Supply chain risk continues to make headlines, from Solarwinds and Kaseya to last week’s announcement of a patch for the OpenSSL vulnerability, and the latest cybersecurity review from the U.K.’s National Cyber Security Centre highlights the serious threats posed by supply chain attacks.
Last year the Log4J vulnerability perfectly illustrated how properly shared SBOMs would have helped users find and mitigate the “vulnerability of the decade”. And over the last few days we’ve been worried that we’re in the same place with OpenSSL 3.x. Why will this keep on happening? A lot has happened since The White House issued Executive Order 14028.
Speaking to people on our neighbouring booths at the UK nuclear decommissioning event, it was clear to see the entire industry is drowning in paperwork.
SCITT in the information security context stands for “Supply Chain Integrity, Transparency, and Trust”. It’s a relatively young discipline and the dust is still settling over its scope and definition but the core is very simple: risk vests in the operator of equipment, but it originates at every point in the supply chain.