October 4, 2022

Last Updated on January 19, 2024

Are supply chain risk management (SCRM) and third-party risk management (TPRM) two terms that mean the same thing? Or is there an important distinction between them?

To discuss software supply chain risk and strategies for managing it, a recent episode of The Virtual CISO Podcast features Willy Fabritius, Global Head of Strategy & Business Development, Information Security Assurance at SGS. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

How deep is your due diligence?

If your org has a third-party risk management program you might think you’ve got supply chain risk covered. But both Willy and John emphasize the importance of digging into key vendors’ own risks and how these could manifest against your business. And what about the impacts of critical vendors’ risks on each other?

“It’s definitely important to note that supply chain risk assessment is really talking about supply chain,” underscores Willy. “It’s not just talking about my suppliers, it’s also talking about the suppliers to my suppliers, to my suppliers. So third, fourth, fifth level.”

Taking a deeper look is especially critical with software supply chain risk, because so much code calls third-party scripts, which in turn call other scripts, and so on. It’s key to trace back the code’s execution path, as well as reviewing the code providers. Who are they and where are they?

The threat is real

The threat of malicious or noncompliant code embedded in (or called by) our production software is obviously real.

Willy cites a recent example from Europe around GDPR compliance and Google Fonts. Google makes “free” fonts available for use on websites. If your website uses API calls to display those fonts, those API calls pass site visitors’ IP addresses to Google “under the table.”

IP addresses are considered personally identifiable information (PII), and collecting that without authorization and without a legitimate reason for doing so violates GDPR. In this instance the defendant, an unidentified website, received a token fine. Continued improper use of Google Fonts could land them—or any of the millions of other sites calling the Google Fonts API—a much bigger fine and/or a prison term.

“That is for me a wonderful example of how risk assessment was not done, and nobody really understood what it means to use something free from Google,” Willy cautions. “And that could happen with any and all software providers.”

Understanding relationships among suppliers

Another distinction between SCRM and TPRM is the nontraditional risks to be considered. Like, are both your outsourced call centers in the Philippines? That could create unacceptable risk from catastrophic weather or seismic events.

Dealing with these risks at the intersection of multiple suppliers takes a multidisciplinary approach across risk teams and viewpoints.

“A multidisciplinary [risk assessment] approach is key,” Willy observes. “Because in some cases it might be an availability issue, in some cases it might be a confidentiality issue. It comes down to really understanding the integrated and connected relationships within your suppliers.”

What is your software supplier’s SBOM?

Consider a case common in software supply chains where multiple APIs all call the same AI module. If the AI is down, calling alternative APIs might not help unless you confirmed they call different AI modules.

“What is the software bill of materials (SBOM) of the services we are using?” Willy relates. “There’s a lot of talk about SBOM in the software development world, which is cool. But I also think the same principle should be applied to our service providers when it comes to software as a service.”

“It comes down to the people who are using technology are not necessarily well versed and well educated in understanding how that technology actually works,” recaps Willy. “You and I don’t really need to understand how Siri works. But when it comes to very sophisticated technical applications in a corporate environment, the users should really understand how those things work, and what the implications are of using one technology over the other.”

What’s next?

To catch the whole show on software supply chain risk management with Willy Fabritius, click here.

Is there a way to mitigate unanalyzed supply chain risk? Attack surface management offers one approach: How Attack Surface Management Can Help Reduce Supply Chain Security Risks