Untangling the web of supply chain security with Tony Turner

Decades ago, Tony Turner, CEO of Opswright and author of Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, faced an SQL Slammer worm. Having been one of the 75,000 infected users, he called upon his skills and risk management experience, to ensure his team will be ready for when the next attack comes.

During his 25-year career in supply chain security and product security, he became an expert in engineering, security, and product design and he even served as the VP of R&D at Fortress. Today, he is the chapter leader at OWASP and a thought leader on the topic of supply chain security.

Understanding the product security supply chain

Everything we do in product security is part of somebody else’s supply chain. Manufacturers’ ability to secure products is directly influenced by the security measures of the entire supply chain. “I think most organizations know that they need to do something about supply chain security but they don’t necessarily know what that means,” Tony Turner said on the Left to Our Own Devices podcast.

The security of the product supply chain and third-party vendors has evolved beyond facility assessment, intellectual property tracing, and data security work. SBOMs, combined with firmware and binary analysis, have contributed to the increased awareness in recent years. But it’s not enough.
Many manufacturers still don’t understand that the risk has been expanded to every person who touched the source code along the way.

Today’s supply chain cybersecurity

When everything is interconnected, every decision to patch or not patch a vulnerability affects the product’s security. “We all have upstream and downstream relationships with other entities,” said Tony. Just as OEMs are relying on vendors to conduct operations with proper cybersecurity hygiene, vendors have to turn to their supply chain and ensure that they’re conducting best practices as well. This goes beyond deployment to responding to new threats in their supply chain in a timely manner.

The gap between small vendors and big manufacturers

Supply chains go through small vendors before they end up in products built by big manufacturers. However, the small vendor’s knowledge and ability to provide adequate security measures are limited. “They can be 10-man shops and they don’t know the first thing about cybersecurity,” said Tony. You could say SBOMs are the answer but it’s not exactly the case.

Tony continued, “Looking at the software side of supply chain management, it’s much bigger than just SBOMs alone. When you speak to some of the smaller vendors, they don’t even know what an SBOM is– and they’re not required by law yet,” said Tony “At the same time, we’ve heard from some very big manufacturers that they’re already requiring that any component they receive comes with an SBOM.” Even with the growing awareness of SBOMs, software supply chains are still far from holistic and effective implementation is needed.

The biggest challenge in the collaboration between asset owners and manufacturers

On top of the need for knowledge and security tools companies also need to invest time and money they may not have available– and someone has to pay. “Asset owners need to understand that there’s a financial reality to putting additional requirements on the manufacturer. They wind up becoming a premium feature in the products that consumers are buying.”

Expanding on this point, Tony shares the advice he gives his suppliers. “What I’m asking my suppliers to do is to take the time to create a program to get the process in place. Get the people hired and execute these things that they’re being asked to do while understanding that these costs will be rolled onto the end consumer. When product security becomes standard practice, the cost will be built into the cost models.” This could only happen when manufacturers put security in the same priority as functionality.

Prioritizing security in the product lifecycle

Cybersecurity is rarely a concern until the validation portion of the product development process. Product developing engineers aren’t prioritizing cyber security at the earliest stages of development. Until product security requirements don’t rise in status alongside functional and operational requirements, the struggle for a secure connected world will continue to slip out of grasp.

“As you’re validating the design, you might do a threat model or some other kind of activity but it’s very rare that in the front end of the requirements gathering of that product, that security has equal footing with the functional and operational requirements,” says Tony.

Gaining customer trust by unburdening companies

As manufacturers and consumers of connected products, we look for some kind of insurance that proves the product we intend to use is safe. Yet, not all vendors and manufacturers have the knowledge, financial ability, or human resources to continuously go over every component in their software and hardware.

As SBOMs are becoming the standard framework for product security, managing SBOMs burdens many organizations. Tony brought up an interesting solution that may unburden organizations and invoke trust in clients that are interested in working together. “If I don’t trust my vendor, then I have a third party that I can work with and they can answer these questions for me and I can trust them. Third-party solution providers can take that burden.” In the future, it’s likely that these third parties will be providing trust by granting certificates to players in the security ecosystem. It’s safe to assume they will heavily rely on SBOMs.