Supply chains are on everyone's mind right now — from consumer-tech bottlenecks to talks of holiday-season toy shortages. Meanwhile, cyberattacks targeting elements of the supply chain have become increasingly common and impactful — making this area of security a top priority as organizations ensure their digital defense plans are ready for 2022.

Here's the thing, though: Supply chains are enormously complex, and securing all endpoints in your partner ecosystem can be a herculean challenge.

On Thursday, October 21, 2 members of Rapid7's Research team — Erick Galinkin, Principal Artificial Intelligence Researcher, and Bob Rudis, Chief Security Data Scientist — sat down to get the perspectives of 2 industry panelists: Loren Morgan, VP of Global IT Operations, Infrastructure and Delivery at Owens & Minor; and Dan Walsh, CISO at VillageMD. They discussed the dynamics of supply chain security, how they think about vendor risk, and what they're doing to tackle these challenges at their organizations.


What is supply chain risk, anyway?

The conversation kicked off with a foundational question: What do we mean when we talk about supply chain risk? The answer here is particularly important, given how sprawling and multivariate modern-day supply chains have become.

Dan defined the concept as "the risk inherent in the way we deliver business results." For example, you might be working with a solutions provider whose software relies on open-source libraries, which could introduce vulnerabilities. The impact can be particularly high when a vendor your organization relies on in a strategic, business-critical capacity experiences a security issue.

Bob noted that the nature of supply chain risk hasn't fundamentally changed in the past decade-plus — what's different today is the scale of the problem. That includes not only the size of supply chains themselves but also the magnitude of the risks, as attacks increase in frequency and scope.

For Loren, acknowledging and acting on these growing risks means asking a central question: How are our partners investing in their own defenses? And further, how can we get visibility into the actions our vendors are taking to counteract their vulnerabilities?

Dropping the SBOM

Erick pointed out that one of the more practical ways of achieving visibility with technology vendors is the software bill of materials (SBOM). An SBOM is a list of all the libraries, dependencies, third-party modules, and other components that a provider brings into their software product.

"It's like an ingredient list on a package of food," Dan said. Because of the level of detail it provides, an SBOM can offer much greater insight into vulnerabilities than a compliance certification like SOC2 would.

"Ultimately, from our vendors, what we're looking for is trust," Dan noted. The visibility an SBOM provides can go a long way toward achieving that trust.

But not all vendors might jump at the request to produce an SBOM. And how do you know the SBOM is fully accurate and complete? The cloud complicates the picture considerably, too.

"A SaaSBOM is a lot trickier," Erick noted. With fully cloud-based applications, verifying what's in an SBOM becomes a much tougher task. And cloud misconfigurations have become an increasingly prominent source of vulnerabilities — especially as today's end users are leveraging an array of easy-to-use SaaS tools and browser extensions, multiplying the potential points of risk.

Dan suggested that in the future, the industry might move to an ABOM — a highly memorable shorthand for "application bill of materials" — which would include all source code, infrastructure, and other key components that make an application tick. This would help provide a deeper level of visibility and trust when evaluating the risks inherent in the ever-growing lists of applications that enterprises rely on in today's cloud-first technology ecosystem.
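One way to act on the accuracy and completeness question raised above, as an added example that is not from the panel or from Rapid7: a first-pass review of a vendor-supplied SBOM in CycloneDX JSON. The component names, the observed inventory, and the choice of required fields are constructed assumptions for illustration.

```python
import json

# Constructed CycloneDX-style SBOM, as a vendor might supply it.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libalpha", "version": "2.3.1",
     "purl": "pkg:pypi/libalpha@2.3.1",
     "hashes": [{"alg": "SHA-256", "content": "<placeholder-digest>"}]},
    {"type": "library", "name": "libbeta", "version": "",
     "purl": "pkg:pypi/libbeta"},
    {"type": "library", "name": "libgamma", "version": "0.9.0"}
  ]
}
"""

# Constructed inventory of component names actually found in the delivered
# build (hypothetical source: unpacking the artifact or reading a lockfile).
OBSERVED = {"libalpha", "libbeta", "libdelta"}

# Assumed review policy: every component must carry these fields.
REQUIRED = ("name", "version", "purl", "hashes")


def review_sbom(sbom_text, observed_names):
    """Return (incomplete, undeclared, unobserved) findings for one SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    incomplete = {}   # component name -> list of missing or empty fields
    declared = set()
    for comp in bom.get("components", []):
        name = comp.get("name") or "<unnamed>"
        missing = [f for f in REQUIRED if not comp.get(f)]
        if missing:
            incomplete[name] = missing
        declared.add(name)
    undeclared = sorted(observed_names - declared)   # shipped, not listed
    unobserved = sorted(declared - observed_names)   # listed, not found
    return incomplete, undeclared, unobserved


if __name__ == "__main__":
    for label, finding in zip(("incomplete", "undeclared", "unobserved"),
                              review_sbom(SBOM_JSON, OBSERVED)):
        print(label, finding)
```

Undeclared components are the finding to raise with the vendor first, since they are shipped code the SBOM does not account for.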

Taking action

So, what key concepts and practices should you implement as you put together a 2022 cybersecurity plan that factors in supply chain risk? Here are a few suggestions our panel discussed.

  • Invest in talent: "Find somebody who's been there, done that," Loren urged. Having experienced people on board who can stand up a third-party risk assessment program and handle everything it entails — from interviewing vendors to reviewing SBOMs and other artifacts — can help make this complex task more manageable.
  • Tailor scrutiny by vendor: Not all third parties carry the same level of risk, primarily because of the type of data they access. Accordingly, your vetting process should reflect the vendor you're evaluating and the specific level of risk associated with them. This will save time and energy when evaluating partners who don't introduce as much risk and ensure the higher-risk vendors get the appropriate level of scrutiny. In Dan's work at VillageMD, for example, private health information (PHI) is the most critical type of data that needs the highest security, so vendors handling PHI need to be more rigorously vetted.
  • Think about your internal supply chain: As Bob pointed out, virtually all organizations today are doing some amount of development — whether they're a full-on software provider or simply building their own website. That means we're all susceptible to introducing the same kinds of vulnerabilities that our vendors might, impacting not just our own security but our customers' as well. For example, what happens if a developer introduces a vulnerable component into your product's source code? Or what if your DevOps team introduced a misconfiguration? Does your security operations team have a clear way to know that? Be sure to put guardrails in place by establishing a foundational software development life cycle (SDLC) process for all areas where you're doing development.
  • Identify your no-go's: Each of our panelists also had a few things they considered make-or-break when it comes to vendor assessments — requests that, if not met, would sink any conversation with a potential partner. For Bob, it was a vendor's ability to supply a penetration test with complete findings. Loren echoed this, and also said he insists that partners share their data handling processes. For Dan, it was the right to audit the vendor and their software annually. Identify what these no-go's are for your organization, and build them into vendor conversations and contracts.

Ultimately, holding your vendors accountable is the most important step you can take in the effort to build a secure supply chain.

"It's incumbent on consumers to hold their vendors' feet to the fire and say, 'How are you doing this?'" Erick commented. Demand real data and clear documentation rather than vague responses. When we do this for our own organizations, we make each other safer by demanding more of vendors and raising the bar for security across the supply chain.

Stay tuned for the next 2 installments in our 2022 Planning webcast series! Next up, we'll be discussing the path to effective cybersecurity maturity and how to factor that journey into your 2022 cybersecurity program.