- Control 2 – Inventory and Control of Software Assets
- Control 3 – Continuous Vulnerability Management
- Control 18 – Application Software Security
How do organizations proactively protect themselves from being victims of software provided by others? As a start, they use contracts to set supply chain expectations for their suppliers. Sample software procurement language is available for free to assist organizations in developing their contracts and establishing test criteria as part of software SCRM due-diligence. Procurement requirements should contain these specifications, at a minimum:
- Software composition analysis of all compiled code found in the supplier product to identify all third-party open source components via a software bill of materials and to identify all known vulnerabilities listed in Common Vulnerabilities and Exposures (CVE) in publicly available databases, such as the NIST-hosted National Vulnerability Database (NVD);
- Static source code analysis of all available source code found in the supplier product to identify weaknesses listed in Common Weakness Enumeration (CWE);
- Malware analysis of supplier-provided software to determine whether any known malware exists in that software, along with a risk assessment of mitigation controls;
- Validation of security measures described in the product’s design documentation to ensure they are properly implemented and have been used to mitigate the risks associated with use of the component or device.
To facilitate achievement of these requirements, internationally recognized information-sharing standards associated with software security automation are freely available. For example, ITU-T’s Cybersecurity Information Exchange (CYBEX) X.1500 series provides a set of standardized means for identifying, reporting and exchanging cybersecurity information. The ITU-T X.1500 CYBEX ensemble of techniques is a collection of best-of-breed standards from government agencies and industry, and it is an essential enabler to slow the contagion of cyberattacks that target exploitable software. Key for SCRM, ITU-T offers standards for vulnerability/state exchange and event/incident/heuristics exchange. These include standards for exploitable weaknesses (CWEs, ITU-T X.1524), known vulnerabilities (CVEs, ITU-T X.1520) and malware (MAEC, ITU-T X.1546).
- If suppliers do not mitigate exploitable weaknesses or flaws in products (which are difficult for users to mitigate), then those weaknesses represent vectors of future exploitation and zero-day vulnerabilities that put the enterprises that use the products at risk.
- If suppliers do not mitigate known vulnerabilities prior to delivery and utilization, then users cannot have any level of confidence that patching and reconfiguring will be sufficient or timely to mitigate exploitation.
- If suppliers do not check that the software they deliver does not have malware (typically signature-based), then users are at risk of using software with malware pre-installed.