The Complex Landscape of Software Supply Chain Security: Beyond Open Source
In an era where software underpins nearly every aspect of business operations, the security of software supply chains has become a paramount concern. While the narrative often centers around open source code, the reality is that most software supply chains are a complex amalgamation of open source, closed-source, and Software-as-a-Service (SaaS) applications. This article delves into the intricacies of securing these diverse components, emphasizing why a singular focus on open source is insufficient and how organizations can adopt a more holistic approach to software supply chain security.
The Three Categories of Software Supply Chains
To understand the challenges of securing software supply chains, it’s essential to categorize the types of software involved:
- Open Source Software: This includes libraries, modules, and other code that developers integrate into their applications. Open source software is often celebrated for its transparency and community-driven development, making it easier to identify and remediate vulnerabilities.
- Closed-Source Software: These are proprietary products from external vendors that organizations deploy and manage within their infrastructure. The closed nature of this software can obscure potential vulnerabilities, making it difficult for organizations to assess their security posture.
- SaaS Applications: These applications are developed, hosted, and managed by external vendors. While they offer convenience and scalability, they also introduce unique security challenges, particularly regarding data management and compliance.
According to IDC, a significant 66.7% of businesses consider open source critical or important, while approximately one-third rely on SaaS applications for core functions. This blend of software types necessitates a comprehensive approach to security.
The Awkward Role of Closed-Source Code in Supply Chain Security
Despite the prevalence of closed-source software in many organizations, security tools and strategies have predominantly focused on open source. This oversight can be attributed to several factors:
- Software Composition Analysis (SCA): SCA tools are designed to scan applications for open source components and flag known vulnerabilities. However, these tools struggle with closed-source code, as the proprietary nature of such software often keeps vulnerabilities hidden from public view.
- Software Bill of Materials (SBOM): SBOMs have emerged as a best practice for tracking third-party software components. However, they primarily cater to open source software, leaving closed-source components inadequately documented. The assumptions underlying SBOM standards often do not apply to closed-source code, leading to gaps in visibility.
As a result, organizations may inadvertently neglect the security of closed-source components, exposing themselves to significant risks.
Why Closed-Source and SaaS Apps Must Be Tracked
The consequences of neglecting closed-source and SaaS applications can be severe. High-profile incidents, such as the SolarWinds breach, have underscored the vulnerabilities associated with closed-source software. Organizations that fail to track their third-party closed-source applications may remain unaware of potential threats or the status of critical patches.
While closed-source vulnerabilities may be less publicly documented than open source flaws, this does not diminish their potential impact. Vendors may automatically install patches for closed-source applications, but this is not guaranteed. Moreover, the lack of readily available information about closed-source vulnerabilities can make them attractive targets for threat actors.
Integrating Closed Source into Software Supply Chain Security
To effectively secure software supply chains, organizations must adopt strategies that encompass all types of software, including closed-source and SaaS applications. Here are several approaches to consider:
- Utilize Enterprise Architecture (EA) Tools: EA tools can help organizations document and manage their software assets, serving a similar purpose to SBOMs for open source. By maintaining an up-to-date inventory of closed-source applications, organizations can better assess their security posture.
- Implement SBOMs for SaaS Applications: While the concept of SBOMs for SaaS is still emerging, organizations should consider tracking these applications to gain visibility into potential vulnerabilities and dependencies.
- Prioritize Third-Party Closed-Source Code Management: IT and cybersecurity leaders must emphasize the importance of managing closed-source software within the broader context of supply chain security. This requires a cultural shift within organizations to recognize that securing closed-source components is just as critical as addressing open source vulnerabilities.
- Continuous Monitoring and Risk Assessment: Organizations should implement continuous monitoring practices to identify and assess risks associated with all software components, including closed-source and SaaS applications. This proactive approach can help organizations stay ahead of potential threats.
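As an added illustration of the inventory and monitoring approaches above (example code written for this article, not an IDC tool or any vendor's product), the following Python sketch keeps open source, closed-source and SaaS components in one record and flags the visibility gaps each category tends to have. The component names, vendors and the advisory identifier are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    """One entry in a software inventory that spans all three categories."""
    name: str
    kind: str                      # "open-source", "closed-source" or "saas"
    owner: str                     # internal team accountable for the component
    version: str = ""              # empty for SaaS, which the vendor versions
    vendor: str = ""
    patch_status: str = "unknown"  # "current", "pending" or "unknown"
    known_vulns: list = field(default_factory=list)

def assess(components):
    """Return (component name, finding) pairs a supply chain review would flag."""
    findings = []
    for c in components:
        if c.kind == "open-source":
            # SCA-style check: a published vulnerability without an applied fix
            if c.known_vulns and c.patch_status != "current":
                findings.append((c.name, "open vulnerabilities not patched"))
        elif c.kind == "closed-source":
            # Vendor and exact version are what an EA inventory must record,
            # because no public database describes what the binary contains
            if not c.vendor or not c.version:
                findings.append((c.name, "closed-source component missing vendor/version"))
            if c.patch_status == "unknown":
                findings.append((c.name, "vendor patch status not tracked"))
        elif c.kind == "saas":
            # Nothing to patch locally, but the vendor relationship must be on record
            if not c.vendor:
                findings.append((c.name, "SaaS application missing vendor record"))
        else:
            findings.append((c.name, f"unrecognised category {c.kind!r}"))
        if not c.owner:
            findings.append((c.name, "no internal owner assigned"))
    return findings

# Constructed sample inventory; all names are hypothetical
INVENTORY = [
    Component("http-parser-lib", "open-source", "platform", "1.8.0", "community",
              "pending", ["PLACEHOLDER-ADVISORY-1"]),
    Component("erp-suite", "closed-source", "finance-it", "", "Example Vendor A"),
    Component("ticketing-service", "saas", "", vendor="Example Vendor B",
              patch_status="current"),
]

if __name__ == "__main__":
    for name, finding in assess(INVENTORY):
        print(f"{name}: {finding}")
```

Running the sketch on the sample inventory reports the unpatched open source library, the closed-source suite with no recorded version or patch status, and the SaaS application with no internal owner.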
Conclusion
As the landscape of software supply chains continues to evolve, organizations must recognize that securing open source alone is not enough. The integration of closed-source and SaaS applications into the security framework is essential for comprehensive risk management. By adopting a holistic approach that encompasses all software types, organizations can better protect themselves against the myriad threats that exist in today’s digital landscape.
For more insights into technology leadership and software supply chain security, consider exploring IDC’s research and advisory services. Understanding the complexities of software supply chains is crucial for organizations aiming to navigate the challenges of modern cybersecurity effectively.
About the Author: Christopher Tozzi is an adjunct research advisor for IDC and a senior lecturer in IT and society at Rensselaer Polytechnic Institute. With a background in technology research and a passion for understanding the societal impacts of technology, Christopher brings a unique perspective to the discussion of software supply chain security.