How to Manage Software Supply Chain Risks

Trey Herr of Atlantic Council Says Stronger Industry Standards Are Needed
Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council

The threat posed by software supply chain attacks is growing, but organizations can take steps to minimize the risks.

Trey Herr, co-author of a study of more than 100 supply chain compromises that was released last year by the Atlantic Council, says attackers, particularly state-affiliated ones, look to compromise roots of trust in the software supply chain.

“We think about software supply chain attacks as being unusual or exotic,” says Herr, director of the Atlantic Council’s Cyber Statecraft Initiative. “Really, there’s been a tremendous number of them over the last decade.”

Herr will present an update on the research on Feb. 2 at Usenix’s Enigma conference, a virtual event.

Herr says what makes the SolarWinds attack stand out is the lateral movement and patience of the attackers (see: SolarWinds Describes Attackers' 'Malicious Code Injection').

Organizations should take steps, including closer vetting of vendor processes, to gain better confidence in their supply chains, Herr says. Meanwhile, vendors need to adhere to baseline security practices. Ultimately, stronger industry standards for how code is authenticated and verified are needed, he says.

In this video interview, Herr discusses:

  • Trends emerging from more than 100 supply chain attacks;
  • What risk-reduction measures organizations can take;
  • How the public and private sectors can improve supply chain security.

Herr is director of the Cyber Statecraft Initiative at the Atlantic Council, which studies how technology is used for strategic objectives. He previously was a senior security strategist at Microsoft covering challenges in cloud computing, supply chain security, data governance and vulnerability disclosure.


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Executive Editor for Security and Technology for Information Security Media Group. He's the creator of "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware, the greatest crime wave the internet has ever seen.