Snap CISO: I rate software supply chain risk 9.9 out of 10
'Understanding your inventory is absolutely No. 1' he tells The Reg
SCSW On a scale of 1 to 10, 10 being the highest risk, Snap Chief Information Security Officer Jim Higgins rates software supply chain risk "about 9.9."
Snap says it serves 375 million daily active users, all of whom have to be kept secure and reliable. The supply chain is not only a high risk but a hard problem to fix, because a single product can pull in tens of thousands of software dependencies.
You can catch all of this detail and more in our interview with him below.
"It's a physics problem," Higgins told us, in that software packages are dependent on so many other third-party and open-source software libraries. And it only takes a bug in one of these to make your organization the next cautionary tale.
The most important thing his fellow CISOs can do to improve supply chain security is to know what software their organization uses and understand the dependencies across the supply chain, according to Higgins. He recommends building a full inventory of the libraries in use as the starting point for fixing the problem, so security staff know exactly what to check when a vulnerability is disclosed.
"Understanding your inventory is absolutely No. 1," he said. "It's 50 percent of the problem. If you can understand where everything is and a CVE hits, then at least you know immediately what you need to do and where."
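To make Higgins's point concrete, here is an added Python example; it is not code from the article, from Snap, or from any named product. It takes a constructed multi-service dependency inventory, the sort of thing a per-service SBOM flattens into, and maps one advisory onto it, returning which services ship an affected version and whether the dependency is direct or transitive. The service names, package names and the advisory ID are placeholders, not real packages or CVEs. The advisory's `introduced`/`fixed` range shape is assumed to follow the OSV convention (inclusive start, exclusive fix), and the version parser is a deliberately minimal stand-in for each ecosystem's real rules.

```python
"""Map an advisory onto a dependency inventory across services.

Added example, not code from the article or from Snap. The inventory,
the advisory and every package name below are constructed placeholders;
the advisory ID is not a real CVE.
"""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Component:
    service: str     # deployable that ships this library
    ecosystem: str   # "pypi", "npm", ...; the same name can exist in several
    name: str
    version: str
    direct: bool     # False when pulled in transitively


def parse_version(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a tuple that compares correctly.

    Missing parts are padded with zeros (1.2 == 1.2.0) and a pre-release tag
    sorts before the release it precedes. Real ecosystems have their own
    rules (PEP 440, semver build metadata); this is deliberately minimal.
    """
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))
    return (nums, 0 if pre else 1, pre)


def is_affected(version: str, ranges: list[dict]) -> bool:
    """OSV-style ranges: 'introduced' is inclusive, 'fixed' is exclusive.

    A range without 'fixed' means every version from 'introduced' onward.
    """
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = r.get("fixed")
        if v >= lo and (hi is None or v < parse_version(hi)):
            return True
    return False


def build_index(inventory: list[Component]) -> dict[tuple[str, str], list[Component]]:
    """Index components by (ecosystem, name) so each lookup is one dict hit,
    even with tens of thousands of entries."""
    index: dict[tuple[str, str], list[Component]] = defaultdict(list)
    for c in inventory:
        index[(c.ecosystem, c.name)].append(c)
    return index


def triage_report(inventory: list[Component], advisory: dict) -> dict[str, list[Component]]:
    """Return {service: [affected components]} for one advisory.

    Services that do not carry the package, or that carry a fixed or
    pre-introduced version, are absent from the result.
    """
    index = build_index(inventory)
    hits = index.get((advisory["ecosystem"], advisory["package"]), [])
    report: dict[str, list[Component]] = defaultdict(list)
    for c in hits:
        if is_affected(c.version, advisory["affected"]):
            report[c.service].append(c)
    return dict(report)


# Constructed inventory: what per-service SBOMs would flatten into.
INVENTORY = [
    Component("api-gateway",  "pypi", "example-http", "2.3.0", True),
    Component("api-gateway",  "pypi", "example-json", "1.0.2", True),
    Component("search",       "pypi", "example-http", "2.0.0", False),
    Component("image-worker", "pypi", "example-http", "2.4.1", False),
    Component("billing",      "pypi", "example-http", "1.9.9", False),
    Component("web-client",   "npm",  "example-http", "2.3.0", True),
]

# Constructed advisory in the shape of an OSV record's affected ranges.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",  # placeholder, not a real identifier
    "ecosystem": "pypi",
    "package": "example-http",
    "affected": [{"introduced": "2.0.0", "fixed": "2.4.1"}],
}

if __name__ == "__main__":
    for service, comps in sorted(triage_report(INVENTORY, ADVISORY).items()):
        for c in comps:
            kind = "direct" if c.direct else "transitive"
            print(f"{service}: {c.name} {c.version} ({kind}) -> upgrade to 2.4.1")
```

Two details matter in practice. The index key includes the ecosystem, so an npm package that happens to share a name with the affected PyPI package is not flagged; and an empty report is itself the answer ("not exposed"), which is the half of the problem Higgins says inventory solves. The transitive flag tells the responder whether a fix is a one-line version bump or a chase through a parent dependency's release schedule.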
Oh, and also, don't forget to patch. ®