Software Supply Chain Do's and Don'tsPhylum's Pete Morgan on How to Best Secure Software Supply Chains
An uptick in supply chain attacks has made organizations mindful of securing their software supply chains. But there's still a long way to go. Organizations have long been using software from open-source ecosystems without fully realizing how much software they actually pull from these libraries, but the potential downstream effects of security flaws could have a major impact, said Pete Morgan, co-founder and CSO at Phylum.
Organizations need to rethink their approach and consider whether the software they are using is appropriate for their security model, Morgan advised. Organizations should also consider the risks associated with using untrusted code on the internet, which is a significant factor in the open-source supply chain.
"When you start peeling back the onion of how the supply chain works, if developers want to use one package, it might have 10 dependencies, which might each have 10 dependencies in the graph of software that comes with it," Morgan said. "What ends up happening is developers hope that there's nothing wrong with it, and this creates a huge amount of technical debt because now you've taken all of that supply chain in and you require it for your software to work. Now you have to manage the security posture of that in the long term. This is where we've seen an explosion in vulnerabilities."
In this video interview with Information Security Media Group at RSA Conference 2023, Morgan also discusses:
- How software supply chain risk has evolved in recent years;
- How adversaries now commonly target software developers;
- The mechanisms that current attacks are using that make them effective against other security tools.
Morgan is a security researcher with a long history in research and consulting organizations. He has over a decade of experience helping to build teams composed of software developers and vulnerability researchers.