
SBOM

Harmonizing the Federal Effort on Automating Software Bill of Materials

When the Biden administration released Executive Order 14028, “Improving the Nation's Cybersecurity”, it included guidance to enhance the security of the nation’s software supply chain. As a result, key building blocks are being developed to both strengthen software security and bolster software Supply Chain Risk Management (SCRM) programs across the Federal government.

Report: The Role of the SBOM in Securing the Software Supply Chain

The software supply chain is under attack, and it has never been more critical to secure it. Doing so lowers the risk of an attacker gaining unauthorized access to development environments and infrastructure, including version control systems, artifact registries, open-source repositories, continuous integration pipelines, build servers, and application servers.

SBOM 101 - All the questions you were afraid to ask Software Bill of Materials

In many recent security incidents we hear the same themes: lack of knowledge of code dependencies, attacks on the software supply chain, Software Bills of Materials (SBOMs), digital signatures, provenance, attestation, and so on. The fact is, every time a new vulnerability appears, we usually spend a lot of time and effort working out its real impact on the applications and services running in our environment.

Is the SBOM Part of Your Software Security Lifecycle?

The software bill of materials (SBOM) is becoming an increasingly important element in the software development lifecycle (SDLC). Given the rising number of threats that exploit software vulnerabilities and the growing use of applications to run or support all kinds of business processes, an organization that cannot say which components its software contains is exposed to real risk. An SBOM is a formal inventory of the components (libraries, packages, modules) that make up a given software product, with their versions and dependency relationships.
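As an added illustration of the two points made above (an SBOM is an inventory of components, and its most common day-one use is answering "which of our applications ship the package named in this new advisory?"), the following Python is an example written for this page; it is not code from any of the articles or vendors listed here. The three SBOMs, the package names and the advisory identifier are all constructed. The SBOMs use the CycloneDX JSON field names (`components`, `purl`), and the advisory uses an OSV-style half-open `introduced`/`fixed` range.

```python
"""Find which applications carry a vulnerable component by querying their SBOMs.

Added example for this page; not code from any article or product listed here.
The SBOMs, package names and the advisory below are all constructed.
"""
import json
from urllib.parse import unquote

# Constructed SBOMs in CycloneDX JSON shape, one per deployed application.
# Only the fields this example reads are present.
SBOMS = {
    "billing-api": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1", "purl": "pkg:pypi/example-http@2.3.1"},
        {"type": "library", "name": "example-json", "version": "1.0.0", "purl": "pkg:pypi/example-json@1.0.0"},
    ]}),
    "web-frontend": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "example-http", "version": "2.4.0", "purl": "pkg:pypi/example-http@2.4.0"},
    ]}),
    "batch-worker": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        # Same name, different ecosystem: must NOT match a PyPI advisory.
        {"type": "library", "name": "example-http", "version": "2.3.1", "purl": "pkg:npm/example-http@2.3.1"},
        # No purl at all: cannot be matched reliably, so it is reported for review.
        {"type": "library", "name": "example-http", "version": "2.1.0"},
    ]}),
}

# Constructed advisory with a hypothetical identifier (not a real CVE).
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "ecosystem": "pypi",
            "package": "example-http", "introduced": "2.0.0", "fixed": "2.4.0"}


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into (type, name, version).

    The namespace (e.g. an npm scope) stays part of the name; percent-encoding is
    decoded as the purl spec requires. Version is None when the purl has none.
    """
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in body:
        body, _, version = body.rpartition("@")
    ptype, _, name = body.partition("/")
    return ptype, unquote(name), unquote(version) if version else None


def version_key(v):
    """Crude numeric key: '2.3.1' -> (2, 3, 1), padded to three parts.

    Real tooling should apply the ecosystem's own rules (PEP 440 for PyPI,
    semver for npm); pre-release tags and epochs are ignored here.
    """
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, advisory):
    """Affected if introduced <= version < fixed (half-open range, OSV style)."""
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def affected_components(sbom_json, advisory):
    """Return (matches, review) for one SBOM.

    matches: purls of components inside the vulnerable range.
    review:  components with no purl but the same name; ecosystem is unknown,
             so they cannot be cleared automatically.
    """
    sbom = json.loads(sbom_json)
    matches, review = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            if comp.get("name") == advisory["package"]:
                review.append(f'{comp["name"]}@{comp.get("version", "?")}')
            continue
        ptype, name, version = parse_purl(purl)
        if ptype != advisory["ecosystem"] or name != advisory["package"] or version is None:
            continue
        if is_affected(version, advisory):
            matches.append(purl)
    return matches, review


def impacted_applications(sboms, advisory):
    """Map application -> {'affected': [...], 'review': [...]} for apps with any hit."""
    report = {}
    for app, sbom_json in sboms.items():
        matches, review = affected_components(sbom_json, advisory)
        if matches or review:
            report[app] = {"affected": matches, "review": review}
    return report


if __name__ == "__main__":
    for app, hit in impacted_applications(SBOMS, ADVISORY).items():
        print(ADVISORY["id"], app, hit)
```

Three details matter in practice and are deliberately exercised by the constructed data: the ecosystem in the purl must match the advisory (an npm package with the same name is a different package), a component that is exactly the fixed version is not affected, and a component without a purl cannot be cleared automatically and is surfaced for manual review rather than silently dropped.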

Mend API Helps Make SBOMs Simple

The proliferation of third-party software components such as open source software (OSS) has triggered a growing need to keep track of it all. Why? Because when security vulnerabilities inevitably crop up in open source components, it is important to know whether your company uses that piece of code directly, or whether it appears among the many transitive dependencies that open source pulls in.

AppSec Decoded: Methods and tools for SBOM generation | Synopsys

President Biden's executive order calls for agencies to buy only software products that come with a Software Bill of Materials (SBOM). Mike McGuire, security solutions manager at Synopsys, and Taylor Armerding, security advocate at Synopsys, discuss the role SBOMs will play in application security and what tools and methods organizations can use to create a comprehensive SBOM.

Securing Your Software Supply Chain Requires a Dynamic SBOM

Concern is growing over the rise in software supply chain attacks and the need to develop better risk management policies. The software attack surface continues to grow, which in turn, increases risk. Recent high-profile attacks impacting companies including SolarWinds and Kaseya illustrate how vulnerable the software supply chain is today.

A Modern Security Environment Requires An SBOM

Organizations with legacy environments should be focused on reducing technical debt, which can expose businesses to exploits. In a recent article published by Forbes, Rezilion Co-Founder and CEO Liran Tancman discusses how restructuring organizations to better integrate tools such as SBOMs (Software Bills of Materials) is a necessary step for the future. Such assets allow companies to reduce their workload by identifying what matters in their software and eliminating unnecessary code.

RKVST (Jitsuin) SCITT Demo from 2019

Supply Chain Integrity, Transparency, and Trust... all in one platform. A little throw-back here... all the way to 2019! SCITT is a hot area right now in 2022, but this is what we've been doing since the beginning. We were even still called Jitsuin :-) This is a very quick run-through of how making supply chain evidence available to all authorised partners in a supply chain as quickly as possible, with Provenance, Governance, and Immutability guarantees, can boost trust, reduce risk, and speed operations.