How to Manage Software Supply Chain RisksTrey Herr of Atlantic Council Says Stronger Industry Standards Are Needed
The threat posed by software supply chain attacks is growing, but organizations can take steps to minimize the risks.
Trey Herr, co-author of a study of more than 100 supply chain compromises that was released last year by the Atlantic Council, says attackers, particularly state-affiliated ones, look to compromise roots of trust in the software supply chain.
“We think about software supply chain attacks as being unusual or exotic,” says Herr, director of the Atlantic Council’s Cyber Statecraft Initiative. “Really, there’s been a tremendous number of them over the last decade.”
Herr says what makes the SolarWinds attack stand out is the lateral movement and patience of the attackers (see: SolarWinds Describes Attackers' 'Malicious Code Injection').
Organizations should take steps, including closer vetting of vendor processes, to gain better confidence in their supply chains, Herr says. Meanwhile, vendors need to adhere to baseline security practices. Ultimately, stronger industry standards for how code is authenticated and verified are needed, he says.
In this video interview, Herr discusses:
- Trends emerging from more than 100 supply chain attacks;
- What risk-reduction measures organizations can take;
- How the public and private sectors can improve supply chain security.
Herr is director of the Cyber Statecraft Initiative at the Atlantic Council, which studies how technology is used for strategic objectives. He previously was a senior security strategist at Microsoft covering challenges in cloud computing, supply chain security, data governance and vulnerability disclosure.