The tools we use every day, especially common open source tools, tend to be an overlooked link in the software supply chain. Performing third-party risk management (TPRM) analysis on these tools is crucial, as we saw with Log4j. The good news is that assessing that risk (with a focus on behaviors and capabilities) can be done friction-free with minimal effort.
Key areas of focus include:
✓ How to gain visibility into your extended attack surface from third-party code repositories like GitHub
✓ How to assess software package expectations vs. behaviors, and the use of common patterns to streamline analysis
✓ The benefit of conducting comprehensive network traffic assessment on the final executable package using static vs. dynamic analysis