How to Manage Supply Chain Risks
Chet Wisniewski of Sophos Offers Insights on Mitigation
Agile environments benefit from development platforms and open-source software, but that also raises the risks of attacks seeded in those supply chains, says Chet Wisniewski of Sophos, who describes steps that organizations can take to mitigate the risks.
Almost all organizations are using technologies such as containers and frameworks such as Node.js or the equivalent frameworks for Python, he says. That allows organizations to start from pre-built software templates and add their own custom code, speeding development. But that can come at a price.
"The problem is more and more of that stuff is getting poisoned with backdoors," Wisniewski says in an interview with Information Security Media Group. "So it really requires careful software review, but unfortunately that kind of goes against the whole purpose of originally doing it [agile development]."
Wisniewski says the most important step organizations can take to secure their supply chains is to ensure multifactor authentication is used internally as well as by their suppliers. Credential theft is one of the most common ways that organizations are compromised, he says. Also, organizations should work supply chain reviews into their cybersecurity plans, he recommends.
In this interview, Wisniewski discusses:
- Why supply chain risk has increased in recent years;
- How to evaluate the risk a vendor may bring to your environment;
- The most important steps to take to manage supply chain risk.
Wisniewski is principal research scientist at Sophos, where he has worked for the last 16 years. His role includes research, public speaking and writing on computer security trends and threats.