Supply chain security has never been more critical as digital transformation continues its acceleration across industries. With more companies investing in software solutions to work in both remote and hybrid settings, there are more opportunities for supply chain attacks to have greater impact on both your business and your customers. Here are a few tips to enhance your supply chain security and mitigate supply chain risks.
1 – Focus on secure development
“The difficulty with supply chain and supply chain security is it’s only as valuable as the weakest link,” Jonathan Meadows, Head of Cloud Cybersecurity at Citigroup, said during episode 110 of The Secure Developer Podcast. It’s important for security professionals to view both development security and supply chain security in tandem. However, the “weakest link” can on occasion be found in the software development process. Focusing on secure software development should be the top priority before turning your attention to other links in the chain.
2 – Ingesting software — verify and validate
Before integrating other software in the supply chain, you should know what’s entering your environment — whether from a vendor or open source. Obtaining a Software Bill of Materials, or SBOM, from the vendor or manufacturer confirms that the software you have is actually the software the source says they provide. From there, it’s important to check for vulnerabilities within the software. This helps ensure those vulnerabilities do not make their way into other portions of the supply chain or — depending on where you are in the supply chain — to the customer.
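As an added illustration of the verify-and-validate step (example code written for this page, not part of the original article and not Snyk's tooling): the script below builds a CycloneDX-shaped SBOM with SHA-256 hashes for a set of artifacts, checks the bytes that actually arrived against those hashes, flags anything that was delivered but never declared, and matches the declared component versions against an advisory list. The artifact contents, component names, versions and advisory ids are constructed placeholders; in practice the SBOM comes from the vendor and the advisories from a feed or scanner.

```python
import hashlib
import json
from typing import Dict, List

# --- Constructed sample data (made up for this example, not from any vendor) ---

# Artifacts exactly as the vendor built them; the vendor's SBOM hashes cover these bytes.
VENDOR_ARTIFACTS = [
    {"name": "libexample", "version": "1.2.3", "data": b"example-only contents of libexample 1.2.3\n"},
    {"name": "parsekit", "version": "0.9.0", "data": b"example-only contents of parsekit 0.9.0\n"},
]

# Placeholder advisories keyed by component name with a half-open affected range.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "parsekit", "introduced": "0.8.0", "fixed": "0.9.2"},
    {"id": "ADV-EXAMPLE-0002", "name": "libexample", "introduced": "2.0.0", "fixed": "2.0.5"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sbom(artifacts: List[dict]) -> dict:
    """Build a minimal CycloneDX-style SBOM (JSON-compatible dict) with SHA-256 hashes."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {
                "type": "library",
                "name": a["name"],
                "version": a["version"],
                "purl": f"pkg:generic/{a['name']}@{a['version']}",
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(a["data"])}],
            }
            for a in artifacts
        ],
    }


def verify_sbom(sbom: dict, received: Dict[str, bytes]) -> Dict[str, str]:
    """Compare each declared component hash with the bytes that actually arrived.

    Returns name -> "ok" | "hash-mismatch" | "missing-artifact" | "no-hash",
    plus "undeclared-artifact" for anything received that the SBOM never listed.
    """
    results: Dict[str, str] = {}
    for comp in sbom["components"]:
        name = comp["name"]
        expected = next(
            (h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"), None
        )
        if expected is None:
            results[name] = "no-hash"            # SBOM gives nothing to verify against
        elif name not in received:
            results[name] = "missing-artifact"   # declared but never delivered
        elif sha256_hex(received[name]) == expected:
            results[name] = "ok"
        else:
            results[name] = "hash-mismatch"      # delivered bytes differ from the vendor build
    for name in received:
        if name not in results:
            results[name] = "undeclared-artifact"
    return results


def parse_version(v: str) -> tuple:
    # Simple dotted-numeric versions only; real tooling should use a proper version parser.
    return tuple(int(p) for p in v.split("."))


def find_vulnerable(sbom: dict, advisories: List[dict]) -> Dict[str, List[str]]:
    """Map component name -> advisory ids whose [introduced, fixed) range covers its version."""
    hits: Dict[str, List[str]] = {}
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.setdefault(comp["name"], []).append(adv["id"])
    return hits


def demo():
    """Simulate a delivery where one artifact was altered and one extra file appeared."""
    sbom = make_sbom(VENDOR_ARTIFACTS)
    received = {
        "libexample": VENDOR_ARTIFACTS[0]["data"],
        "parsekit": VENDOR_ARTIFACTS[1]["data"] + b"# trailing bytes not in the vendor build\n",
        "helper-tool": b"a file the SBOM never declared\n",
    }
    return verify_sbom(sbom, received), find_vulnerable(sbom, ADVISORIES)


if __name__ == "__main__":
    integrity, advisories = demo()
    print(json.dumps({"integrity": integrity, "advisories": advisories}, indent=2))
```

Two things the script makes concrete: a hash match only tells you the bytes are the ones the vendor hashed, so the SBOM itself has to come through a channel you trust; and anything delivered that the SBOM does not declare deserves the same scrutiny as a mismatch, because an undeclared file is never covered by the vulnerability check that follows.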
3 – Get involved in the industry
Meadows notes the importance of viewing supply chain security at an industry level instead of solely at the enterprise level. This means looking beyond your own supply chain and getting involved in industry organizations and communities in which security pros can learn from each other, further promoting supply chain resilience.
For example, the Cloud Native Computing Foundation (CNCF) offers multiple programs, newsletters and events. The Open Source Security Foundation (OSSF) provides working groups for security collaboration, town halls for industry discussions, and training programs to enhance professional skills.
To hear more of Jonathan Meadows’ expertise, listen to the full podcast discussion with Snyk President and CEO Guy Podjarny: “EP 110: Supply Chain Security.”
About Simon Maple
Simon Maple is the Field CTO at Snyk, a Java Champion since 2014, JavaOne Rockstar speaker in 2014 and 2017, Duke’s Choice award winner, Virtual JUG founder and organiser, and London Java Community co-leader. He is an experienced speaker, having presented at JavaOne, DevoxxBE, UK, & FR, DevSecCon, SnykCon, JavaZone, Jfokus, JavaLand, JMaghreb and many more including many JUG tours. His passion is around user groups and communities. When not traveling, Simon enjoys spending quality time with his family, cooking and eating great food.