Managing your supply chain security

Have you considered threat modeling to support security efforts within your supply chain management?

Supply chains are at risk of security breaches

Following an increase in supply chain attacks, new measures and advice have emerged to support businesses. The UK's National Cyber Security Centre (NCSC) published new guidance in October 2022 to help organizations assess and gain confidence in the cyber security of their supply chains. In the United States, several high-profile supply chain attacks led President Biden to issue Executive Order 14028 in May 2021, setting out how federal departments, agencies, and contractors doing business with the government must secure the software they build and use.

These are just two recent examples; the Software Bill of Materials (SBOM), promoted through the NTIA's multistakeholder process launched in 2018, remains one of the key building blocks for securing the software supply chain. Here we explore what else organizations can do to reduce risk within complex supply chains.

Threat Modeling your supply chain

Consistent threat modeling is a vital activity in securing supply chains. Supply chains are in constant flux, interfacing with a myriad of third-party services, and to a malicious party all of these interconnected systems present a broad and attractive attack surface.

Depending on your supply chain, it is typical to maintain more than one threat model: a holistic picture of the whole chain, plus a set of narrower models that focus on key elements and components.

These models should cover redundancy (whether of time, hardware, or information), APIs, SSH connections, commercial off-the-shelf software, and every other appendage or mechanism that makes up your supply chain. Working through each of them in a threat model helps you identify what can go wrong, what the risk is, and what remediation or mitigation is necessary.