Keeping Up with Trends in Software Supply Chain Management

Three key software supply chain trends and how to keep up with them.

July 18, 2023

Software Supply Chain Management

Securing the software supply chain requires understanding the rapidly-evolving developments in supply chain management. Alex Rybak, senior director of product management at Revenera, details how software suppliers can keep up.

The last few years saw important progress in software supply chain management. Investments in providing structure around open source software (OSS) grew, focusing on priorities like software composition analysis (SCA) tooling, inventory management, and increased reliance on open source program offices (OSPOs). Compliance with software bill of materials (SBOM) mandates improved. 

The OpenChain project and the OpenChain international standard for open source compliance (ISO/IEC 5230) expanded their reach. Software companies focused on taking proactive safeguards against risk (e.g., training developers and staff on secure development practices and the basics of open-source licensing) to keep up with the shift of applications to the cloud, where they rely heavily on open-source components.

Three Key Software Supply Chain Trends

As open-source software continues to be prominent and drive business strategy, software companies must keep pace with trends impacting the entire software supply chain. Here’s a look at three key trends in this space in 2023, along with suggested steps to keep up.  

1. SBOM requirements are becoming clearer and more consistent 

The May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO), issued in the US by President Biden, kicked things into high gear for SBOMs. We began to see more governmental groups and industries focusing on SBOMs, resulting in more feedback and position papers. Regulations around SBOMs are beginning to crystalize, with a more consistent and common language. The ultimate goal is to facilitate getting business done, regardless of the market(s) your company works in. Progress on SBOMs accelerated more recently after the Biden administration released its National Cybersecurity Strategy in March, which promoted the importance of SBOMs for greater supply chain transparency and positioned more of the burden on software suppliers.

Creating an SBOM is now a universally adopted objective. The industry is working through best practices to make it a byproduct of running your automated build process. Today we’re seeing more discussions around SBOM contexts to better align with various stakeholders. A more holistic look into the deployment environment is required to account for not only your applications, but the environment, infrastructure, and services that support your product’s functionality. There’s also more focus on automatically generated and continuously developed SBOMs, with the objective of automating the process of incrementally updating SBOMs as new releases of your products are pushed to customers.
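One concrete piece of the "continuously developed SBOM" idea above is knowing what actually changed between two releases, so the incremental update and the accompanying security review cover exactly the components that moved. The following is an added example, not code from the article or from Revenera: it diffs two minimal CycloneDX-style JSON SBOMs (constructed sample data) and reports added, removed and version-changed components, keyed by package URL.

```python
import json

# Constructed, minimal CycloneDX-style SBOMs for two releases of a hypothetical
# product (sample data, not real product inventories).
SBOM_RELEASE_1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})
SBOM_RELEASE_2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "axios", "version": "1.4.0", "purl": "pkg:npm/axios@1.4.0"},
    ],
})


def component_identity(component):
    """Version-independent identity: the purl with its '@version' suffix removed.
    npm scopes are percent-encoded (%40) inside a purl, so the only literal '@'
    separates the package name from the version."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    # Fall back to type/name for components that carry no purl.
    return f"{component.get('type', 'unknown')}/{component['name']}"


def index_components(sbom_json):
    """Parse a CycloneDX JSON document into {identity: version}."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {component_identity(c): c.get("version", "") for c in doc.get("components", [])}


def diff_sboms(old_json, new_json):
    """Report which components were added, removed or changed version between releases."""
    old, new = index_components(old_json), index_components(new_json)
    added = sorted((k, new[k]) for k in new if k not in old)
    removed = sorted((k, old[k]) for k in old if k not in new)
    changed = sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    for kind, items in diff_sboms(SBOM_RELEASE_1, SBOM_RELEASE_2).items():
        print(kind, items)
```

The same diff, run inside the build pipeline against the previous release's SBOM, is what turns "regenerate the SBOM" into "review what changed before shipping".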

Action items: 

  • Take a comprehensive look at what your organization can do to support SBOM initiatives. This may involve the OSPO, security and development teams, business units, and potentially input from others across the organization. 
  • Understand your supply chain upstream and downstream. Know your upstream vendors and your downstream partners and customers. As much as possible, try to consolidate on common standards for better interoperability.
  • If you or your supply chain partners sell to the U.S. government, pay attention to the major dates for complying with governmental mandates to ensure that customers aren’t blocked from being able to buy your software. At the time of this writing, the next milestones, as outlined by the Office of Management and Budget (OMB), are June 11, 2023, when agencies need to start collecting self-attestation letters (conformance statements) from their software vendors for anything that’s been flagged as critical software, and September 14, 2023, at which point the self-attestation requirement expands from critical software to all new software. 


2. The drivers of proof of compliance are shifting from internal to external

Proving compliance with software supply chain management best practices was formerly driven primarily by internal motivations. These included managing what was seen as an appropriate level of risk mitigation, keeping up with competitors, or satisfying specific customers.

Today, the motivation to prove compliance is largely external, based on security mandates to do the work. We’re also seeing a growing number of regulatory mentions of OSS in various industries. Just as human safety and manufacturing regulations exist, specificity about OSS and risk mitigation is growing. This kind of externally-driven compliance has long been the norm in some industries, such as automotive, and is becoming more commonplace now in software.

As a result, compliance programs are being revamped to meet regulations, whether they’re industry-specific or government-mandated. An SCA program is no longer about satisfying your own risk tolerance. It must satisfy the needs of your entire ecosystem, including your partners and downstream customers. It also helps frame what you should expect from and agree upon with your upstream partners for consistency across your entire supply chain.

Action items: 

  • Don’t silo compliance initiatives. To deliver on current requirements and best practices, you may need to restructure existing teams or form new cross-functional work groups to address emerging needs across additional stakeholders, along with the R&D teams that operate tools, get and react to data, and handle remediation efforts.
  • Review your existing security and legal controls and ensure they’re adequate per recent regulatory updates. Ensure you adhere to a security framework, such as the NIST secure software development framework (SSDF). Make sure you are consistently running your SCA, SAST, DAST, and other automated test processes. Ensure your OSS license policies are reviewed and updated as needed.
  • Get off your heels and have the resources—people, processes, and technology—in place to proactively provide SBOMs and associated security reports with each product release rather than being interruption-driven by responding to individual customer asks.


3. The next generation of open source is becoming more prominent

More people are aware of—and using—open source. With this growth, the next generation of OSS is becoming more prominent. This takes shape in a few ways, from new methods of engaging with open source to a new generation of license types (such as ethical source licenses, which support human freedom by benefitting the commons, respecting accessibility, prioritizing safety, and protecting privacy). 

How people interact with open source is maturing. Users are progressing from simply using open source for its ease and value, to contributing to open source or creating their own open source projects, and now to a new phase of sponsoring open source projects. 

Additionally, open source is taking on new strategic importance. In a trend that will continue, open source is now part of corporate strategy. It’s part of the development ecosystem at the company and a core tool in the developer toolbox.

Open source is now the rule. Proprietary is the exception.

Action items:

  • Take a cross-organizational look at how you’re using open source. Your OSPO can help coordinate or lead these discussions. Where is open source being used? What organizational decisions can help streamline and secure the use of open source?
  • Evaluate how you will help contribute to the next generation of open source. Determine your organization’s own trajectory from using to contributing to sponsoring open source. Where do you have long-service products that rely on critical open-source components? What can you do to support those communities to ensure security issues are promptly addressed, that projects are adopted over the long term, and that there is longevity in projects critical to your product’s success?

Finding experienced staff in this space can be tricky. Meanwhile, budgets are tightening and workforce reductions are practical realities. In the midst of these challenges, it remains possible to streamline and secure your organization’s software supply chain management initiatives. The time to move your program ahead and not fall behind is now. 

What excites you about the upcoming trends in the software supply chain? Tell us how you’re preparing for them on Facebook, Twitter, and LinkedIn. We’d love to hear from you!

Alex Rybak

Senior Director of Product Management, Revenera

Alex Rybak is a Senior Director of Product Management at Revenera, focusing on their Software Composition Analysis (SCA) solutions. He also heads up Revenera's Open Source Program Office (OSPO) and is a member of the internal cybersecurity and incident response teams for both Revenera and Flexera.