Software Supply Chain Security

The Software Supply Chain Security solution empowers organisations to securely source, build, release, and maintain software products.

In today's interconnected digital landscape, we recognise the intricate interdependencies and complexities that exist within the software supply chain security ecosystem. In recent years, the number of software supply chain security (SSCS) attacks has increased exponentially due to:

  1. Heavy reliance on open-source code and third-party software components vs internal build code when building a software product,
  2. Multiple vulnerable points throughout the supply chain lifecycle,
  3. The ability to reach many customers by exploiting a single vulnerable component in one software product, which makes software supply chain attacks inherently more lucrative,
  4. Limited visibility on end-to-end software supply chain pipeline,
  5. Shift in adversaries' attack patterns from ‘1 to 1’ to ‘1 to many’.

As a result, SSCS has emerged as the new frontier in Third-Party Risk Management. Further, regulatory scrutiny on SSCS has been steadily rising, and most organisations are not mature enough to manage software supply chain risk and regulatory expectations effectively. We aim to provide a service that helps organisations align their SSCS programme with industry-leading practices and meet regulatory requirements such as EO-14028 [1], DHS Risk Management Act 2021 [2], FDA [3], NCSC Supply Chain Security Guidance [4], ENISA [5], DORA [6], CRA [7], SEBI [8], ACSC Cyber Supply Chain Risk Management Guidelines [9], and MAS [10].

Software Supply Chain Security Use Cases

Note: Multiple use cases may apply to a given organisation. The use cases listed are not mutually exclusive and can overlap depending on the organisation's role.

Software consumers are entities or individuals who use software that is built or published by others.

Current solutions and limitations:

| Risk area | Current solution |
| --- | --- |
| Security design flaws, vulnerable components and protocols | Software / application architecture review |
| Security assurance on third-party software products | SOC Type I and Type II reports; third-party risk assessment; VAPT report validation |
| Unauthorized software | Software inventory management |
| Unclear responsibility and accountability for managing third-party software product risk throughout the lifecycle | (no current solution listed) |
| Limited visibility over third-party software product development infrastructure security | (no current solution listed) |
| No security over third-party software product criticality | (no current solution listed) |
| Vulnerable components as part of third-party software upgrades / updates (as maintained) | (no current solution listed) |
| Vulnerable components in the third-party software product supply chain (as received) | (no current solution listed) |

  

Software builders are organisations or individuals who build in-house software for their own use.


Current solutions and limitations:

Full visibility and control

  1. Secure software development lifecycle practices
  2. SAST/DAST
  3. Source code review
  4. Provenance
  5. Security Architecture Review
  6. VAPT
  7. Software Product Risk Assessment

Partial visibility and control

Open-source and third-party components: Level 1 visibility and control, as covered by the current solutions available for build code.

No visibility and control

  1. Absence of vulnerability monitoring for open-source code/systems and third-party components
  2. Limited third-party risk assessment coverage
  3. Absence of an open-source management policy

Software publishers are organisations or individuals who develop and distribute software to consumers or other businesses.


Current solutions and limitations:

Full visibility and control

  1. Secure software development lifecycle practices
  2. SAST/DAST
  3. Source code review
  4. Provenance
  5. Security Architecture Review
  6. VAPT
  7. Software Product Risk Assessment

Partial visibility and control

Open-source and third-party components: Level 1 visibility and control, as covered by the current solutions available for build code.

No visibility and control

  1. Absence of vulnerability monitoring for open-source code/systems and third-party components
  2. Limited third-party risk assessment coverage
  3. Inadequate security review of development infrastructure
  4. Absence of a mechanism to maintain a per-SKU SBOM
  5. Absence of vulnerability monitoring and reporting
  6. Lack of clarity on providing self-attestation


How can we help?

KPMG in India has developed an industry-leading SSCS service capability along with Lineaje (our technology alliance partner) to help drive operational efficiencies and a better end-user experience in assessing and managing security risk throughout the software supply chain pipeline.

  1. SSCS programme maturity assessment against industry-leading practices and regulatory requirements such as NIST 800-218, BSIMM, EO 14028, DHS, DORA, CRA, etc.
  2. Design and/or uplift of:
     - SSCS framework including policy, procedures, standards, and RACI matrix
     - Open-source management policy
     - SSCS risk assessment control inventory
  3. Perform SSCS risk assessment, including SBOM, based on the defined control inventory
  4. Generate and maintain SBOM (using the Lineaje platform):
     - Generate SBOM from source code (as-sourced), artifactory (as-built), and containers (as-deployed), covering all dependencies including the open-source chain and third-party components
     - Update SBOM automatically for each release (major/minor/patches)
  5. Assess and monitor open-source code/systems:
     - For well-maintained code: analyse, prioritise, and coordinate with the developer to fix the vulnerable components
     - For unmaintained code: analyse, prioritise, and drive developer fixes for the vulnerable code/components
  6. Assess and monitor proprietary code: analyse, prioritise, and coordinate with the developer to fix the vulnerable code/components
  7. Remediation management:
     - Log, track, and monitor the identified vulnerabilities, issues, and associated risks related to software products and their supply chains
     - Manage coordination with the developer to ensure the implementation of adequate control(s) to close the identified gap(s)
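Items 4, 5 and 7 above describe a workflow of regenerating the SBOM for every release, matching its components against known vulnerability data, and tracking which findings each release opens or closes. The following is an added illustration of that workflow and is not code from this page, from KPMG or from the Lineaje platform. It builds two constructed CycloneDX-style SBOMs for releases 1.0 and 1.1 of a hypothetical application, diffs them, and matches the result against a constructed advisory feed with placeholder advisory identifiers; the SBOM field names follow the public CycloneDX JSON format, everything else is assumed for the example.

```python
"""Added example: diff per-release SBOMs and track open/fixed advisories.

Not code from the page, KPMG or Lineaje. SBOMs and the advisory feed below
are constructed; advisory ids are placeholders, not real identifiers.
"""
import json
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX-style SBOMs for two releases of a hypothetical
# application. A real SBOM carries many more fields (hashes, licences, dependency graph).
SBOM_V1_0 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-app", "version": "1.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.1.0", "purl": "pkg:npm/libfoo@2.1.0"},
        {"type": "library", "name": "libbar", "version": "0.9.3", "purl": "pkg:npm/libbar@0.9.3"},
        {"type": "library", "name": "oldlib", "version": "1.0.0", "purl": "pkg:npm/oldlib@1.0.0"},
    ],
})
SBOM_V1_1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-app", "version": "1.1"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.1.0", "purl": "pkg:npm/libfoo@2.1.0"},
        {"type": "library", "name": "libbar", "version": "1.0.0", "purl": "pkg:npm/libbar@1.0.0"},
        {"type": "library", "name": "newlib", "version": "3.2.1", "purl": "pkg:npm/newlib@3.2.1"},
    ],
})

# Constructed advisory feed: package name -> [(affected version, advisory id)].
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "libbar": [("0.9.3", "ADV-EXAMPLE-0001")],
    "newlib": [("3.2.1", "ADV-EXAMPLE-0002")],
}


def index_components(sbom_json: str) -> Dict[str, str]:
    """Return {component name: version} for every component in the SBOM."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}


def diff_sboms(old_json: str, new_json: str) -> Dict[str, list]:
    """Compare two releases' SBOMs: components added, removed, re-versioned or unchanged."""
    old, new = index_components(old_json), index_components(new_json)
    return {
        "added": sorted(n for n in new if n not in old),
        "removed": sorted(n for n in old if n not in new),
        "changed": sorted((n, old[n], new[n]) for n in new if n in old and old[n] != new[n]),
        "unchanged": sorted(n for n in new if n in old and old[n] == new[n]),
    }


def match_advisories(sbom_json: str, advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """List (name, version, advisory id) for components whose exact version is in the feed.

    Exact string matching keeps the example short; production matching needs
    per-ecosystem version-range semantics, which VEX/CSAF-style feeds express.
    """
    hits = []
    for name, version in index_components(sbom_json).items():
        for affected, adv_id in advisories.get(name, []):
            if affected == version:
                hits.append((name, version, adv_id))
    return sorted(hits)


def release_report(old_json: str, new_json: str, advisories: Dict[str, List[Tuple[str, str]]]) -> Dict[str, list]:
    """Per-release remediation view: the SBOM diff plus which known issues remain open
    and which the release closed (matched in the old SBOM but not in the new one)."""
    before = set(match_advisories(old_json, advisories))
    after = set(match_advisories(new_json, advisories))
    report = diff_sboms(old_json, new_json)
    report["open"] = sorted(after)
    report["fixed"] = sorted(before - after)
    return report


if __name__ == "__main__":
    print(json.dumps(release_report(SBOM_V1_0, SBOM_V1_1, ADVISORIES), indent=2))
```

Running the block reports that release 1.1 upgraded libbar (closing the constructed advisory against 0.9.3), dropped oldlib, and introduced newlib with an open advisory, which is the kind of per-release record a remediation log would hold.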

Thought Leadership

Safeguarding your Software Supply Chain Landscape

Insights into the evolving Software Supply Chain Security (SSCS) risks and safeguarding the SSCS landscape

Our Partnership

Know about KPMG & Lineaje's Partnership

KPMG in India and Lineaje form an alliance

The aim is to help organisations safeguard against software supply chain attacks with advanced third-party risk management offerings.

Key Contacts

To learn more about how we at KPMG in India can help your clients build their TPRM programmes, please connect with us.

Atul Gupta

Partner and Head - Digital Trust and Cyber

KPMG in India

Kunal Pande

National Co-Head - Digital Risk and Cyber, National Leader - Digital Trust for Financial Services Sector

KPMG in India

Srinivas Potharaju

Partner and Head, Digital Risk and Cyber

KPMG in India

Srijit Menon

National Head for TPRM in India

KPMG in India

[1] EO-14028: Executive Order 14028
[2] DHS Risk Management Act 2021: Department of Homeland Security Risk Management
[3] FDA: Food and Drug Administration
[4] NCSC Supply Chain Security Guidance: National Cyber Security Centre Supply Chain Security Guidance
[5] ENISA: European Network and Information Security Agency
[6] DORA: Digital Operational Resilience Act
[7] CRA: Cyber Resilience Act
[8] SEBI: Securities and Exchange Board of India
[9] ACSC Cyber Supply Chain Risk Management Guidelines: Australian Cyber Security Centre Cyber Supply Chain Risk Management
[10] MAS: Monetary Authority of Singapore
[11] SBOM: Software Bill of Materials
[12] VEX: Vulnerability Exploitability eXchange
[13] CSAF: Common Security Advisory Framework