The software supply chain is an increasingly sensitive part of business. Companies and regulators are now keenly aware of the dangers that can spring from the dependencies that run between software and international commerce.

At the same time, the medium sized software businesses, IT providers and SaaS companies that sit along that supply chain are under incredible pressure to assure their clients and regulators that they will not become the weak link in the chain.

These organisations sit in the middle of the supply chain. On one end, they ingest potential risk through the components and tools they use. On the other, they can pass it on to customers if they can’t ensure mature AppSec practices – thus spreading that supply chain insecurity to the next link in the chain.

Regulators and clients increasingly expect iron clad AppSec assurance and thorough evidence of compliance. The ability to do both will be critical to the success and survival of any software producing SME.

Supply chain risks in basic development practices

Developers rely on third-party components as a fundamental practice. Application development depends on it to the point that 70% to 90% of source code is supposedly made up of open-source components. While this practice is ubiquitous, it comes with significant risks.

The components that populate open-source resources are often outdated, contain vulnerabilities and are sometimes maliciously infiltrated by threat actors. A case can be seen recently in which attackers hijacked the Node Package Manager (NPM) accounts of the widely used Axios library, publishing new “legitimate” versions with a Remote Access Trojan (RAT) to unsuspecting developers. These dependencies on which software development relies – while unmonitored or tested – can quickly become catastrophic supply chain risks.

AI’s double edge

The same is true of AI resources. Many developers are now embedding AI services into their own applications and using LLMs and AI tools to build them.

AI supply chain risks can come through any channel where AI is employed. For example, if a model’s training data is poisoned, that model will pose supply chain risks to the apps that leverage it.

At the same time, many applications use AI plugins which don’t just return data but actually perform actions on a system. If those actions can’t be tightly restricted, they’ll pose a supply chain risk via potential privilege escalation or lateral movement.

Of particular importance are the APIs that connect those models to applications. If misconfigured, or inconsistent authentication is applied through chained services, these can directly expose systems to the open internet or even leak secrets.

AI may yet be transformative for application developments, but these systems are complex and multi-faceted, there are a myriad of ways that they can inadvertently pose supply chain risks or be maliciously exploited. As such, this needs to be a key focus for AppSec and developers when employing this nascent technology.

Assurance is now the cost of business

For software producing SMEs, these kinds of risks are make or break. In fact, if one of these companies forms a true supply chain risk, they might even be locked out of certain markets entirely.

Regulations like the EU’s Digital Operational Resilience Act (DORA), Network Information Systems 2 (NIS2) and the EU AI Act all take aim at the software supply chain. Although most of these only apply to large or systemically critical organisations, they make compliant organisations liable for the security of their third parties, compelling them to engage in regular audits and tests of their resilience. In fact, they even demand that audit and security requirements be added to SLAs and contracts. On top of that, they also suggest that software providers be made to detail the build decisions, dependencies and components used within the software they provide to compliant organisations.

Similar things are happening with insurers, who often require that an insured company’s third parties be regularly vetted in order to justify premiums and preserve insurance policies.

As a result, audits have risen sharply and Software Bills of Materials (SBOMs) are often now demanded as a matter of course.

This means that huge pressure is bearing down on medium-sized software producing organisations, like SaaS companies, software vendors, and IT suppliers. They are now expected to provide clear transparency about their build decisions and provide ironclad AppSec assurance that they won’t push a customer out of compliance.

Supply chain security assurance is effectively becoming a condition of engagement for many enterprises. For many of the midmarket software companies that rely on them, this needs to become a strategic imperative. That means getting a mature and effective AppSec programme in place.

Mitigating risk with runtime context

For these companies, the way to understand whether the applications they’re producing contain – or produce – supply chain vulnerabilities will be through a unified context-aware platform that can show how a deployed application acts in a live environment.

Many AppSec programmes are fragmented and overly reliant on tools and scanners which spit out alerts and findings without context or confirmation that those vulnerabilities are exploitable in runtime. That arrangement ultimately blinds AppSec efforts to the real risk they’re ingesting or spitting out.

A strategic view that can actually illuminate risk can be attained with a unified Application Security Posture Management (ASPM) platform. These go beyond merely hosting vulnerability scanners. They plug into the broader environment to correlate data and incorporate environmental context from across the Software Development lifecycle (SDLC), showing how and what is exploitable in live environments.

It’s only by seeing how an application functions in runtime that true vulnerability can be established and potential supply chain risk can be stamped out. With that capability in hand, software producing mid-market organisations can ensure that they are not only using insecure components or have written insecure applications but that they can release them to clients without worry. Crucially, ASPM platforms also collect the data necessary to demonstrate precisely that assurance to auditors and clients.

Securing the link

Given the deep interconnection that characterises today’s business world, supply chain risks are a real threat. Even well-resourced and well-defended enterprises often discover a fatal achilles heel in an insecure third party. The fact that companies now want to make sure their IT service providers and software suppliers aren’t a source of risk, is an understandable motivation.

Their software suppliers and IT service providers now have to adapt and ensure that their AppSec processes are mature enough to thoroughly assure and clearly demonstrate that they won’t endanger their customers. For them, that assurance is no longer just a matter of best practice or ethical business, but of success and ultimately, survival.