Recent events, including the SolarWinds hack and President Biden's cybersecurity executive order, have sparked investment in software supply chain security. Established vendors and startups alike are joining the fight as organizations start to think about the technologies needed to combat this security challenge. One particular risk that is often overlooked, however, is the people part of the equation: insider threats.
Traditional insider threats across the supply chain
The risks associated with insider threats grow as the software supply chain extends to partners, third-party contractors and freelancers. Once data and users move past an organization's development and support teams, they become harder to control. Vetting third parties' security measures is therefore critical, though not always easy.
Many large outsourcing firms have insider threat programs because they work at a scale where such countermeasures are a cost of doing business. Details about the firm's insider threat program and other internal security measures must be part of the client's due diligence and contractual negotiations. Yet even with contractual stipulations in place, it is difficult for clients to verify a vendor's security practices in action.
Vetting smaller firms, individual contractors and freelancers comes with its own challenges. If a company sources contractors through a third-party staffing firm, it can ask for background investigations, but those only surface a documented criminal record in the firm's or the person's past. Organizations should also check client references on their suppliers, though these may not turn up much either. Don't hesitate to use back-channel references to verify the quality of a firm.
Preventing insider threats across a software supply chain takes more than partner agreements and employee training, however. One option is Supply Chain Levels for Software Artifacts (SLSA), a framework for protecting software supply chain integrity modeled on Google's internal Binary Authorization for Borg (BAB). Google uses BAB as a deployment-time enforcement check: before code is allowed to run, it verifies that the artifact was built and reviewed the way policy requires. Organizations can adopt SLSA's provenance and build-integrity requirements to the same end, so that no single developer, insider or not, can get an unreviewed build into production on their own authority.
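What a BAB-style deployment gate looks like in practice, as an added example that is not Google's, SLSA's or the article's own code: a small Python policy check that refuses to deploy an artifact unless a SLSA v1 provenance statement names its exact digest, was produced by a trusted builder and describes a build from an approved repository and branch. The artifact bytes, the provenance document, the builder and repository URLs and the policy are all constructed for illustration, and the check assumes the DSSE signature over the statement has already been verified against the builder's public key (that step is outside this block).

```python
"""Deployment-time provenance check in the spirit of BAB / SLSA.

Added example, not code from Google, SLSA or the article. The artifact,
the provenance statement, the builder URL, the repository and the policy
below are all constructed for illustration. The DSSE signature over the
statement is assumed to have been verified against the builder's public
key before this policy runs; an unsigned statement proves nothing.
"""
import copy
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed release artifact that the deployer wants to run.
ARTIFACT = b"#!/bin/sh\necho 'deploying release 1.4.2'\n"

# Constructed SLSA v1 provenance, as a hypothetical shared CI would emit it.
PROVENANCE = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "deploy.sh",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": PROVENANCE_TYPE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example.com/build/v1",  # hypothetical
            "externalParameters": {
                "repository": "https://github.com/example-org/deploy-tool",
                "ref": "refs/heads/main",
            },
        },
        "runDetails": {"builder": {"id": "https://ci.example.com/builder/v1"}},
    },
}

# Deployment policy: only builds from the shared CI, from an approved
# repository and branch, may run. A build produced on a developer's own
# machine fails the builder check even if that developer is a legitimate
# employee, which is exactly the insider case the gate exists for.
POLICY = {
    "trusted_builders": {"https://ci.example.com/builder/v1"},
    "allowed_sources": {
        "https://github.com/example-org/deploy-tool": {"refs/heads/main"},
    },
}


def check_provenance(artifact: bytes, statement: dict, policy: dict) -> list:
    """Return the list of policy violations; an empty list means admit."""
    violations = []
    if statement.get("_type") != STATEMENT_TYPE:
        violations.append("not an in-toto v1 statement")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        violations.append("predicate is not SLSA provenance v1")

    # 1. Bind the provenance to *this* artifact by digest, never by file name.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        violations.append("artifact digest not listed in provenance subject")

    predicate = statement.get("predicate", {})
    # 2. Only a builder the organization controls may vouch for a build.
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        violations.append(f"untrusted builder: {builder!r}")

    # 3. The build must come from an approved repository and branch, so a
    #    CI run against a personal fork or feature branch is also refused.
    params = predicate.get("buildDefinition", {}).get("externalParameters", {})
    repo, ref = params.get("repository"), params.get("ref")
    allowed_refs = policy["allowed_sources"].get(repo)
    if allowed_refs is None:
        violations.append(f"repository not approved: {repo!r}")
    elif ref not in allowed_refs:
        violations.append(f"ref not approved for {repo}: {ref!r}")
    return violations


def admit(artifact: bytes, statement: dict, policy: dict = POLICY) -> bool:
    """True when the artifact may be deployed under the given policy."""
    return not check_provenance(artifact, statement, policy)


def tampered_artifact() -> bytes:
    """Constructed insider scenario: the file was edited after the CI build."""
    return ARTIFACT + b"# modified after build\n"


def developer_signed_provenance() -> dict:
    """Constructed insider scenario: provenance from a workstation build."""
    p = copy.deepcopy(PROVENANCE)
    p["predicate"]["runDetails"]["builder"]["id"] = "https://laptop.example/dev-alice"
    return p


if __name__ == "__main__":
    print("CI build admitted:", admit(ARTIFACT, PROVENANCE))
    print("tampered artifact:", check_provenance(tampered_artifact(), PROVENANCE, POLICY))
    print("workstation build:", check_provenance(ARTIFACT, developer_signed_provenance(), POLICY))
```

The two constructed failure cases are the ones that matter for insider risk: a post-build edit changes the digest so the provenance no longer covers the file, and a build on someone's laptop carries a builder identity the policy does not trust, however valid its signature. Real deployments would fetch the statement from the artifact registry and verify its DSSE envelope first, then run a check of this shape.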
Geopolitical effects on startups and established firms
Events in Ukraine, a hotbed of innovative engineering talent, are a reminder that geopolitical conflict also affects software supply chain security. If a company's or a supplier's employees and their families are in harm's way, concern for them comes first; it's only human. At the same time, the organization needs measures to secure data and intellectual property, such as source code and documentation, that remain accessible from the area of conflict.
Organizations should ask partners or vendors about their continuity of operations (COOP) plans for such black swan events. Suppose, for example, an organization relies on GitHub or GitLab for code repositories and collaboration. It should have a process ready to secure the accounts of users in affected areas, including revoking access tokens and SSH keys where a device may have been lost or seized. Vendors and suppliers should also run COOP drills to keep employees and partners up to date on the process.
Open source software protests
Debates abound around open source software (OSS) security, especially since the events in Ukraine. If an organization's enterprise software has OSS dependencies, it must be conscious of the people who contribute to those projects. Recently, pro-Ukrainian sentiment was behind the sabotage of an npm package, a reminder that a maintainer's protest becomes a supply chain incident for every downstream user of the package.
While OSS facilitates a collaborative community, there are signs of growing friction between OSS maintainers and the for-profit corporations that use OSS as a foundation for critical internal software and for software they sell to customers. Organizations should bolster their open source programs, as well as the teams that provide governance and support for open source tools. For example, they should dedicate staff to OSS community outreach and treat the onboarding of each new OSS dependency as a software supply chain security practice in its own right.
The 'Great Resignation' hitting suppliers' best developers and engineers
Many third-party suppliers are feeling the effects of the "Great Resignation." Organizations must ensure their suppliers have processes that prevent departing employees from taking source code or documents with them to their next job.
Ensure partners have a documented and auditable offboarding process for their developers and other technical staff, one that revokes repository, build and cloud access on the employee's last day rather than weeks later. Likewise, ask suppliers what security training, such as secure coding practices, they give developers during onboarding. Large outsourcing firms have the resources to govern onboarding and offboarding of programmers and engineers, but smaller vendors, such as regional professional services firms, may not have formal processes.
As software supply chain security draws attention from the cybersecurity and investment communities, enterprises must not lose sight of the main rule of security: People are the weakest link. While new technologies will garner market attention, organizations must consider the risk of insider threats and keep people at the center of their software supply chain strategies.