
    5 Steps for Securing Your Software Supply Chain

    Edwin Kwan, Head Of Cyber Security Advisory And Application Security, Tyro Payments


    Most modern applications are assembled from open-source components, with developers typically writing less than 15% of the code for their application. As the demand for open-source software grows, the number of available open-source components also grows. However, not all open-source components are created equally or maintained properly. As a result, we are seeing an increase in software supply chain attacks. According to the 8th annual software supply chain report, the average growth rate of software supply chain attacks is 742% per year. There has also been an increase in protestware, with developers intentionally sabotaging their own open-source components, as in the case of the colors and faker components, which resulted in a denial of service attack. And we have also seen developers themselves being the target of these attacks, where malicious programs are installed on their machines when they download and install open-source components such as Python libraries.

    Below are five important steps you can take to secure your organisation’s software supply chain:

    1. Maintain a Software Bill of Materials (SBOM)

    The first is to have a software bill of materials (SBOM). This is a list of all the open-source components, including their versions, that make up your applications. Having an SBOM allows you to quickly understand your organisation’s exposure when vulnerabilities are discovered. There should also be an owner for each application, so that it is easy to determine who is responsible for maintaining the code.

    2. Perform Due Diligence - Scan for Vulnerabilities

    The next step is to perform due diligence on all open-source components that your organisation uses. We already do this for commercial software and suppliers, and the same needs to be done for open-source components. We need to make sure that the components we use are free from any known defects (vulnerabilities). Software Composition Analysis (SCA) tools can scan your applications for known vulnerabilities.

    As more effort is required to remediate vulnerabilities that are already in production, these SCA tools are often deployed in the build pipeline to ensure that there are no known vulnerabilities before the application is released. However, given the trend where developer machines are sometimes the target of software supply chain attacks, these scans should also be done before the components are downloaded onto the developer’s machine. Regular scanning of production applications is also required to detect any newly discovered vulnerabilities. Other due diligence includes only using components from reputable sources and steering clear of unpopular components or components that have a single developer. Popular components get more public scrutiny, so vulnerabilities are more likely to be detected, and a component developed by a single person represents a key-person risk.

    3. Have a Centralised Artifact Repository - Use Only Approved Software

    Your organisation should only be using approved components that have already been scanned for malware and vulnerabilities, and having a centralised artifact repository helps with that. A centralised artifact repository provides the assurance that you are downloading the component from its official source. This helps address typo-squatting and dependency confusion attacks, which are popular software supply chain attack approaches. It is recommended to use an SCA tool with rules or policies in place to automatically determine when a component is approved for use. Some organisations also use a centralised artifact repository to reduce the number of open-source suppliers. Rather than having 15 different components providing the same functionality, they limit themselves to the highest quality component.

    4. Always Use Latest - Don’t Use Stale Components


    When using an open-source component, you should always use the latest version. This means you have the latest bug fixes and security fixes. You should also be proactive and patch the components in your production application regularly, whenever newer versions become available. Patch management is crucial in managing your software supply chain, and it is one area that can very quickly get out of control. If you let your components get stale, it can be quite hard to remediate should a security issue be discovered, as there might be many breaking changes in the newer fixed version that will also need to be addressed. Successful approaches that I’ve seen for this include having a policy that teams update all stale components when making new changes, having dedicated time set aside each month, and automating the upgrades using tools like Dependabot by GitHub.
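The following is an added example, not code from the article or from Tyro Payments, that turns steps 1 to 4 above into a single automated policy check over an SBOM. It assumes a CycloneDX-style JSON SBOM in which the application owner (step 1) is recorded as a custom "owner" property on the metadata component; the SBOM itself, the approved-component catalog standing in for a centralised artifact repository (step 3), and the advisory list (step 2) are all constructed for the example, and the advisory IDs are placeholders rather than real CVE data. Each component is checked for a known vulnerability that already has a fix, for absence from the approved catalog (with a Levenshtein near-miss test to surface names that look like typo-squats of approved packages), and for being stale relative to the catalog's latest version (step 4).

```python
"""SBOM policy check: constructed example applying the article's steps 1-4.

All data below is constructed for the example; advisory IDs are placeholders.
"""
import json
from dataclasses import dataclass

# Constructed SBOM. Assumption: the application owner is recorded as a custom
# "owner" property on the metadata component.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {
      "name": "payments-api",
      "properties": [{"name": "owner", "value": "team-payments@example.invalid"}]
    }
  },
  "components": [
    {"type": "library", "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "purl": "pkg:pypi/reqeusts@2.31.0"},
    {"type": "library", "purl": "pkg:npm/left-pad@1.3.0"}
  ]
}
"""

# Constructed approved catalog (what the centralised artifact repository serves):
# versionless purl -> latest approved version.
APPROVED = {
    "pkg:pypi/requests": "2.31.0",
    "pkg:pypi/urllib3": "2.2.1",
    "pkg:npm/lodash": "4.17.21",
}

# Constructed advisories, NOT real CVE data: id -> (versionless purl, first fixed version).
ADVISORIES = {
    "ADV-CONSTRUCTED-001": ("pkg:pypi/requests", "2.31.0"),
    "ADV-CONSTRUCTED-002": ("pkg:npm/lodash", "4.17.21"),
}


@dataclass
class Finding:
    kind: str       # "vulnerable", "unapproved" or "stale"
    component: str  # full purl including version
    detail: str


def parse_version(version):
    """Dotted numeric version -> comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def split_purl(purl):
    """'pkg:pypi/requests@2.25.1' -> ('pkg:pypi/requests', '2.25.1')."""
    base, _, version = purl.rpartition("@")
    return base, version


def edit_distance(a, b):
    """Levenshtein distance; names within 2 edits of an approved name get flagged."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def load_sbom(sbom_text):
    """Return (application name, owner, list of component purls)."""
    sbom = json.loads(sbom_text)
    app = sbom["metadata"]["component"]
    owner = next((p["value"] for p in app.get("properties", []) if p["name"] == "owner"), "UNOWNED")
    return app["name"], owner, [c["purl"] for c in sbom["components"]]


def check_sbom(sbom_text, approved=APPROVED, advisories=ADVISORIES):
    """Apply the vulnerability, approval and staleness checks to every component."""
    app, owner, purls = load_sbom(sbom_text)
    findings = []
    for purl in purls:
        base, version = split_purl(purl)
        # Step 2: known vulnerability whose fixed version we are behind.
        for adv_id, (adv_base, fixed) in advisories.items():
            if adv_base == base and parse_version(version) < parse_version(fixed):
                findings.append(Finding("vulnerable", purl, f"{adv_id}, fixed in {fixed}"))
        # Step 3: only approved components; flag names close to an approved one.
        if base not in approved:
            name = base.rsplit("/", 1)[-1]
            near = [a for a in approved if edit_distance(a.rsplit("/", 1)[-1], name) <= 2]
            detail = "not in approved catalog"
            if near:
                detail += "; possible typo-squat of " + ", ".join(near)
            findings.append(Finding("unapproved", purl, detail))
        # Step 4: approved but behind the catalog's latest version.
        elif parse_version(version) < parse_version(approved[base]):
            findings.append(Finding("stale", purl, f"latest approved is {approved[base]}"))
    return app, owner, findings


if __name__ == "__main__":
    app, owner, findings = check_sbom(SBOM_JSON)
    print(f"{app} (owner: {owner})")
    for f in findings:
        print(f"  [{f.kind}] {f.component}: {f.detail}")
```

Run against the constructed SBOM, `requests@2.25.1` is reported both as vulnerable and as stale, `lodash@4.17.21` passes because it is exactly at the fixed version, `reqeusts` is rejected as unapproved with a note that it sits two edits from `requests`, and `left-pad` is rejected simply for not being in the catalog. Because `check_sbom` returns the application name and owner alongside the findings, the same routine run over every application's SBOM gives the exposure-by-owner view that step 1 calls for; in a real pipeline the catalog and advisories would be fetched from the artifact repository and the SCA tool rather than embedded.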

    5. Run a Web Application Firewall (WAF)

    There are times when fixed versions of open-source components are not yet available after a security vulnerability has been disclosed, or when a proof of concept or exploit kit is released. There are also times when your development teams require additional time to remediate. Having a Web Application Firewall (WAF) allows you to protect the organisation while the fix is being applied.

    Modern applications are mostly made up of open-source components. Unlike the code that your developers write, you have little visibility into the secure development practices of open-source developers. Our dependency on open-source components is going to increase over time, and implementing these five steps will help secure your organisation’s software supply chain.

    Copyright © 2025 APAC CIOOutlook. All rights reserved. Registration on or use of this site constitutes acceptance of our Terms of Use and Privacy and Anti Spam Policy 


    https://mobile-application.apacciooutlook.com/cxoinsights/5-steps-for-securing-your-software-supply-chain-nwid-10257.html