Securing the Backbone: Issue #5: The Software Supply Chain Security Checklist – 10 Steps to Lock Down Your Critical Infrastructure Before Hackers Do
Eric Gallagher
Securing Software Supply Chains ?? | Sales & Data Analysis | Account Management | Creator of shenanigans | Tennis, Poker, & Excel nerd
Date: March 2, 2025
??? So You Want to Stay Out of the Headlines?
Congratulations! You’ve decided you’d rather NOT be the next cybersecurity disaster story. This week, we’re handing you a 10-step cheat sheet to securing your software supply chain before hackers make you their next favorite target. Stick to this list, and you just might avoid a cyber-induced existential crisis.
?? The Ultimate Software Supply Chain Security Checklist
1?? Inventory Everything
You can’t secure what you don’t know exists. Track every dependency, third-party library, and software component in your stack. Because surprise, hackers already know what you’re using.
Not sure where to start? I can help.
2?? Demand SBOMs from Vendors
A Software Bill of Materials (SBOM) is your transparency tool. If your vendors can’t tell you what’s in their software, why are you trusting them with your security?
And don't forget about your own SBOMs... those reports you were asked to generate for your own applications. Those should be tracked too, because what's safe today may not be tomorrow.
3?? Lock Down Your CI/CD Pipeline
If your build pipeline is as open as a free Wi-Fi hotspot, it’s only a matter of time before attackers walk right in. Enforce strict access controls, provide your developers a "paved road" of secure components, and verify builds before deploying.
4?? Stop Ignoring Patches
Yes, we know—patching is annoying. But you know what’s worse? Getting breached because you ignored a critical vulnerability for six months. Patch. Your. Stuff.
You know who else thinks this? The FTC - and they threw down the gauntlet over unpatched versions of log4j. Read the press release here - https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability
5?? Scan Dependencies Like Your Job Depends on It
(Newsflash: It does.) Use automated security scanners to catch vulnerabilities before attackers do. And no, “We’ll check next quarter” is not an acceptable response.
And know how far down the rabbit hole your scanner goes. Depending on what report you read, up to 95% of vulnerabilities come from transitive dependencies. Like GI Joe always said... "Knowing is half the battle."
And don't forget your containers, you Docker and Kubernetes lovers... those have vulnerabilities, too. Want to use hardened containers? Let's talk
6?? Enforce Zero Trust (Because Trust is for Suckers)
Assume everything is compromised by default. Require authentication at every step, limit privileges, and monitor for sketchy activity.
7?? Monitor for Anomalies 24/7
If your security team finds out about a breach from Twitter, you’ve already lost. Deploy real-time monitoring and set up alerts for anything remotely suspicious.
8?? Train Your Developers (Because They’ll Get Phished Next)
Your security is only as strong as the people who write your code. Teach developers to recognize phishing, social engineering, and supply chain threats—because bad guys love lazy security practices.
But also, make it easy for your developers to code securely. CISA recommends providing "paved roads" in their "Secure by Design" pledge. Give your developers a dynamic repository of secure components, and continuously monitor for new vulnerabilities.
9?? Vendor Risk Management: Be That Annoying Customer
Make security your vendor’s problem, too. If they don’t have strong security policies, neither do you. Set strict security requirements and regularly audit suppliers.
?? Have an Incident Response Plan (Because You’ll Need It)
No security is 100% foolproof. Have a solid response plan in place for when (not if) things go wrong. Speed matters—the faster you respond, the less damage you take.
?? Bonus Tip: Automate Everything You Can
Cybercriminals don’t sleep, and neither should your security. Automate vulnerability scanning, dependency tracking, version updates, and remediation plans to stay ahead of attacks.
I know, I know... remediation can be tedious (and costly). No sweat - automate it with Intelligent Remediation.
Do your current AppSec tools make all of that easy? If not, maybe it's time to take a look around...
?? Coming Next Week…
?? Securing the CI/CD Pipeline: How to Keep Hackers Out of Your Software Development Process
?? Feeling a little nervous about your own security posture? Don't let supply chain attacks ruin your spring. Message me on LinkedIn.
?? Stay paranoid (in a good way),
EPG