The big tech giants are acutely aware of the software supply chain risk and have been for some time. Some of them have created short-term solutions such as repositories of “verified” dependencies that their developers may select from. Not only are these efforts labor-intensive, they only help that one company. The company may eventually incorporate an external project that was never subject to its controls. As such, efforts that contribute to the common good are needed to secure the software supply chain in the long term.
Fortunately, the major players in the industry are already coming together through a number of projects, including those under the umbrella of the Linux Foundation and the OpenSSF. However, it is not enough for these collaborative efforts to simply exist. They need to be adopted and used by the large majority of the software industry. This transition will not be easy, and it will take time. The Building Security In Maturity Model (BSIMM) has become the de facto standard for assessing a company’s software security practices and providing an industry-wide picture of practice adoption. A “BSIMM for Supply Chain” would go a long way towards helping software companies understand the software development and build practices they should adopt to improve supply chain security.