ICIT Certified Content: This content has been reviewed by ICIT and deemed valuable content for the community. We encourage you to study it and socialize it with your networks. The whitepaper explores how generating software bills of materials can improve security throughout the software development lifecycle. It was coauthored by Jim Routh, ICIT Fellow, former CISO and CSO at MassMutual, Aetna and CVSHealth, and current cybersecurity advisor and board member.
The Apache Log4j vulnerability exposed a massive software supply chain weakness in thousands of software applications. The prevalent use of open source components in software is creating significant risk. Whether you are developing software to support internal organizational use, delivering software for your customers to consume, or deploying third party software across your enterprise to provide business functionality, risk from open source components in software must be managed. If open source risk continues to go unmanaged, your organization could face brand and reputational damage, financial loss and regulatory penalties from increasing cyberattacks targeting vulnerable and popular software components.
For developers, the days of working in the dark by trusting external code being risk free are over. The same goes for software vendors delivering products to customers and organizations deploying software to support their businesses. Vulnerable open source components in software, as a cybersecurity blind spot historically, has to be addressed and fixed. The need to “trust, but verify” software at all stages of its lifecycle is required to reduce open source risk throughout the software supply chain.
This paper will shed light on an emerging critical software supply chain weakness and how generating software bills of materials can be the foundation to improving security at multiple stages of the software lifecycle.
Read the Full Paper