Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In this final part, we'll discuss more software supply chain security frameworks and the critical role of secrets detection in them. We'll explore the NIST SSDF, SLSA, and OSC&R frameworks and how they cover the topic of secrets in software supply chain security.

Leading cybersecurity experts Major General John F. Wharton, (US Army ret); Oleg Strizhak, Shell’s Digital Supply Chain Risk Manager; and Sam Curry, the CISO of Zscaler, recently sat down with SecurityScorecard’s President of International Operations Matthew McKenna to discuss how organizations can prepare themselves and their supply chains for zero-day attacks as well as best practices for supply chain risk management.

It’s April, designated National Supply Chain Integrity month by CISA, NCSC, ONCD and Department of Defense, to promote resources, tools, and information to help organizations and agencies secure their supply chains and build resilience. But what role does blockchain play in supply chain and how easy is it to implement? Blockchain technology has numerous potential applications in supply chain due to its ability to provide a secure, transparent, and tamper-proof ledger of transactions.

This week kicks off the 6th annual National Supply Chain Integrity Month, an initiative started by CISA and other government agencies to highlight the importance of securing our nation’s most critical systems. This year’s theme, “Supply Chain Risk Management (SCRM) – The Recipe for Resilience,” is meant to encourage all stakeholders to apply a comprehensive approach in their efforts to strengthen cyber defenses.

On March 29, researchers from two security companies identified an active campaign originating from a modified version of a legitimate, signed application: 3CXDesktopApp, a popular voice and video conferencing software. 3CXDesktopApp is developed by 3CX, a business communications software company. According to its website, 3CX has 600,000 client organizations and 12 million daily users.

Another supply chain attack requires an urgent response from security teams.

Threat groups intending to cause widespread damage often opt to use a supply chain attack, as seen in the massive supply chain compromise that struck VOIP software provider 3CX on March 29. Trustwave SpiderLabs has issued a blog detailing the attack and upcoming steps to mitigate the problem. Striking an organization's supply chain simplifies the attack process by eliminating the need to strike multiple targets by instead focusing on breaching one organization that is key to many others.