected vehicles.

Authorities in several

countries have issued or proposed regulations to enhance software supply chain security

(see Note 1).

The lack of transparency and trust within the global software supply chain has emerged

as a critical issue for organizations of all kinds. Whether driven by the desire to prevent

attacks or regulatory mandates, — or both — security and risk management (SRM) leaders

must act proactively and aggressively to build resiliency and respond to growing threats.

This research provides guidance for SRM leaders about practices that will help protect

their organizations from software supply chain attacks in commercial software. It

includes adding software supply chain considerations to the discussion of vendor risk

management, demanding transparency into the contents of commercial software and

using software bills of materials (SBOMs) as a foundation for the proactive evaluation of

software products.

Analysis

Add Software Supply Chain Security to Vendor Risk Management

Typical external third-party risk management (TPRM) assessments — such as Security

Scorecard, Bitsight and Black Kite — support an overall framework for vendor risk

management. However, these assessments don’t generally provide an in-depth review of a

vendor’s application or software supply chain security measures. Thus, they’re unable to

support an informed assessment of the security or risks of those processes. The

information TPRM vendors provide can deliver high-level insights that may indicate

underlying issues with a vendor’s supply chain security. However, they do not provide

adequate information to form a complete opinion of the risk that a vendor might pose.

Figure 1 provides an overview of the vendor risk management life cycle and factors

typically considered.

A superior approach to managing risk is to directly request and evaluate attestations — or

other evidence — of appropriate secure software development practices. Vendors

increasingly expect such questions during the procurement process. A Checkmarx survey

revealed that 42% of responding vendors measure application security and release the

reports publicly, while 44% indicated they provide such reports on request.

Such

practices should be routine.

This research note is restricted to the personal use of chenlizhen@qianxin.com.

剩余19页未读，继续阅读

评论收藏

内容反馈

lurenjia404

粉丝: 2042
资源: 123

Gartner发布降低软件供应链安全风险指南

依赖关系跟踪：依赖关系跟踪是一个智能的组件分析平台，使组织可以识别并降低软件供应链中的风险

Gartner发布安全运营中心（SOC）模型指南

Gartner发布风险和安全管理领域的生成式人工智能创新指南

Gartner发布安全领导者数据安全指南

Gartner发布2022年主要安全和风险管理趋势.docx

Gartner发布《2024年美国联邦政府CIO三大工作重点》：管理AI、软件供应链安全和零信任

Gartner发布漏洞评估市场指南

Gartner发布中国零信任网络访问市场指南

Gartner发布2024年网络安全主要趋势

Gartner发布数据安全治理指南：采取四个关键步骤，加快数据安全治理的采用

Gartner发布2023年中国安全技术成熟度曲线

Gartner发布零信任网络访问ZTNA市场指南

Gartner发布2023年工作负载和网络安全技术成熟度曲线

2021-2022年Gartner供应链全球25.pdf

零信任网络访问市场指南 Gartner 2020版

Gartner发布XDR扩展检测和响应市场指南

Gartner发布中国CIO技术投资与数据安全指南

Gartner发布2023年应用安全技术成熟度曲线

Gartner发布中国采用GhatGPT等生成式AI应用的安全问答

Gartner IT安全和风险管理评分（英）.pdf

Gartner发布2023年数据安全技术成熟度曲线

Gartner 2017年网络安全综合报告

libarclite运行.a文件

YOLOV5口罩检测数据集+代码+模型 2000张标注好的数据+教学视频.zip

（免费）Chrome浏览器插件axure-chrome-extension

VMware workstation 17 pro个人免费版

axure谷歌浏览器插件

免费插件-AI插件-illustrator插件集合-尺寸标注-智能填充-颜色自动处理-自动批处理-Windows安装包.zip

嵌入式入门-ADS-安装包

DB Browser for SQLite 数据库查看工具

最新资源