Software supply chains have become a tasty target for adversaries fueled by successful, high-profile attacks on companies like Solarwinds and Kaseya and open-source offerings like Log4j. Now a software applications security company seeks to address the problem with what it’s saying is the first attack surface management (ASM) product to address threats across the application full stack of APIs, cloud services, SDKs, and open-source software.

Supply Chain Secure, a SaaS solution by Data Theorem announced Wednesday, counters threats with continuous runtime analysis and dynamic inventory discovery that goes beyond traditional source code static analysis and use of a software bill of materials (SBOM), according to the company.

“ASM is a new market that’s forming because the old way of dealing with software suppliers, vendor management, and third-party source code is insufficient,” Data Theorem Chief Operations Officer Doug Dooley tells CSO. “We’re seeing that in major problems like Solarwinds, Log4j, and Spring4Shell.”

“We’re bringing out a component that, so far, has been missing in attack surface management,” Dooley adds.

Continuous third-party application discovery, vendor tracking

Right now, most software supply chain security solutions lean on vendor management or software composition analysis to fight threats. There’s a gap in that approach, though, because it often lacks access to mobile, web, cloud, and commercial off-the-shelf software, as well as third-party APIs.

Supply Chain Secure seeks to fill that gap by offering continuous, third-party application discovery and dynamic tracking of third-party vendors. The product can automatically categorize assets under known vendors, allow customers to add new vendors, curate individual assets under any vendor, and alert on increases in policy violations and high embed rates of third-party vendors within key applications.

The solution can also improve the accuracy of SBOMs, which are used to identify third-party components in an application. It does that by ingesting SBOMs provided by vendors and comparing them to an SBOM generated by Supply Chain Secure based on a runtime analysis of an application. “What generally happens is the vendor SBOM is inaccurate or was accurate at a point in time, so there’s drift from the vendor’s documentation to what’s actually in production,” Dooley explains. “It’s always shocking to customers to see what they have in documentation versus what an attacker can see on the internet.”

Supply chain disruptions likely to continue

“Everybody is using third-party software to build their commercial software,” Dooley says. “As a result, there’s going to continue to be these supply-chain disruptions, and we need better technology to get a handle on it. You’re never going to be able to stop it,” he continues. “It’s really about how long does it take to figure out you have a problem and then how do you mitigate it.”

“No one vendor can do this solution perfectly yet,” Dooley acknowledges. “The industry is in the first year of really trying to get a handle on this supply-chain problem. It’s going to take several vendors and several smart customers to work this out over the coming years.”

“Customers are bleeding from the neck,” he adds. “They’re struggling because they know Log4j was really bad, but it’s going to keep happening, unfortunately, until we get a lot better with automating discovery around these software supply-chain problems.”