How Data Theorem protects software supply chains

Since successful and highly publicized attacks against companies like Solarwinds and Kaseya and open source offerings like Log4j, software supply chains have become a prime target for cyberattackers. By delivering “the first attack surface management (ASM) product,” as Data Theorem claims, the vendor specializing in software application security wants to solve the problem. Called Supply Chain Secure, the SaaS solution helps fight against threats that can weigh on the entire application stack, from APIs, cloud services, SDKs, to open-source software.

According to Data Theorem, its offering is able to counter threats through continuous runtime analysis and dynamic inventory discovery, which goes beyond traditional static analysis of source code and usage. a software nomenclature (Software Bill of Materials, SBOM). “An Attack Surface Management (ASM) market is beginning to emerge because there is insufficient way to deal with software vendors, vendor control and third-party source code,” explained Doug Dooley, COO of Data Theorem. “This was demonstrated by the issues behind the Solarwinds, Log4j and Spring4Shell attacks,” he added. “We take into account an element that, until now, was not integrated into the management of the attack surface”, further declared Doug Dooley.

Ongoing discovery of third-party applications and tracking of vendors

Currently, to combat threats, most software supply chain security solutions rely on vendor management or software composition analysis. However, this approach suffers from a shortcoming, as it often does not have access to mobile, web, cloud and business software, nor does it have access to third-party APIs. Supply Chain Secure seeks to fill this gap by offering continuous discovery of third-party applications and dynamic tracking of third-party vendors. The product can automatically categorize assets under known vendors, let customers add new vendors, categorize individual assets under any vendor, and alert when policy violations and high rates of third-party vendor integration into key applications increase.

The solution also improves the accuracy of SBOM software bills of materials used to identify third-party components in an application. Therefore, it ingests software BOMs provided by vendors and compares them to an SBOM generated by Supply Chain Secure based on runtime analysis of an application. “Typically, the vendor’s SBOM is inaccurate or has been at some point, so there’s a gap between the vendor documentation and what’s actually in production,” Dooley said. “Clients are always shocked at how different their documentation is from what an attacker might see on the internet,” he added.

Lasting disruptions

“Everyone uses third-party software to build their business software. Therefore, supply chain disruptions will continue, and we need better technology to deal with it. It will never be possible to put an end to it”, explained the director of operations of Data Theorem. “The question is how long does it take to notice the problem and how do you mitigate it?” According to him, no supplier is currently able to offer a perfect solution. “This is the first time this year that the industry has really tried to address this supply chain issue. It will take multiple vendors and multiple smart clients to solve this problem in the years to come,” he added. “Clients are stuck in the throat: They are fighting for solutions because they know that the Log4j flaw was really very damaging, but unfortunately this situation will continue until we make progress in automation discovering these issues in the software supply chain.