Tag Archives: SCRM

Government is No Better at Managing Supply Chain Risk Than we Are

The GAO, formerly known as the General Accounting Office, works for Congress and does studies of how horribly inefficient the government is. In theory, that is so Congress can create new laws to make them do what any sensible organization would do without the laws. Here is one example.

The GAO reviewed the supply chain security practices of 23 federal agencies for information and communications technology (ICT) products and services (what you and I call networks and computers). It identified 7 practices for managing these risks and then graded the agencies on how they were doing. What it found was:

  • Few implemented the practices
  • None had FULLY implemented the practices
  • 14 had implemented NONE of the practices

Feel better? The only downside is the government gets hacked too – as we have seen very publicly lately.

Here are some of the highlights from the report.

Here is where these agencies' products come from. This is not where the vendor's sales office is, but rather where the product is actually made.

Figure 1: Examples of Locations of Manufacturers or Suppliers of Information and Communications Technology Products and Services

Even the practice implemented by the largest number of agencies was implemented by only 6 of the 23. OUCH!

So then they tallied up the results. Here is what they found:


Notice all the white in the GAO's summary chart? White means the agency has not implemented any part of that practice to reduce its risk. The vast majority of the agencies are asleep at the switch.

The most common excuse given was "no one told me how to do this" or something close to that. So a billion dollar agency, apparently, needs to be treated like a toddler and told how to do its job. Let's ignore for the moment that NIST issued guidance in 2015 and OMB told all agencies to implement supply chain risk management (SCRM) in 2016. But no one held their hand. Or, until now, swatted their behind.

Most agencies, when called on the carpet by the GAO, said "oh, my bad, I will fix that" (yeah, maybe). A few said bug off. Those are the ones who should not be allowed to use computers or networks.

Here are the 7 practices that the GAO asked about. See how many of these you are doing company-wide.

  1. establishing executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities;
  2. developing an agency-wide ICT SCRM strategy for providing the organizational context in which risk-based decisions will be made;
  3. establishing an approach to identify and document agency ICT supply chain(s);
  4. establishing a process to conduct agency-wide assessments of ICT supply chain risks that identify, aggregate, and prioritize ICT supply chain risks that are present across the organization;
  5. establishing a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services;
  6. developing organizational ICT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with ICT products and services; and
  7. developing organizational procedures to detect counterfeit and compromised ICT products prior to their deployment.

Credit: the Government Accountability Office

Open Source – The New Attack Vector

There are people who think open source is the holy grail of software; I am not one of them. Apparently hackers agree with me. So does the Department of Defense, which even has a term for the problem: SCRM, or Supply Chain Risk Management.

Bottom line: developers need to understand that there is a war out there and they are the target. According to Sonatype, the open source tooling and governance company, the use of vulnerable open source components is up 120% over the last 12 months.

Sonatype estimates that there are 1.3 million – yes, million – vulnerabilities in open source software components that are not recorded in the National Vulnerability Database managed by NIST.

Sonatype estimates that the average enterprise downloads 170,000 open source components a year, of which possibly 1 out of 8 have some form of known vulnerability. Sometimes those vulnerabilities get exploited in as little as 3 days.

Developers are still downloading vulnerable versions of Apache Struts (the package behind the Equifax breach): about 80,000 times every month.

Downloads of a vulnerable version of the Spring Framework were around 85,000 a month last year; this year they are still 72,000 a month.

To add insult to injury, hackers are starting to deliberately inject vulnerabilities and backdoors directly into some open source packages. Done cleverly, such a logic bomb might never be discovered.

The point is: this is still a HUGE problem.

So what do you need to do?

#1 – Admit that open source software is far from bug free, even hugely popular packages like Apache Struts.

#2 – Create a SCRM program. The larger the open source package, the harder it is to make sure that it is safe.

#3 – Consider using automated tools (software composition analysis) to detect vulnerable components. Some of the tools are free and others are very expensive, and all of them change the development process. Some of them are built into the tools that developers are already using.

#4 – Create a process for finding out about patch availability. Unfortunately, outside of the most popular open source packages, many are never patched, so you are pretty much on your own.

#5 – Treat open source packages just like code you develop when it comes to code reviews and testing. The only difference is that you can't influence the development process.
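What steps #3 and #4 look like when automated, as an added example that is not from the original post, from Sonatype, or from The Register: a minimal software composition check that reads a dependency inventory, matches each component against an advisory feed with OSV-style "introduced"/"fixed" version ranges, and produces an upgrade plan. The dependency listing (shaped like `mvn dependency:list` output), the advisory entries, their ADV-xxxx identifiers and the version ranges are all constructed for the demonstration and are not real vulnerability data; a real program would pull the feed from the NVD, OSV or a commercial source.

```python
# Added example: a minimal software composition analysis (SCA) check.
# All package names, versions and advisory IDs below are CONSTRUCTED for
# illustration; they are not real vulnerability records.
import re
from dataclasses import dataclass

# Matches one line of `mvn dependency:list` output:
#   [INFO]    group:artifact:type:version:scope
DEP_LINE = re.compile(r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+):(\w+)")

# Constructed sample inventory (not real project data).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.30:compile
[INFO]    org.springframework:spring-core:jar:4.3.5.RELEASE:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.7:compile
[INFO]    org.springframework:spring-web:jar:5.0.5.RELEASE:compile
[INFO]    com.example:legacy-parser:jar:1.4.2:compile
"""

# Constructed advisory feed in OSV-like shape: a component is affected when
# introduced <= version < fixed; a range with no "fixed" is still open.
ADVISORIES = [
    {"id": "ADV-0001", "package": "org.apache.struts:struts2-core",
     "ranges": [{"introduced": "2.3.5", "fixed": "2.3.32"},
                {"introduced": "2.5", "fixed": "2.5.10.1"}]},
    {"id": "ADV-0002", "package": "org.springframework:spring-core",
     "ranges": [{"introduced": "4.3.0", "fixed": "4.3.6"}]},
    {"id": "ADV-0003", "package": "org.springframework:spring-core",
     "ranges": [{"introduced": "4.0.0", "fixed": "4.3.8"}]},
    {"id": "ADV-0004", "package": "org.springframework:spring-web",
     "ranges": [{"introduced": "5.0.0", "fixed": "5.0.5"}]},
    {"id": "ADV-0005", "package": "com.example:legacy-parser",
     "ranges": [{"introduced": "1.0"}]},  # no fix published
]


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str

    @property
    def name(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_version(v: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1). Qualifiers such as '-SNAPSHOT' or
    '.RELEASE' are dropped; only the numeric dotted prefix is compared."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def version_lt(a: str, b: str) -> bool:
    """a < b, with shorter tuples zero-padded so that 2.3 == 2.3.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_dependency_list(text: str) -> list:
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            group, artifact, _type, version, _scope = m.groups()
            deps.append(Dependency(group, artifact, version))
    return deps


def affected(version: str, rng: dict) -> bool:
    """OSV range semantics: introduced <= version < fixed."""
    if version_lt(version, rng["introduced"]):
        return False
    return "fixed" not in rng or version_lt(version, rng["fixed"])


def find_vulnerable(deps: list, advisories: list) -> list:
    """One finding per (dependency, advisory range) hit."""
    findings = []
    for dep in deps:
        for adv in advisories:
            if adv["package"] != dep.name:
                continue
            for rng in adv["ranges"]:
                if affected(dep.version, rng):
                    findings.append({"dependency": dep.name, "version": dep.version,
                                     "advisory": adv["id"], "fixed": rng.get("fixed")})
    return findings


def upgrade_plan(findings: list) -> dict:
    """Lowest version of each package that clears every hit: the highest
    'fixed' version among its findings. None means no fix exists, so the
    component must be replaced or mitigated rather than upgraded."""
    plan = {}
    for f in findings:
        name, fixed = f["dependency"], f["fixed"]
        if fixed is None or plan.get(name, "") is None:
            plan[name] = None  # an unfixed advisory dominates everything
        elif name not in plan or version_lt(plan[name], fixed):
            plan[name] = fixed
    return plan


def scan(text: str, advisories: list = ADVISORIES) -> tuple:
    findings = find_vulnerable(parse_dependency_list(text), advisories)
    return findings, upgrade_plan(findings)


if __name__ == "__main__":
    findings, plan = scan(SAMPLE_DEPENDENCY_LIST)
    for f in findings:
        print(f"{f['advisory']}: {f['dependency']} {f['version']} (fixed in {f['fixed']})")
    for name, target in plan.items():
        print(f"upgrade {name} -> {target or 'NO FIX AVAILABLE'}")
```

The boundary cases are the ones that matter in practice: `spring-web 5.0.5.RELEASE` is exactly the fixed version and must not be flagged, `spring-core` is hit by two advisories and the plan picks the higher fix, and `legacy-parser` has no fix at all, which is the situation #4 warns about. Run this in CI against the real inventory (`mvn dependency:list`, `pip freeze`, a lockfile) and fail the build on any finding.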

Information for this post came from The Register.