3rd Party Risk Management , Fraud Management & Cybercrime , Fraud Risk Management

How to Manage Software Supply Chain Risks

Trey Herr of Atlantic Council Says Stronger Industry Standards Are Needed
Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council

The threat posed by software supply chain attacks is growing, but organizations can take steps to minimize the risks.

See Also: Unintended Risks Downloaded into Development

Trey Herr, co-author of a study of more than 100 supply chain compromises that was released last year by the Atlantic Council, says attackers, particularly state-affiliated ones, look to compromise roots of trust in the software supply chain.

“We think about software supply chain attacks as being unusual or exotic,” says Herr, director of the Atlantic Council’s Cyber Statecraft Initiative. “Really, there’s been a tremendous number of them over the last decade.”

Herr will present an update on the research on Feb. 2 at Usenix’s Enigma conference, a virtual event.

Herr says what makes the SolarWinds attack stand out is the lateral movement and patience of the attackers (see: SolarWinds Describes Attackers' 'Malicious Code Injection').

Organizations should take steps, including closer vetting of vendor processes, to gain better confidence in their supply chains, Herr says. Meanwhile, vendors need to adhere to baseline security practices. Ultimately, stronger industry standards for how code is authenticated and verified are needed, he says.

In this video interview, Herr discusses:

  • Trends emerging from more than 100 supply chain attacks;
  • What risk-reduction measures organizations can take;
  • How the public and private sectors can improve supply chain security.

Herr is director of the Cyber Statecraft Initiative at the Atlantic Council, which studies how technology is used for strategic objectives. He previously was a senior security strategist at Microsoft covering challenges in cloud computing, supply chain security, data governance and vulnerability disclosure.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.