Our Roundtable Sessions are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. We hosted this Session featuring a group of CXOs and other IT executives. The group met remotely to discuss the rise of next-gen software supply chain attacks, led by the CTO and SVP of a public digital media and content marketing company. This Session was sponsored by Sonatype.
Securing software every step of the way has become increasingly important. Many digital transformation efforts involve onboarding third-party solution providers. However, not many companies have formal supply chain security policies in place. This has led to an exponential rise in software supply chain attacks. What steps must be taken to mitigate this? How do you securely onboard new software without stifling innovation and compromising speed?
A CTO of a broadcasting company regarded the expansion of their digital distribution channels as the primary trigger to consider software supply chain security. As they started delivering content through connected TV and OTT applications, they noticed many new security-related issues. In the last few months, especially due to COVID, they have accelerated their efforts to “be everywhere”, including on social media platforms. They have also recently started allowing user-generated content. Throughout all these digital transformation endeavors, they have had to keep cybersecurity top of mind.
An executive said that the rising number of significant data breaches forces companies to reconsider their security models. They still want to deliver products fast but now realize that security is also fundamentally important.
Today’s systems are more complex than ever before. There are many interconnected components, and typically you don’t own all of them. However, it is still your responsibility to ensure that all components, endpoints, APIs, servers, and databases are secured. Based on what you are trying to protect, you will need a different set of rules, a different set of policies, and a different set of actions.
Empowering developers to pick the right components and open-source solutions is very important. Security measures shouldn’t stifle innovation. Develop a framework that allows developers to choose open-source software that passes a policy. Gauge factors such as age, popularity, and exposure, and if all the boxes are ticked, let the developers use the software right away.
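As an added illustration of such a policy gate (example code written for this summary, not the roundtable's or Sonatype's own tooling), the script below checks candidate components against age, popularity and known-vulnerability thresholds; the metadata fields, threshold values and sample components are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical metadata record for a candidate open-source component;
# in practice these fields come from the registry and a vulnerability feed.
@dataclass
class Component:
    name: str
    released: date            # release date of the exact version requested
    monthly_downloads: int    # crude popularity signal
    known_vulns: list = field(default_factory=list)  # advisory IDs, if any

# The "boxes" a component must tick to be approved right away.
# Threshold values are assumed defaults, not a recommendation.
@dataclass
class Policy:
    min_age_days: int = 14          # let brand-new releases age before use
    min_monthly_downloads: int = 5000
    max_known_vulns: int = 0

def evaluate(c: Component, p: Policy, today: date):
    """Return (approved, reasons); an empty reasons list means auto-approve."""
    reasons = []
    age = (today - c.released).days
    if age < p.min_age_days:
        reasons.append(f"age {age}d < {p.min_age_days}d")
    if c.monthly_downloads < p.min_monthly_downloads:
        reasons.append(f"downloads {c.monthly_downloads} < {p.min_monthly_downloads}")
    if len(c.known_vulns) > p.max_known_vulns:
        reasons.append(f"known vulnerabilities: {', '.join(c.known_vulns)}")
    return (not reasons, reasons)

def gate(candidates, policy, today):
    """Split candidates into auto-approved names and those needing review."""
    approved, review = [], {}
    for c in candidates:
        ok, reasons = evaluate(c, policy, today)
        if ok:
            approved.append(c.name)
        else:
            review[c.name] = reasons
    return approved, review

# Constructed sample candidates (not real packages or advisories).
TODAY = date(2021, 3, 1)
CANDIDATES = [
    Component("widget-lib", date(2020, 11, 3), 120000),
    Component("fresh-parser", date(2021, 2, 27), 42),
    Component("old-http", date(2019, 6, 10), 80000, ["ADVISORY-PLACEHOLDER-1"]),
]
```

Running `gate(CANDIDATES, Policy(), TODAY)` approves only `widget-lib`; the other two are routed to review with the reasons recorded, which is the audit trail the legal and internal audit teams mentioned below would want.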
A speaker mentioned that the technology office of their organization owns the supply chain security program. However, there is a lot of collaboration with the legal and internal audit teams. Another participant said that no one person should own security; it should be a collective, collaborative effort.
One executive expressed the importance of determining “who owns what” and “who gets to do what.” As an administrator of a publishing platform, it’s their duty to ensure that malicious packages never go live. However, some package management systems that opted for speed over security have relinquished control over publishing rights. This gives anyone the ability to release infected packages at any time. There should always be a delicate balance between speed and security.