This post is part of our 2023 cybersecurity predictions series.
As we head into 2023, we heard from Moshe Zioni, VP of Security Research at Apiiro, a cloud-native security company, on how organizations can mitigate their software supply chain security risk and what organizations should be prioritizing as they form their cyber strategy for the new year.
It has been proven, in practice, that the federal government can and will affect virtually every sector. The US government’s standards and advocacy, especially, have been a backbone of worldwide advancements when it comes to adhering to and embracing new technologies, and security standards in particular.
Those efforts are translated, derived from and pushed by many organizations which rely on NIST, CISA and other organizations’ papers and actions almost by definition, and it will probably follow the same pattern there.
The major thing that can hold off those 2nd-degree effects is the flexibility and agility of suppliers and consumers to be able to adhere to those standards once mandated. One should be conscious of the operational and functional implications of such requirements on a designated industry of choice before firing up a new standard/regulation.
Vulnerability data - the production, delivery and consumption of vulnerability data from both suppliers and consumers could be seen as a spin-off discussion, but it also touches the core of why SBOM is not just magic; it needs structure, definition and usability in mind when producing.
More than just dependencies - the current discussion of SBOM is producing mostly data that is related to the package contents, but the extended BOM question is: what else needs to be produced? Examples such as exposed APIs, SaaS connections and tech stacks are also very important, to some industries more than others, and should not be overlooked in the discussion.
Lastly - SBOM completeness and security is an ongoing fight that is given more thought now than before but still needs robust answers to complex questions around it. How does one protect SBOM data from unwanted eyes? How can one ensure completeness of the data produced? How far does self-attestation go? The need for provenance and maintenance of such by an unbiased body, and more.
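The three SBOM points above (structured vulnerability data, an extended BOM that records services and not only packages, and completeness of what is produced) can be turned into a concrete consumer-side check. The following is an added example, not code from the post or from Apiiro: a small completeness audit over a constructed CycloneDX-style document. The field names (bomFormat, components, services, purl, hashes, vulnerabilities) follow CycloneDX 1.4 naming; the sample values and the rules applied (every component needs a version, a package URL and a hash; every service needs endpoints and an authentication flag; the document must carry a vulnerabilities section) are this example's own assumptions about what "complete" means.

```python
"""Completeness audit over a CycloneDX-style SBOM (added example, constructed input)."""
import json
from dataclasses import dataclass, field

# Constructed sample SBOM. Field names follow CycloneDX 1.4 naming; every
# value below is made up for the example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application",
                               "name": "billing-svc", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},   # complete
        {"type": "library", "name": "left-pad", "version": "1.3.0"},  # no purl, no hash
        {"type": "library", "name": "urllib3"},                       # no version either
    ],
    # Extended BOM data: services the application talks to, not just packages.
    "services": [
        {"name": "payments-api", "authenticated": True,
         "endpoints": ["https://payments.example/v1/charge"]},
        {"name": "analytics-saas",
         "endpoints": ["https://analytics.example/collect"]},         # auth flag missing
    ],
    # Deliberately no "vulnerabilities" key: the producer shipped no vulnerability data.
})


@dataclass
class Finding:
    subject: str   # component/service name or "document"
    issue: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    def complete(self) -> bool:
        return not self.findings


COMPONENT_FIELDS = ("name", "version", "purl")


def check_component(c: dict) -> list:
    """One finding per missing identity field, plus one if no hash is recorded."""
    name = c.get("name", "<unnamed>")
    out = [Finding(name, f"missing {f}") for f in COMPONENT_FIELDS if not c.get(f)]
    if not c.get("hashes"):
        out.append(Finding(name, "missing hashes"))
    return out


def check_service(s: dict) -> list:
    """Services need at least one endpoint and an explicit authentication flag."""
    name = s.get("name", "<unnamed>")
    out = []
    if not s.get("endpoints"):
        out.append(Finding(name, "missing endpoints"))
    if "authenticated" not in s:
        out.append(Finding(name, "authentication not declared"))
    return out


def check_sbom(doc: str) -> Report:
    """Parse a JSON SBOM string and collect completeness findings."""
    sbom = json.loads(doc)
    report = Report()
    if sbom.get("bomFormat") != "CycloneDX":
        report.findings.append(Finding("document", "unknown bomFormat"))
    for c in sbom.get("components", []):
        report.findings.extend(check_component(c))
    for s in sbom.get("services", []):
        report.findings.extend(check_service(s))
    # Without a vulnerabilities section a consumer cannot distinguish
    # "no known vulnerabilities" from "nobody looked".
    if "vulnerabilities" not in sbom:
        report.findings.append(Finding("document", "no vulnerabilities section present"))
    return report


if __name__ == "__main__":
    rep = check_sbom(SAMPLE_SBOM)
    for f in rep.findings:
        print(f"{f.subject}: {f.issue}")
    print("complete" if rep.complete() else f"{len(rep.findings)} gaps")
```

Run against the sample, the audit reports seven gaps: two for left-pad, three for urllib3, one for the analytics service and one for the missing vulnerability data. The rules are intentionally explicit constants and small functions so a team can tighten them (for example requiring a specific hash algorithm) as its own definition of completeness matures.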
What should risk-focused organizations prioritize in 2023?
Supply chain affects everyone in the industry and has shown its issues more prominently through the known attacks and threats of the past couple of years. That means that organizations will have to rethink their supplier risk management, their open source stance, and how to assess and analyze a given package/dependency for internal usage, whether by systems, developers, testers, etc.
How will supply chain attacks mature?
We see that adversaries are more daring than before, looking for loopholes in public registries, package management systems and side-channels as well. We will continue to see new tools in the hands of adversaries mature, and new, more sophisticated ways to abuse the trust between consumers and suppliers.
Thoughts on the cybersecurity market for 2023
The needed focus on broad context and risk analysis for open source, internal repositories and beyond constitutes a solid foundation on topics such as software supply chain management, inventory visibility and commit code review, which will deepen the investigative and efficient work done by application security professionals, practitioners and developers alike.