Comments by: Tim Mackey, Principal Security Strategist, at Synopsys Cybersecurity Research Centre (CyRC)
Traditionally, cybersecurity incidents have involved direct attacks between malicious actors and their victims. The Threat Landscape for Supply Chain Attacks report highlights an important shift in cybercriminals’ tactics – indirectly targeting their victims through the software of their trusted third-party suppliers and service providers.
With businesses becoming increasingly reliant on complex software supply chains, this is an important trend to follow, and one that should be factored into any cyber-risk management plans. The importance of this is underscored in the report, which found that 2/3 of the software suppliers were unaware that they’d been compromised.
Considering the importance of application security practices in most software companies, this lack of awareness points to a gap in process: a gap where threat models likely need revising to account for how software supply chains work, and one that calls for an objective review of security initiatives such as the taxonomy maintained by the BSIMM community.