In today's interconnected digital landscape, we recognise the intricate interdependencies and complexities that exist within the software supply chain security ecosystem. In recent years, the number of software supply chain security (SSCS) attacks has increased exponentially due to:

    • Heavy reliance on open-source code and third-party software components, rather than internally built code, when assembling a software product,
    • Multiple vulnerable points throughout the supply chain lifecycle,
    • The ability to reach many customers by exploiting a single vulnerable component shared across software products, which makes supply chain attacks inherently more lucrative,
    • Limited visibility of the end-to-end software supply chain pipeline,
    • A shift in adversaries' attack patterns from ‘1 to 1’ to ‘1 to many’.

    As a result, SSCS has emerged as the new frontier in Third-Party Risk Management. Regulatory scrutiny of SSCS has also been rising steadily, and most organisations are not yet mature enough to manage software supply chain risk and regulatory expectations effectively. We aim to provide a service that helps organisations align their SSCS programme with industry-leading practices and meet regulatory requirements such as EO-14028 [1], DHS Risk Management Act 2021 [2], FDA [3], NCSC – Supply Chain Security Guidance [4], ENISA [5], DORA [6], CRA [7], SEBI [8], ACSC Cyber Supply Chain Risk Management Guidelines [9] and MAS [10].

    Software Supply Chain Security Use Cases

    Note: Multiple use cases may apply to a given organisation. The use cases listed are not mutually exclusive and can overlap depending on the organisation’s role.

    Software consumers are entities or individuals who use software that is built or published by others.

    Current solutions:

    • Security design flaws, vulnerable components and protocols: software / application architecture review
    • Security assurance on third-party software products: SOC Type I and Type II reports, third-party risk assessment, VAPT report validation
    • Unauthorized software: software inventory management

    Limitations:

    • Unclear responsibility and accountability for managing third-party software product risk throughout the lifecycle
    • Limited visibility over the security of the third-party software product development infrastructure
    • No security over third-party software product criticality
    • Vulnerable components introduced through third-party software upgrades / updates (as maintained)
    • Vulnerable components in the third-party software product supply chain (as received)

    Software builders are organisations or individuals who build in-house software for their own use.

    Current solutions and limitations:

    Full visibility and control

    1. Secure software development lifecycle practices
    2. SAST/DAST
    3. Source code review
    4. Provenance
    5. Security architecture review
    6. VAPT
    7. Software product risk assessment

    Partial visibility and control

    Open-source and third-party components: only Level 1 visibility and control, as covered by the current solutions available for build code.

    No visibility and control

    1. Absence of vulnerability monitoring for open-source code/systems and third-party components
    2. Limited third-party risk assessment coverage
    3. Absence of an open-source management policy
    Software publishers are organisations or individuals who develop and distribute software to consumers or other businesses.

    Current solutions and limitations:

    Full visibility and control

    1. Secure software development lifecycle practices
    2. SAST/DAST
    3. Source code review
    4. Provenance
    5. Security architecture review
    6. VAPT
    7. Software product risk assessment

    Partial visibility and control

    Open-source and third-party components: only Level 1 visibility and control, as covered by the current solutions available for build code.

    No visibility and control

    1. Absence of vulnerability monitoring for open-source code/systems and third-party components
    2. Limited third-party risk assessment coverage
    3. Inadequate security review of development infrastructure
    4. Absence of a mechanism to maintain a per-SKU SBOM
    5. Absence of vulnerability monitoring and reporting
    6. Lack of clarity on providing self-attestation

    How can we help?

    KPMG in India has developed an industry-leading SSCS service capability together with Lineaje (our technology alliance partner) to help drive operational efficiencies and a better end-user experience in assessing and managing security risk throughout the software supply chain pipeline.

    • SSCS programme maturity assessment against industry-leading practices and regulatory requirements such as NIST SP 800-218, BSIMM, EO-14028, DHS, DORA, CRA, etc.
    • Design and/or uplift of:
      – The SSCS framework, including policy, procedures, standards and a RACI matrix
      – An open-source management policy
      – An SSCS risk assessment control inventory
    • SSCS risk assessment, including SBOM review, based on the defined control inventory
    • SBOM generation and maintenance (using the Lineaje platform):
      – Generate SBOMs from source code (as-sourced), the artifact repository (as-built) and containers (as-deployed), covering all dependencies, including the open-source chain and third-party components
      – Update the SBOM automatically for each release (major/minor/patch)
    • Assessment and monitoring of open-source code/systems:
      – For well-maintained code: analyse, prioritise and coordinate with the developer to fix the vulnerable components
      – For unmaintained code: analyse, prioritise and drive developer fixes of the vulnerable code/components
    • Assessment and monitoring of proprietary code: analyse, prioritise and coordinate with the developer to fix the vulnerable code/components
    • Remediation management:
      – Log, track and monitor the identified vulnerabilities, issues and associated risks related to software products and their supply chains
      – Coordinate with the developer to ensure adequate control(s) are implemented to close the identified gap(s)

    Thought Leadership

    Safeguarding your Software Supply Chain Landscape

    Insights into the evolving Software Supply Chain Security (SSCS) risks and safeguarding SSCS landscape

    Our Partnership

    Know about KPMG & Lineaje’s Partnership


    KPMG in India and Lineaje form an alliance

    The aim is to help organisations safeguard against software supply chain attacks with advanced third-party risk management offerings.

    Key Contacts

    To know more about how we at KPMG in India can help your clients build their TPRM programs, please connect with us.

    Atul Gupta

    Partner and Head - Digital Trust and Cyber

    KPMG in India

    Kunal Pande

    National Leader - Digital Trust for Financial Services Sector, National Co-Head - Digital Risk and Cyber

    KPMG in India

    Srinivas Potharaju

    Partner and Head, Digital Risk and Cyber

    KPMG in India

    Srijit Menon

    National Head for TPRM in India

    KPMG in India

    [1] EO-14028 – Executive Order 14028
    [2] DHS Risk Management Act 2021 – Department of Homeland Security Risk Management
    [3] FDA – Food and Drug Administration
    [4] NCSC – Supply Chain Security Guidance – National Cyber Security Centre Supply Chain Security Guidance
    [5] ENISA – European Network and Information Security Agency
    [6] DORA – Digital Operational Resilience Act
    [7] CRA – Cyber Resilience Act
    [8] SEBI – Securities and Exchange Board of India
    [9] ACSC Cyber Supply Chain Risk Management Guidelines – Australian Cyber Security Centre Cyber Supply Chain Risk Management
    [10] MAS – Monetary Authority of Singapore
    [11] SBOM – Software Bill of Materials
    [12] VEX – Vulnerability Exploitability eXchange
    [13] CSAF – Common Security Advisory Framework