Third-party security risk management is a key focus area for boards and senior management across organisations. In the last year, there has been a sharp rise in one of the third-party security risk use cases: software supply chain attacks. Regulatory scrutiny, including US Presidential Executive Order 14028 and the DHS Software Supply Chain Risk Management Act 2021, is expected to increase in the near future. This report introduces the Software Supply Chain Security (SSCS) topic and the key challenges any organisation faces in managing SSCS risk, including generation and visibility of a Software Bill of Materials (SBOM), contractual requirements between software product suppliers and consumers, provenance, and governance. The PoV outlines a security control framework aligned to industry leading practices, incorporates suggestions from NIST to help organisations assess SSCS risks, and recommends first steps that software product suppliers and consumers should take towards commencing their SSCS journey.