After the Fall: How to Safeguard Digital Operations in a Post-CrowdStrike World
The recent, unprecedented disruption caused by a faulty CrowdStrike Falcon sensor content update in July 2024, which crashed an estimated 8.5 million Windows hosts (Microsoft's figure) and took services down worldwide, has laid bare a critical vulnerability at the heart of our digital infrastructure: the software supply chain. (A separate Azure outage in the Central US region occurred the day before and was widely conflated with it; Microsoft has stated the two were unrelated.) This is a problem that goes far beyond a single vendor or a specific incident. It's a systemic issue that demands immediate attention from organisations of all sizes.
Blind dependence = huge risks
We've become increasingly dependent on software updates to maintain system security. This is a double-edged sword. While essential for patching vulnerabilities, automatic updates pushed straight into production create a new failure mode and attack surface: whatever the vendor ships runs with the vendor's privileges, in CrowdStrike's case as a kernel-mode driver, on every host at once. The recent CrowdStrike incident is a prime example of this. If we can't trust our security software to be safe, where does that leave us? As the old adage goes... 'Who watches the watchmen?'
This isn't an isolated incident either. The CrowdStrike outage was a defect rather than an attack, but it rode on exactly the trust relationship that attackers target: a vendor's ability to push code into your estate unchecked. We're seeing a growing trend of supply chain attacks, where malicious actors compromise the software development or distribution process itself. The near-miss with the XZ Utils backdoor (CVE-2024-3094) earlier in 2024 is yet another wake-up call. The reality is, we need to treat our software supply chain with the same level of scrutiny as our physical supply chains.
The implications of these failures are far-reaching. Beyond the immediate economic impact of downtime, they erode trust in digital systems. When citizens, businesses, and governments alike experience disruptions to essential services, it undermines confidence in the digital world. This, in turn, can hinder innovation and economic growth, and could invite more restrictive legislative control.
While this all sounds very serious, there are things we can do as a tech community to minimise the risks, because we really don’t want this to be a regular occurrence.
A five-step proactive approach to mitigating disruption
To mitigate these risks, organisations must adopt a proactive approach. Here are some key steps we would recommend you start taking today to keep your organisations safe:
- Deepen understanding of the software supply chain: Gain comprehensive visibility into the development, testing, and distribution processes of all software components in your critical infrastructure. This includes mapping out the entire supply chain, maintaining an inventory (a software bill of materials) of third-party dependencies and the update channels they use, and assessing potential vulnerabilities. If you're unsure which software to include, a simple test: if your business can't operate without it, it's critical. That includes the security tooling itself.
- Implement rigorous testing and validation: Establish robust procedures for testing and validating all software updates, including those from trusted vendors. Verify each package against the vendor's published hash or signature, deploy it to a small canary ring first, and promote it to the wider estate only once the canaries pass their health checks. Alongside this, conduct security assessments, vulnerability scans, and penetration testing of the components themselves. If a vendor pushes content you cannot stage or hold back, treat that as a risk in its own right and raise it with them. This way you can identify weak points and plan your response before an outage rather than during one. After all, forewarned is forearmed.
- Build strong supplier relationships: Foster close partnerships with suppliers to enhance collaboration and share intelligence on potential threats. Regular audits, certifications, and information sharing can help build trust and improve supply chain resilience. In a fast-paced digital environment, continued collaboration will pay dividends.
- Invest in incident response: Develop comprehensive incident response plans and conduct regular simulations to ensure readiness. This includes establishing clear roles and responsibilities, creating communication channels, and practising recovery procedures. Rehearse the scenario where the failure removes the tools you would normally rely on, for example a fleet of hosts that will not boot: the CrowdStrike remediation required hands-on access in safe mode and, on encrypted machines, the BitLocker recovery keys, so know where yours are and who can reach the hardware.
- Embrace industry collaboration: Participate in industry forums and share best practices to collectively strengthen the software supply chain ecosystem. This involves collaborating with peers, sharing threat intelligence, and advocating for industry-wide standards and regulations.
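The validation step above (hash check, canary ring, promote only on passing health checks) is easy to describe and easy to skip. The following is an added illustration written for this article, not code from CrowdStrike, Microsoft or any vendor: a small update admission gate that refuses a package whose SHA-256 does not match the digest the vendor published out of band, then rolls an accepted package out ring by ring and halts the moment a ring exceeds its failure budget. The ring names, hosts, payloads and health-check callbacks are all constructed for the example.

```python
"""Update admission gate: integrity check plus ring-based staged rollout.

Added illustration; ring names, hosts and update payloads are constructed.
"""
import hashlib
from dataclasses import dataclass, field

# Rollout rings in order of increasing blast radius (assumed names).
RINGS = ("canary", "early", "broad")


@dataclass
class Update:
    vendor: str
    version: str
    payload: bytes
    expected_sha256: str  # digest obtained from the vendor out of band (assumed)


@dataclass
class Host:
    name: str
    ring: str
    version: str = "old"  # constructed: every host starts on the prior version


@dataclass
class RolloutReport:
    status: str = "pending"  # becomes "rejected", "halted" or "complete"
    reason: str = ""
    touched: list = field(default_factory=list)  # hosts the update was applied to
    failed: list = field(default_factory=list)   # hosts that failed their health check


def verify_integrity(update: Update) -> bool:
    """Reject any package whose content does not match the vendor's published digest."""
    return hashlib.sha256(update.payload).hexdigest() == update.expected_sha256


def staged_rollout(update: Update, hosts: list, apply_fn, max_failure_rate: float = 0.0) -> RolloutReport:
    """Apply `update` ring by ring, halting as soon as a ring exceeds the failure budget.

    `apply_fn(host, update)` installs the update on one host and returns True if the
    host passes its post-update health check, False otherwise. Nothing is applied at
    all if the package fails the integrity check.
    """
    report = RolloutReport()
    if not verify_integrity(update):
        report.status, report.reason = "rejected", "sha256 mismatch; package not deployed"
        return report
    for ring in RINGS:
        members = [h for h in hosts if h.ring == ring]
        if not members:
            continue
        failures = []
        for host in members:
            report.touched.append(host.name)
            if apply_fn(host, update):
                host.version = update.version
            else:
                failures.append(host.name)
        report.failed.extend(failures)
        if len(failures) / len(members) > max_failure_rate:
            # Stop here: the later, larger rings are never touched.
            report.status = "halted"
            report.reason = f"{len(failures)}/{len(members)} hosts failed health check in ring '{ring}'"
            return report
    report.status = "complete"
    return report


def demo():
    """Run the gate against a tampered package, a crashing update and a clean one."""
    payload = b"sensor content v2 (constructed)"
    good = Update("ExampleVendor", "2.0", payload, hashlib.sha256(payload).hexdigest())
    tampered = Update("ExampleVendor", "2.0", payload + b"x", good.expected_sha256)

    def fleet():
        return [Host("cn-1", "canary"), Host("cn-2", "canary"),
                Host("ea-1", "early"), Host("ea-2", "early"),
                Host("br-1", "broad"), Host("br-2", "broad"), Host("br-3", "broad")]

    def crashes(host, upd):  # constructed: models an update that takes every host down
        return False

    def healthy(host, upd):  # constructed: models an update that installs cleanly
        return True

    return (staged_rollout(tampered, fleet(), healthy),
            staged_rollout(good, fleet(), crashes),
            staged_rollout(good, fleet(), healthy))


if __name__ == "__main__":
    for r in demo():
        print(r.status, r.reason, "touched:", r.touched)
```

The point of the canary ring is blast radius: in the crashing case only the two canary hosts are ever touched, and the five hosts in the larger rings keep running the prior version. In practice `apply_fn` would be your real deployment and health probe (a host that reboots cleanly and checks back in), and `max_failure_rate` would be a deliberate, documented budget rather than zero.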
By taking a proactive and collaborative approach, we can strengthen our digital infrastructure and mitigate the risks associated with the software supply chain. After all, the future of our digital world depends on it.
Need help with your digital product development journey? Get in touch with the CreateFuture team for a chat.