In today's interconnected digital landscape, we recognise the intricate interdependencies and complexities that exist within the software supply chain security ecosystem. In recent years, the number of software supply chain security (SSCS) attacks has risen sharply due to:
- Heavy reliance on open-source code and third-party software components, rather than code built in-house, when assembling a software product,
- Multiple vulnerable points throughout the supply chain lifecycle,
- The ability to reach many customers by exploiting a single vulnerable component shared across products, which makes software supply chain attacks inherently more lucrative,
- Limited visibility over the end-to-end software supply chain pipeline,
- A shift in adversaries' attack patterns from 'one to one' to 'one to many'.
As a result, SSCS has emerged as the new frontier in Third-Party Risk Management (TPRM). Further, regulatory scrutiny of SSCS has been steadily rising, and most organisations are not yet mature enough to manage software supply chain risk and regulatory expectations effectively. We aim to provide a service that helps organisations align their SSCS programme with industry-leading practices and meet regulatory requirements such as EO 14028 [1], the DHS Risk Management Act 2021 [2], FDA [3], NCSC Supply Chain Security Guidance [4], ENISA [5], DORA [6], CRA [7], SEBI [8], ACSC Cyber Supply Chain Risk Management Guidelines [9] and MAS [10].
Software Supply Chain Security Use Cases
Note: Multiple use cases may apply to a given organisation. The use cases listed are not mutually exclusive and can overlap depending on the organisation's role.
Software consumers are entities or individuals who use software that is built or published by others.
How can we help?
KPMG in India has developed an industry-leading SSCS service capability along with Lineaje (our technology alliance partner) to help drive operational efficiencies and a better end-user experience in assessing and managing security risk throughout the software supply chain pipeline.
- SSCS programme maturity assessment against industry-leading practices and regulatory requirements such as NIST SP 800-218, BSIMM, EO 14028, DHS, DORA, CRA, etc.
- Design and/or uplift of:
  - SSCS framework, including policy, procedure, standards, and RACI matrix
  - Software criticality assessment questionnaire (SCAQ)
  - SSCS risk assessment control inventory
- Perform criticality and residual risk assessment based on the defined control questionnaire
- Ongoing monitoring:
  - Periodic criticality assessment
  - Periodic SSCS risk assessment
  - Assess each SBOM for risks, compliance violations, and conformance with the SSCS policy framework
  - Monitor and maintain SBOMs for all in-scope software products for each release (major/minor/patch) through the Lineaje platform
  - Notify vendors of identified vulnerabilities so that they fix them and share patches
- Remediation management:
  - Log, track, and monitor the identified vulnerabilities, issues, and associated risks for software products and their supply chains
  - Coordinate with third parties to ensure adequate control(s) are implemented to close the identified gap(s)
Software builders are organisations or individuals who build in-house software for their own use.
How can we help?
KPMG in India has developed an industry-leading SSCS service capability along with Lineaje (our technology alliance partner) to help drive operational efficiencies and a better end-user experience in assessing and managing security risk throughout the software supply chain pipeline.
- SSCS programme maturity assessment against industry-leading practices and regulatory requirements such as NIST SP 800-218, BSIMM, EO 14028, DHS, DORA, CRA, etc.
- Design and/or uplift of:
  - SSCS framework, including policy, procedure, standards, and RACI matrix
  - Open-source management policy
  - SSCS risk assessment control inventory
- Perform SSCS risk assessment, including SBOM review, based on the defined control inventory
- Generate and maintain SBOMs (using the Lineaje platform):
  - Generate SBOMs from source code (as-sourced), the artifact repository (as-built), and containers (as-deployed), covering the full open-source dependency chain and third-party components
  - Update SBOMs automatically for each release (major/minor/patch)
- Assess and monitor open-source code/systems:
  - For well-maintained code: analyse, prioritise, and coordinate with the developer to fix the vulnerable components
  - For unmaintained code: analyse, prioritise, and drive the developer to fix the vulnerable code/components
- Assess and monitor proprietary code: analyse, prioritise, and coordinate with the developer to fix the vulnerable code/components
- Remediation management:
  - Log, track, and monitor the identified vulnerabilities, issues, and associated risks for software products and their supply chains
  - Coordinate with the developer to ensure adequate control(s) are implemented to close the identified gap(s)
Software publishers are organisations or individuals who develop and distribute software to consumers or other businesses.
How can we help?
KPMG in India has developed an industry-leading SSCS service capability along with Lineaje (our technology alliance partner) to help drive operational efficiencies and a better end-user experience in assessing and managing security risk throughout the software supply chain pipeline.
- SSCS programme maturity assessment against industry-leading practices and regulatory requirements such as NIST SP 800-218, BSIMM, EO 14028, DHS, DORA, CRA, etc.
- Design and/or uplift of:
  - SSCS framework, including policy, procedure, standards, and RACI matrix
  - Open-source management policy
  - SSCS risk assessment control inventory
- Perform SSCS risk assessment based on the defined control inventory
- Software product self-attestation
- Generate, maintain, and share SBOMs (using the Lineaje platform):
  - Generate SBOMs from source code (as-sourced), the artifact repository (as-built), and containers (as-deployed), covering the full open-source dependency chain and third-party components
  - Assess and publish compliant, attested SBOMs for each product and SKU
  - Update SBOMs automatically for each release (major/minor/patch)
  - Share SBOMs with customers, distributors, and ISVs as needed, privately and securely
  - Generate and publish VEX and CSAF advisories and other deployment mitigations so that customers can deploy the application securely
- Remediation management:
  - Log, track, and monitor the identified vulnerabilities, issues, and associated risks for software products and their supply chains
  - Coordinate with the developer to ensure adequate control(s) are implemented to close the identified gap(s)
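The SBOM and VEX workflow described in the builder and publisher lists above (generate as-built and as-deployed SBOMs, assess them against known vulnerabilities, publish VEX so that consumers can suppress findings that do not apply) can be exercised end to end with a small script. The following is an added example, not code from this page, from KPMG or from the Lineaje platform. It uses constructed, minimal CycloneDX-style SBOM and VEX fragments, a constructed vulnerability feed keyed by package URL with placeholder identifiers (EXAMPLE-000n), and only the Python standard library; every document and identifier in it is an assumption made for illustration.

```python
"""Added example: diff an as-built SBOM against an as-deployed SBOM and apply a
VEX document to a vulnerability feed. All documents below are constructed,
minimal CycloneDX-style fragments; the vulnerability IDs are placeholders."""
import json

# Constructed as-built SBOM (what the pipeline produced).
AS_BUILT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "liba", "version": "1.2.0",
         "purl": "pkg:generic/liba@1.2.0"},
        {"type": "library", "name": "libb", "version": "3.0.1",
         "purl": "pkg:generic/libb@3.0.1"},
    ],
})

# Constructed as-deployed SBOM (what is actually running): libb was rolled
# back to an older version and libc was added outside the build.
AS_DEPLOYED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "liba", "version": "1.2.0",
         "purl": "pkg:generic/liba@1.2.0"},
        {"type": "library", "name": "libb", "version": "2.9.0",
         "purl": "pkg:generic/libb@2.9.0"},
        {"type": "library", "name": "libc", "version": "0.4.0",
         "purl": "pkg:generic/libc@0.4.0"},
    ],
})

# Constructed vulnerability feed: purl -> vulnerability IDs (placeholders).
VULN_FEED = {
    "pkg:generic/liba@1.2.0": ["EXAMPLE-0003"],
    "pkg:generic/libb@2.9.0": ["EXAMPLE-0001"],   # fixed in 3.0.1
    "pkg:generic/libc@0.4.0": ["EXAMPLE-0002"],
}

# Constructed CycloneDX VEX from the publisher: EXAMPLE-0003 is not reachable
# in this product, so consumers may suppress it for liba@1.2.0.
VEX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "EXAMPLE-0003",
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"},
         "affects": [{"ref": "pkg:generic/liba@1.2.0"}]},
    ],
})

# CycloneDX analysis states under which a finding needs no action.
NOT_EXPLOITABLE = {"not_affected", "false_positive"}


def components(sbom_json):
    """Return the set of package URLs listed in an SBOM."""
    bom = json.loads(sbom_json)
    return {c["purl"] for c in bom.get("components", []) if "purl" in c}


def split_purl(purl):
    """Split 'pkg:type/name@version' into (name part, version)."""
    base, sep, version = purl.rpartition("@")
    return (base, version) if sep else (purl, "")


def sbom_drift(built_json, deployed_json):
    """Compare as-built and as-deployed SBOMs by package, reporting
    components added outside the build, dropped, or changed in version."""
    built = dict(split_purl(p) for p in components(built_json))
    deployed = dict(split_purl(p) for p in components(deployed_json))
    return {
        "added": sorted(deployed.keys() - built.keys()),
        "removed": sorted(built.keys() - deployed.keys()),
        "changed": {n: (built[n], deployed[n])
                    for n in built.keys() & deployed.keys()
                    if built[n] != deployed[n]},
    }


def vex_states(vex_json):
    """Map purl -> {vuln_id: analysis state} from a CycloneDX VEX document."""
    states = {}
    for v in json.loads(vex_json).get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state", "in_triage")
        for target in v.get("affects", []):
            states.setdefault(target["ref"], {})[v["id"]] = state
    return states


def actionable_findings(sbom_json, feed, vex_json=None):
    """Vulnerabilities matching the SBOM's components, minus those the VEX
    marks non-exploitable. A VEX statement only applies to the exact purl it
    names, so drift between build and deploy re-exposes findings."""
    states = vex_states(vex_json) if vex_json else {}
    findings = []
    for purl in components(sbom_json):
        for vid in feed.get(purl, []):
            state = states.get(purl, {}).get(vid, "in_triage")
            if state not in NOT_EXPLOITABLE:
                findings.append((purl, vid, state))
    return sorted(findings)


if __name__ == "__main__":
    print(json.dumps(sbom_drift(AS_BUILT_SBOM, AS_DEPLOYED_SBOM), indent=2))
    for purl, vid, state in actionable_findings(AS_DEPLOYED_SBOM, VULN_FEED, VEX):
        print(f"{purl}: {vid} ({state})")
```

Two points the script makes concrete: the as-built SBOM is clean once the publisher's VEX is applied, yet the as-deployed SBOM still carries two actionable findings, because a rolled-back libb and an out-of-band libc never appeared in the build, and a VEX statement is matched on the exact package URL it names, so it does not silence a finding against a different version of the same component.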
Key Contacts
To know more about how we at KPMG in India can help you and your clients build a TPRM programme, please connect with us.
Abbreviation Glossary
[1] EO 14028: Executive Order 14028
[2] DHS Risk Management Act 2021: Department of Homeland Security Risk Management Act 2021
[3] FDA: Food and Drug Administration
[4] NCSC Supply Chain Security Guidance: National Cyber Security Centre Supply Chain Security Guidance
[5] ENISA: European Union Agency for Cybersecurity (formerly the European Network and Information Security Agency)
[6] DORA: Digital Operational Resilience Act
[7] CRA: Cyber Resilience Act
[8] SEBI: Securities and Exchange Board of India
[9] ACSC Cyber Supply Chain Risk Management Guidelines: Australian Cyber Security Centre Cyber Supply Chain Risk Management Guidelines
[10] MAS: Monetary Authority of Singapore
[11] SBOM: Software Bill of Materials
[12] VEX: Vulnerability Exploitability eXchange
[13] CSAF: Common Security Advisory Framework