Published Mar 7, 2024

SE Radio 606: Charlie Jones on Third-Party Software Supply Chain Risks

Charlie Jones delves into third-party software supply chain risks, distinguishing between ownership and trust issues, and emphasizes the need for frameworks like SSDF and SLSA to counter these threats. He also discusses the importance of continuous risk evaluation and binary analysis in guarding against vulnerabilities and meeting regulatory requirements.
Episode Highlights

  • Continuous Eval

    Continuous evaluation of third-party software is crucial because software development is dynamic. Jones emphasizes that a single evaluation is insufficient: software constantly evolves, and each update alters the risk profile. He suggests a structured approach to managing supplier risk by identifying critical suppliers, ranking them by risk, and applying consistent testing methodologies, so that vulnerabilities or malicious code are identified and mitigated before deployment.

    Software vendor relationships are very different from that of a traditional enterprise relationship... It's the same from onboarding to offboarding; software is very dynamic.

    ---

    Regular reassessment helps maintain security and integrity throughout the software lifecycle.

  • Binary Analysis

    Binary analysis emerges as a powerful tool for evaluating third-party software independently of vendor disclosures. Jones explains that this method lets an enterprise assess risk by examining the binary itself, without needing access to the source code. Combined with automation, this approach helps manage the complexity of modern software packages, which can contain thousands of components.

    Binary analysis... allows you to not only generate an SBOM, but also analyze the risk presented by all those components and dependencies within the SBOM, just using the binary itself.

    ---

    By layering binary analysis with other technologies like AI, organizations can better understand and mitigate potential threats.
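The two highlights above fit together in practice: an SBOM produced from each release's binary is diffed against the previous release's SBOM, and every component is checked against an advisory list, so the risk profile is re-evaluated on every update rather than once at onboarding. The following is an added illustration, not code from the episode or from any vendor tool; the CycloneDX-style SBOMs, package names and advisory entries are constructed sample data.

```python
"""Re-evaluate a supplier package on each release: diff the new release's
SBOM against the previous one and flag components matched by an advisory
list. Added example; the SBOMs and advisories below are constructed."""
import json

# Constructed: minimal CycloneDX-style SBOMs for two releases of one vendor package.
SBOM_V1 = json.dumps({"components": [
    {"purl": "pkg:npm/acme-logger@2.1.0"},
    {"purl": "pkg:npm/acme-http@1.4.2"},
]})
SBOM_V2 = json.dumps({"components": [
    {"purl": "pkg:npm/acme-logger@2.1.1"},
    {"purl": "pkg:npm/acme-http@1.4.2"},
    {"purl": "pkg:npm/acme-args@0.9.0"},   # new transitive dependency
]})

# Constructed advisory feed: package (purl without version) -> affected versions.
ADVISORIES = {
    "pkg:npm/acme-logger": {"2.1.0"},
    "pkg:npm/acme-args": {"0.9.0"},
}


def parse_purls(sbom_json):
    """Return {purl_without_version: version} for every component in the SBOM."""
    comps = {}
    for c in json.loads(sbom_json)["components"]:
        name, _, version = c["purl"].rpartition("@")
        comps[name] = version
    return comps


def diff_sboms(old_json, new_json):
    """Added, removed and version-changed components between two releases."""
    old, new = parse_purls(old_json), parse_purls(new_json)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def flag_affected(sbom_json, advisories):
    """Components whose exact version is listed in the advisory feed."""
    return sorted(n for n, v in parse_purls(sbom_json).items()
                  if v in advisories.get(n, set()))


if __name__ == "__main__":
    print(diff_sboms(SBOM_V1, SBOM_V2))
    print(flag_affected(SBOM_V2, ADVISORIES))
```

Matching here is by exact version string for brevity; a production check would use version-range semantics for the package ecosystem in question.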
