Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

SCITT in the information security context stands for “Supply Chain Integrity, Transparency, and Trust”. It’s a relatively young discipline and the dust is still settling over its scope and definition but the core is very simple: risk vests in the operator of equipment, but it originates at every point in the supply chain.

As cyber attacks and security breaches have increased in recent years, managing digital supply chain risks is becoming more difficult. Cybercriminals exploit vulnerabilities in the ecosystem of less secure suppliers and third-party vendors to gain access to larger institutions. These institutions need to look beyond their own cybersecurity maturity to be successful; cyber risks need to be identified across the ecosystem.

Cyber attacks and data breaches are top of mind for businesses around the world as attacks on vulnerable networks persist. It is more important than ever to ensure cyber security and resilience programs are in place for your business and third-party suppliers. The information and communications technology (ICT) supply chain is a globally-interconnected ecosystem that involves CT software, hardware, and services including suppliers, vendors, and contractors.

The software supply chain indicates the formal workflow of how your software moves through the coding stages done by the developers to the final packages for the end-users. When an attacker breaks in between the process and modifies the source code with malicious ones, it is known as an attack on the software supply chain. Software supply chain attacks are challenging to discover and mitigate if you do not have the proper verification and trail-tracking system, especially for large industries.

The last 24 months has seen a steady stream of media attention relating to attacks on the supply chain. The impact is real, as is the cost. We have watched both big name security like SolarWinds and open source such as log4js serve as targets with devastating effects. Quite often the methods used have anecdotally relied on technical means and to a lesser degree social engineering.

If your organization develops software and applications to deliver products and solutions, then more than likely you’re using third-party open source components to help create them. According to most estimates, open source components now make up over 80 percent of software products.

The software supply chain remains a weak link for an attacker to exploit and gain access to an organization. According to a report in 2021, supply chain attacks increased by 650%, and some of the attacks have received a lot of limelight, such as SUNBURST in 2020 and Dependency Confusion in 2021.