Data Theorem Addresses Threats to the Software Supply Chain

Data Theorem's Supply Chain Secure solution provides continuous runtime analysis and a dynamic inventory of the software components an application depends on.

Since the successful and highly publicized attacks on companies such as SolarWinds and Kaseya, and on open source components such as Log4j, software supply chain security has become a pressing problem. By delivering “its first attack surface management (ASM) product”, Data Theorem, an application security vendor, wants to relieve this point of tension. Called Supply Chain Secure, the SaaS solution helps counter threats that can affect the entire application stack: APIs, cloud services, SDKs and open source software.

According to Data Theorem, the service counters these threats through continuous runtime scanning and dynamic inventory detection, going beyond traditional static analysis of source code and the use of a software bill of materials (SBOM). “The Attack Surface Management (ASM) market is starting to emerge because there is a lack of a way to deal with vendors and control third-party source code,” said Doug Dooley, Data Theorem’s director of operations. “This was demonstrated by the issues behind the SolarWinds, Log4j and Spring4Shell attacks,” he added. “We are considering an element that, until now, has not been integrated into the management of the attack surface,” Doug Dooley further stated.

Continuous discovery of third-party apps and tracking of publishers

Currently, most software supply chain security solutions combat these threats through vendor management or software composition analysis. That approach has a drawback: it often lacks visibility into mobile, web, cloud and business software, and has no access to third-party APIs. Supply Chain Secure aims to fill this gap with continuous discovery of third-party applications and dynamic tracking of third-party vendors. The product can automatically categorize assets under known vendors, let customers add new vendors, categorize individual assets under any vendor, and alert on policy violations and on a high rate of integration of third-party vendors into core applications.

The solution also aims to improve the accuracy of the software bills of materials (SBOMs) used to identify third-party components in an application. To do so, it ingests vendor-provided SBOMs and compares them with an SBOM that Supply Chain Secure generates from runtime analysis of the application. “Usually, the vendor’s SBOM isn’t accurate or has been at some point, so there’s a gap between the vendor’s documentation and what’s actually in production,” Dooley said. “Clients are always excited at how different their documentation is from what an internet attacker might see,” he added.
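The comparison described above, as an added example that is not Data Theorem's code: a vendor-supplied SBOM and a runtime-derived SBOM, both constructed CycloneDX-style JSON documents, are diffed to surface components that are undocumented, unobserved, or present at a different version than documented.

```python
"""Diff a vendor-supplied SBOM against one derived from runtime observation.

Added example, not Data Theorem's code. Both inputs are constructed
CycloneDX-style documents; only the 'components' array (name/version/purl)
is used, and the runtime inventory is assumed to come from instrumentation.
"""
import json

# Constructed sample: what the vendor documents as shipped.
VENDOR_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "log4j-core", "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"name": "spring-core", "version": "5.3.18", "purl": "pkg:maven/org.springframework/spring-core@5.3.18"},
    {"name": "guava", "version": "31.1-jre", "purl": "pkg:maven/com.google.guava/guava@31.1-jre"},
]})

# Constructed sample: what runtime analysis actually observed loaded.
RUNTIME_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "spring-core", "version": "5.3.18", "purl": "pkg:maven/org.springframework/spring-core@5.3.18"},
    {"name": "jackson-databind", "version": "2.9.8", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"},
]})


def _index(sbom_json):
    """Map package identity (purl minus its version) to the declared version."""
    out = {}
    for c in json.loads(sbom_json).get("components", []):
        purl = c.get("purl") or c["name"]
        key = purl.split("@", 1)[0]  # the purl version follows the first '@'
        out[key] = c.get("version", "")
    return out


def diff_sboms(vendor_json, runtime_json):
    """Return the gaps between documented and observed components."""
    vendor, runtime = _index(vendor_json), _index(runtime_json)
    return {
        # in production but absent from the vendor's documentation
        "undocumented": sorted(k for k in runtime if k not in vendor),
        # documented but never observed loaded at runtime
        "unobserved": sorted(k for k in vendor if k not in runtime),
        # documented and observed, but at different versions
        "version_drift": {k: (vendor[k], runtime[k]) for k in vendor
                          if k in runtime and vendor[k] != runtime[k]},
    }


if __name__ == "__main__":
    print(json.dumps(diff_sboms(VENDOR_SBOM, RUNTIME_SBOM), indent=2))
```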

Long-term disruption

“Everyone uses third-party software to build their business applications,” explains Data Theorem’s director of operations. “As a result, supply chain disruptions will continue, and we need better technology to deal with it. It will never end,” he continued. “The question is how long before the problem is noticed and how to alleviate it,” he said. “Currently, no vendor can provide the perfect solution,” Dooley acknowledged.

“This is the first time this year that the industry is really trying to provide an answer to this problem in the supply chain. It will take a lot of vendors and a lot of smart clients to solve this problem in the coming years,” he added. “Clients are stuck in the throat: they’re fighting for solutions because they know the Log4j flaw is actually very damaging, but unfortunately this situation will continue until we make progress in automating the detection of these issues in the software supply chain,” he said.