AI/ML’s Role in Software Supply Chain Security

Almost every company has felt the impact of a cybersecurity incident caused by a security breakdown in the software supply chain. According to a study by BlueVoyant, 98% of businesses were negatively affected by a supply chain-related breach, with 40% of the respondents saying they rely on the vendor to ensure security.

However, by relying on someone else to be responsible for your security, you may be dropping the ball on monitoring the software for potential vulnerabilities. The lack of visibility into the software supply chain will increase your risk of a cybersecurity incident. The use of open source code to build software used in the supply chain also opens up the possibility for vulnerabilities. Almost every developer relies on software libraries rather than developing from scratch in-house because it is less expensive and decreases the time to market.

“Even relatively simple systems are made with hundreds or thousands of dependencies, many of which are open source and maintained by volunteers,” said Guillaume Ross, deputy CISO at JupiterOne, in an email conversation. “It can become daunting to understand the attack surface of a product, as these dependencies might have vulnerabilities or could be taken over by someone malicious.”

Monitoring software across the supply chain is daunting, and you should not put all your trust in your third-party vendor for software security. The optimal cybersecurity solution across the software supply chain is AI.

Using AI to Address Security Problems in the Supply Chain

Supply chain security has multiple components, including the security of vendors and usage of open source tools, explained Sajeeb Lohani, director of cybersecurity at Bugcrowd, via email.

“The biggest issue is identifying what is safe for use and whether a vendor that another company relies on performs such due diligence,” said Lohani.

This is where AI and ML play a role in software supply chain security. “AI/ML can be an effective way to identify certain patterns and weaknesses within such areas, so it definitely has a place, however, another major concern is simply business process and the awareness around such issues within a company’s security posture,” said Lohani.

Projects like Netskope’s CCI and Google’s OSV will help companies identify which applications and open source packages are safer to use. “The major play that ML will have in such an area could be ingesting this data and using it to identify trends and potentially finding weaknesses that are more systemic than we currently realize,” said Lohani.

But AI and ML Aren’t Perfect

While AI and ML are clearly a part of solving software security issues within the supply chain, the good guys aren’t the only ones taking advantage of the technology, according to Bud Broomhead, CEO at Viakoo.

“It’s an arms race with respect to AI/ML, and bad actors are already using AI/ML to hone their attacks better,” Broomhead said in an email interview.

Another concern with AI/ML tools is that, while useful, they can sometimes generate a lot of data that is hard to contextualize.

“For example,” said Ross, “tools that detect vulnerabilities in dependencies will often generate thousands of warnings about ‘critical’ updates, but many of those issues in the dependencies might not actually be exploitable in the final product. Or if they are, it’s not easy to know what to fix first, without context.”

While machine learning could be useful to help reduce and prioritize the list of issues through patterns, it’s important to load the output data of all application and supply chain security tools in a unified platform so you can leverage context from other data sources when deciding what to secure in what order, Ross added.
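The context join described above, as an added example that is not from the article or from any vendor it names: scanner findings are merged with two other data sources before ranking. The package and service names, the placeholder finding IDs, the reachability set and the scoring weights are all constructed assumptions, and the scoring is a plain weighted sum rather than a trained model.

```python
# Constructed sample data. IDs are placeholders, not real advisories.
# Source 1: dependency scanner output, which rates almost everything "critical".
SCANNER_FINDINGS = [
    {"id": "VULN-0001", "package": "imgparse", "service": "billing-api", "severity": "critical"},
    {"id": "VULN-0002", "package": "yamlite", "service": "build-tools", "severity": "critical"},
    {"id": "VULN-0003", "package": "httpkit", "service": "billing-api", "severity": "critical"},
    {"id": "VULN-0004", "package": "xmlread", "service": "report-batch", "severity": "high"},
]
# Source 2 (hypothetical call-graph tool): the vulnerable code is actually invoked.
REACHABLE = {("billing-api", "httpkit"), ("report-batch", "xmlread")}
# Source 3 (hypothetical asset inventory): exposure and data sensitivity per service.
ASSETS = {
    "billing-api": {"internet_facing": True, "handles_sensitive_data": True},
    "build-tools": {"internet_facing": False, "handles_sensitive_data": False},
    "report-batch": {"internet_facing": False, "handles_sensitive_data": True},
}
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def score(finding):
    """Combine scanner severity with context. Weights are illustrative assumptions."""
    asset = ASSETS.get(finding["service"], {})  # unknown service: no context bonus
    total = SEVERITY_SCORE.get(finding["severity"], 0)
    if (finding["service"], finding["package"]) in REACHABLE:
        total += 4  # reachability outweighs one severity level
    if asset.get("internet_facing"):
        total += 2
    if asset.get("handles_sensitive_data"):
        total += 1
    return total


def prioritize(findings):
    """Return findings ordered by descending contextual score, ties broken by ID."""
    return sorted(findings, key=lambda f: (-score(f), f["id"]))


if __name__ == "__main__":
    for f in prioritize(SCANNER_FINDINGS):
        print(f"{score(f):>2}  {f['id']}  {f['severity']:<8}  {f['service']}/{f['package']}")
```

With this sample data, the "high" finding that is reachable ranks above a "critical" finding whose vulnerable code is never called, which is the reordering that scanner severity alone cannot produce.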

The software supply chain is inherently risky because of the tradeoffs between time-to-market, available engineering resources and security, said Broomhead. While the solution isn’t perfect, AI/ML can accelerate and optimize software testing by focusing on a highly curated set of tests in developing a specific product and, from that, excluding testing that is not relevant to that product.

“All products have software vulnerabilities,” Broomhead said. “AI/ML can dramatically reduce the time needed to know if those vulnerabilities matter in the context of that specific product.”