In today's interconnected world, supply chains are more vulnerable than ever to disruptions.
From cyberattacks to geopolitical tensions and natural disasters, a multitude of risks can cause significant disruptions in the flow of goods and services. For example, in March 2022, a cyberattack on a key Toyota supplier forced the automaker to shut down 14 plants in Japan, disrupting the production of about 13,000 vehicles. The attack demonstrated how disruptions at a single supplier could cascade through the entire supply chain, causing significant financial and operational impacts.
Enterprise software used by companies is one of the key targets for cyberattacks. This ever-growing area of organizational spending is attacked constantly, both for the data it holds and as a vector for ransomware.
A recent example of a software supply chain attack is the compromise of polyfill.io. This popular open-source library (polyfill.js) was loaded from the polyfill.io domain by numerous web applications. After the domain changed hands in early 2024, the new operator began serving malicious code into the pages of end-user applications; on June 25, 2024 the security firm Sansec reported that more than 100,000 sites, some containing sensitive applications and data, were affected. The incident also exposes a blind spot: a script fetched from a third-party CDN at page-load time never passes through the build, so an SBOM generated from the build alone will not list it.
To navigate the complex software supply chain landscape, organizations need to adopt a proactive stance on disruption preparedness, leveraging tools like Software Bill of Materials (SBOM) and Pipeline Bill of Materials (PBOM) while developing customized policies that address or mitigate specific cyber risks.
Both SBOM and PBOM are critical tools that help organizations maintain visibility and control over their supply chains.
An SBOM is a structured list of all components, libraries, and dependencies that make up a piece of software. A PBOM complements it with a dynamic record of everything the software has undergone from code to cloud: the source repositories, build tools, CI/CD steps and artifacts involved in producing it. Together, these documents are essential for understanding and managing supply chain risk in near real time, as they enable organizations to prepare for and respond to disruptions.
For example, the SolarWinds attack in 2020, where attackers inserted malicious code into software updates, highlighted the need for comprehensive visibility into software supply chains. The SUNBURST backdoor was compiled into SolarWinds' own Orion code during the build, so a component list alone would not have flagged it; the value of an SBOM on the consumer side was knowing quickly which systems ran an affected Orion version, while detecting the insertion itself is a pipeline-integrity problem of the kind a PBOM is meant to address.
Another example of the importance of SBOMs is the disclosure of the Log4j vulnerability (Log4Shell, CVE-2021-44228) in December 2021, which affected millions of devices worldwide. Organizations using Log4j had to act quickly to identify and patch every affected instance. Those with detailed SBOMs could query them for log4j-core and its version and were better positioned to respond, while others spent days locating affected systems and remained exposed to exploitation once the vulnerability was public.
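The kind of query an SBOM makes possible in the Log4j case, as an added example that is not part of the original article or of any vendor's tooling: a small Python script that walks a CycloneDX-format SBOM (constructed inline, not taken from any real product) and reports every log4j-core component whose version falls inside the affected ranges for CVE-2021-44228. The ranges follow Apache's advisory (2.0-beta9 through 2.14.1 affected; fixed in 2.15.0, with 2.12.2 and 2.3.1 as backport fixes); the version-comparison helper and the matching rule are simplifications of my own and assume Maven-style version strings.

```python
import json
import re
from typing import Iterator

# Constructed CycloneDX 1.5 SBOM (not from any real product) with one nested
# component, since CycloneDX lets an application list its own components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.12.2",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
        # Log4j 1.x has different coordinates and is outside CVE-2021-44228's scope.
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17",
         "purl": "pkg:maven/log4j/log4j@1.2.17"},
        {"type": "application", "name": "shop-service", "version": "3.1.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.13.3",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3"},
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.17.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
         ]},
    ],
})

# Affected ranges for CVE-2021-44228 on log4j-core as [introduced, fixed),
# following the Apache advisory: 2.0-beta9 through 2.14.1 is affected, with
# 2.15.0 plus the 2.12.2 (Java 7) and 2.3.1 (Java 6) backports as fixes.
LOG4SHELL_PURL_PREFIX = "pkg:maven/org.apache.logging.log4j/log4j-core@"
LOG4SHELL_RANGES = [
    ("2.0-beta9", "2.3.1"),
    ("2.4", "2.12.2"),
    ("2.13.0", "2.15.0"),
]

# Simplified Maven-style version grammar (assumption): digits, dots, optional
# "-<word><number>" pre-release suffix such as "-beta9".
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def version_key(version: str) -> tuple:
    """Sortable key for versions such as '2.14.1', '2.4' or '2.0-beta9'."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))            # '2.4' compares as 2.4.0
    # A pre-release ('beta9') sorts before the final release of the same number.
    pre = (0, m.group(2).lower(), int(m.group(3) or 0)) if m.group(2) else (1, "", 0)
    return (tuple(nums), pre)


def is_affected(version: str, ranges) -> bool:
    """True when version falls inside any [introduced, fixed) range."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in ranges)


def iter_components(node: dict) -> Iterator[dict]:
    """Walk the BOM's component tree depth-first, including nested components."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def find_log4shell(sbom_json: str) -> list:
    """Return (purl, version) for every log4j-core component in the affected ranges."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in iter_components(bom):
        purl = comp.get("purl", "")
        # Match on the package URL; fall back to group/name when purl is absent.
        is_core = purl.startswith(LOG4SHELL_PURL_PREFIX) or (
            comp.get("group") == "org.apache.logging.log4j"
            and comp.get("name") == "log4j-core")
        if is_core and is_affected(comp.get("version", "0"), LOG4SHELL_RANGES):
            hits.append((purl or comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    for purl, version in find_log4shell(SAMPLE_SBOM):
        print(f"AFFECTED by CVE-2021-44228: {purl} ({version})")
```

Matching on the package URL rather than the display name matters: the same library can sit several levels down as a nested component of an application inside the BOM, and a flat text search for "log4j" would also pull in log4j-api and Log4j 1.x, neither of which is in scope for this CVE. Expressing the fix as several [introduced, fixed) ranges rather than a single "less than 2.15.0" test is what keeps the 2.12.2 and 2.3.1 backports from being reported as affected.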
The PBOM extends beyond the SBOM as a tool for both software and supply chain management. Most critically, it focuses on the software development pipeline, exposing the tools and artifacts that engineers use to compose applications. By maintaining a detailed inventory of all software components, dependencies and materials used in software development, a PBOM allows organizations to:
Organizations must recognize that one-size-fits-all policies are no longer sufficient in today's complex supply chain environment. Customized policies are essential to address the unique risks arising from an organization's industry, geography, regulatory requirements, and specific business needs. Here are some examples of what these policies should include:
Given the increasing complexity and interconnectedness of supply chains, organizations must adopt a multi-layered approach to disruption preparedness. Here are some key strategies: