How Data Theorem protects software supply chains

The Supply Chain Secure solution from Data Theorem provides continuous analysis of threats to software supply chains. Its purpose: to prevent compromises that reach companies indirectly, through the third-party software they depend on.

Because attacks on companies such as Solarwinds and Kaseya, and on open-source components such as Log4j, have succeeded and drawn wide publicity, software supply chains have become prime targets for attackers. Data Theorem, a vendor specializing in application security, wants to address the problem by delivering what it calls the “first attack surface management (ASM) product” for the supply chain. Named Supply Chain Secure, the SaaS offering is meant to counter threats anywhere in the application stack: APIs, cloud services, SDKs and open-source software.

According to Data Theorem, the product combats these threats through continuous runtime analysis and dynamic inventory discovery, going beyond the traditional approach of static source-code analysis and reliance on a software bill of materials (SBOM). “An attack surface management (ASM) market is starting to emerge because there aren’t enough ways to deal with software vendors, vendor control and third-party source code,” explains Doug Dooley, COO of Data Theorem. “This was demonstrated by the issues behind the Solarwinds, Log4j and Spring4Shell attacks,” he added. “We are considering an element that, until now, has not been integrated into the management of the attack surface,” Dooley further stated.

Continuous detection of third-party applications and monitoring of vendors

Currently, most software supply chain security solutions address these threats through vendor management or software composition analysis. That approach has a drawback: it often has no visibility into mobile, web, cloud and business applications, nor into third-party APIs. Supply Chain Secure aims to fill this gap with continuous discovery of third-party applications and dynamic tracking of third-party vendors. The product can automatically categorize assets under known vendors, let customers add new vendors and file individual assets under any vendor, and raise alerts on policy violations and on a high rate of third-party vendor integration into core applications.

The solution also improves the accuracy of the software bills of materials (SBOMs) used to identify third-party components in an application. To do so, it retrieves the SBOMs provided by vendors and compares them with an SBOM that Supply Chain Secure builds from runtime analysis of the application. “Usually, the vendor’s SBOM isn’t accurate or has been at some point, so there’s a gap between the vendor’s documentation and what’s actually in production,” Dooley said. “Clients are always excited at how different their documentation is from what an internet attacker might see,” he added.
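The SBOM comparison described above, as an added example that is not Data Theorem’s code: it takes a vendor-declared CycloneDX-style SBOM and one built from what was actually loaded at runtime (both are constructed samples with hypothetical component data; a real runtime SBOM would come from instrumenting the process or scanning the deployed artifact), keys components by their package URL with the version stripped, and reports components that are undeclared, declared but never observed, or present in a different version. The function and variable names are this example’s own.

```python
import json

# Constructed sample (hypothetical data, not a real vendor's SBOM): the
# CycloneDX-style inventory a vendor ships with its component.
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "spring-core", "version": "5.3.18",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.18"},
        {"type": "library", "name": "commons-text", "version": "1.10.0",
         "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0"},
    ],
})

# Constructed sample: the inventory built from what the deployed application
# actually loaded (in practice produced by instrumenting the process or
# scanning the running artifact; written by hand here for the example).
RUNTIME_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        # Older than declared, and inside the Log4Shell-affected range.
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "spring-core", "version": "5.3.18",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.18"},
        # Loaded at runtime but absent from the vendor's documentation.
        {"type": "library", "name": "jackson-databind", "version": "2.9.10",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10"},
    ],
})


def split_purl(purl: str) -> tuple[str, str]:
    """Split a package URL into (identity, version).

    The identity is everything before the '@'; the version stops at any
    qualifier ('?') or subpath ('#'), so two purls for the same package
    compare equal regardless of those suffixes.
    """
    identity, sep, rest = purl.partition("@")
    if not sep:
        return purl, ""
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return identity, version


def index_components(sbom_json: str) -> dict[str, str]:
    """Map each component's identity to its version.

    Prefers the purl as the key because bare names collide across
    ecosystems; falls back to the name when no purl is present.
    """
    index: dict[str, str] = {}
    for comp in json.loads(sbom_json).get("components", []):
        if comp.get("purl"):
            key, version = split_purl(comp["purl"])
        else:
            key, version = comp["name"], ""
        index[key] = version or comp.get("version", "")
    return index


def diff_sboms(vendor_json: str, runtime_json: str) -> dict:
    """Compare a vendor-declared SBOM against a runtime-observed one."""
    declared = index_components(vendor_json)
    observed = index_components(runtime_json)
    common = declared.keys() & observed.keys()
    return {
        # Present in production but missing from the vendor's paperwork:
        # invisible to any review that trusts the vendor SBOM alone.
        "undeclared": {k: observed[k] for k in sorted(observed.keys() - declared.keys())},
        # Documented but never loaded: dead weight, or a build that no
        # longer matches what was documented.
        "not_observed": {k: declared[k] for k in sorted(declared.keys() - observed.keys())},
        # Same component, different version: stale docs or a pinned downgrade.
        "version_drift": sorted((k, declared[k], observed[k]) for k in common if declared[k] != observed[k]),
        "matched": sorted(k for k in common if declared[k] == observed[k]),
    }


def format_report(diff: dict) -> list[str]:
    """Render the comparison as one line per finding, worst class first."""
    lines = []
    for key, version in diff["undeclared"].items():
        lines.append(f"UNDECLARED    {key}@{version}")
    for key, declared_v, observed_v in diff["version_drift"]:
        lines.append(f"VERSION DRIFT {key}: declared {declared_v}, observed {observed_v}")
    for key, version in diff["not_observed"].items():
        lines.append(f"NOT OBSERVED  {key}@{version}")
    lines.append(f"matched: {len(diff['matched'])} component(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(diff_sboms(VENDOR_SBOM, RUNTIME_SBOM))))
```

The undeclared class is the one to act on first: a vendor-management review that only reads the vendor’s SBOM would never see jackson-databind at all, and a version-drift entry such as log4j-core 2.17.1 declared versus 2.14.1 observed is exactly the gap between documentation and production that the quote above refers to.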

Long-term disruption

“Everyone uses third-party software to develop their business software. Therefore, supply chain disruptions will continue, and we need better technology to deal with it. It will never be possible to end this,” explained Data Theorem’s COO. “The question is how long before the problem is noticed and how do you alleviate it?” According to him, no vendor is currently able to offer a perfect solution. “This is the first time this year that the industry has really tried to address this issue in the supply chain. It will take a lot of vendors and a lot of smart clients to solve this problem in the coming years,” he added. “Clients have a knife at their throat: they’re fighting for solutions because they know the Log4j flaw is actually very damaging, but unfortunately this situation will continue until we make progress in automating the detection of these issues in the software supply chain.”
