ICIT Certified Content: This content has been reviewed by ICIT and deemed valuable content for the community.  We encourage you to study it and socialize it with your networks. The whitepaper explores how generating software bills of materials can improve security throughout the software development lifecycle. It was coauthored by Jim Routh, ICIT Fellow, former CISO and CSO at MassMutual, Aetna and CVSHealth, and current cybersecurity advisor and board member.

The Apache Log4j vulnerability exposed a massive software supply chain weakness in thousands of software applications. The prevalent use of open source components in software is creating significant risk. Whether you are developing software to support internal organizational use, delivering software for your customers to consume, or deploying third party software across your enterprise to provide business functionality, risk from open source components in software must be managed. If open source risk continues to go unmanaged, your organization could face brand and reputational damage, financial loss and regulatory penalties from increasing cyberattacks targeting vulnerable and popular software components.

For developers, the days of working in the dark by trusting external code being risk free are over. The same goes for software vendors delivering products to customers and organizations deploying software to support their businesses. Vulnerable open source components in software, as a cybersecurity blind spot historically, has to be addressed and fixed. The need to “trust, but verify” software at all stages of its lifecycle is required to reduce open source risk throughout the software supply chain.

This paper will shed light on an emerging critical software supply chain weakness and how generating software bills of materials can be the foundation to improving security at multiple stages of the software lifecycle.

Read the Full Paper

Jim Routh is a former CISO/CSO for six industry leading organizations including American Express, DTCC, PMG, Aetna, CVS and MassMutual. He is the former Board Chair for the Health Information Sharing & Analysis Center (H-ISAC) and the former board member for the Financial Services Information Sharing & Analysis Center (FS-ISAC). He has presented to Boards and Board Committees (Technology & Governance, Audit Committees) for many public and private companies as the CISO or CSO, providing cyber security updates and education designed for board members over the past twenty years. Jim is considered a digital and cyber security industry expert and thought leader. He serves on the boards for Supply Wisdom, GrammaTech, UnBiased Security and the Global Resilience Federation. Jim is currently an advisor for Wiz, Devo, Gurucul, Data Theorem, Cleer Security, Picnic, Badge Security, Saviynt, ThreatDetect and Virsec. He is a faculty member at the NY Tandon School of Engineering where he teaches cybersecurity. He serves in an advisory capacity and investor for four cyber specific venture funds including: SynVentures, CyberStarts, Security Leadership Capital and Rain Capital.