Following an increase in attacks on supply chains, new measures and advice have emerged to support businesses. For example, the UK National Cyber Security Centre (NCSC) published new guidance in October 2022 to help organizations effectively assess and gain confidence in the cyber security of their supply chains. After several high-profile supply chain attacks, President Biden issued a cybersecurity executive order (EO) detailing guidelines for how federal departments, agencies, and contractors doing business with the government must secure their software. These are just two examples of more recent activities, but let's not forget the 2018 Software Bill of Materials (SBOM) as one of the key elements toward the security of the supply chain in software development. Here we explore what else organizations can implement to ensure maximum security within complex supply chains.
Threat Modeling your Supply Chain
Consistent threat modeling is a vital activity in securing supply chains. Supply chains are always in a state of flux and evolution, interfacing with a myriad of third-party services, and to a malicious party all these interconnected systems present a tempting and vulnerable attack surface. Depending on your supply chain, it is typical to build multiple threat representations: perhaps one holistic picture, plus a number of narrower threat models focusing on key elements and components. Considering redundancy (whether of time, hardware, or information), APIs, SSH connections, commercial off-the-shelf (COTS) software, and all the other appendages and mechanisms that comprise your supply chain when producing a threat model will help you identify what can go wrong, what the risk is, and what remediation or mitigation is necessary.
So, your supply chain is secure... Are you sure?
Register for our interactive discussion about implementing and managing security across your supply chain, a topic that has dominated the news and moved up on the business security agenda. Join experts in Cybersecurity and Risk Architecture to learn some key activities your organization can use.
Join Threat Modeling Connect, a global threat modeling community
If you would like additional advice from others experiencing the same challenges, head over to Threat Modeling Connect, a global community where threat modeling practitioners collaborate, share, and grow. There you will find that some conversations about supply chain security have already begun.