Everyone Uses A Supply Chain

Everyone uses a supply chain and because nothings perfect, especially internet technology, everyone is subject to supply chain attacks.  But, what can you do about it?

I'm going to take this to a higher level less specific than what has been recently discussed in media we'll use the example of a consumer app, let's call it ShopIt.  Fundamentally, a supply chain is a network of activities that occurs between a 'consumer' and their 'suppliers' that results in a specific product or service goal, in this case using ShopIt to achieve the goal.  For example, let's say the goal is dinner delivery using ​ShopIt.​

There are many things that can be used in the app to enable delivery of a dinner but there are some that are common and have basic functions that are generic or standard, like, making a list, collecting identity information, storing information and making monetary transactions between parties. A supplier X might provide the code used in ShopIt that makes the list of items for dinner, another supplier Y might provide code that performs the monetary transaction. The organization that produces ShopIt can integrate code from a number of suppliers to create the ShopIt app's user experience and platform. Any of the suppliers can be thought of as part of the chain that brings the dinner to your table. Also, any of the suppliers may become compromised because nothing, especially those things intended to be portable and open to use, is perfect. In fact in terms of internet technology the presumption should always be that is probably a flaw and it most likely may be in the security of whatever technology is being leveraged.

In this example there are a plethora of supply chain elements in the app that have bearing on outcome that can be compromised and cause a failure in security. A code library might be compromised at supplier X that sends all consumer list selections to a competitors servers, or a compromise at supplier Y might leak fractions of a penny for each transaction to a clandestine bank account. In the current environment of low-code / no code development the goal is to shift security considerations to the left, earlier in development by seasoned programmers. Each of these examples could be thwarted with due diligence of the ShopIt organization but often the resources required to run to ground such flaws is a risk decision based on the supplier's reputation. One such mitigation strategy for those costs is consumer reviews.

The affect of consumer reviews is like a feedback loop to the app producer. By monitoring the user feedback and closely reviewing submissions and application analytics flaws in the implementation or even security breaches can be detected. It is an important facet of the current universe of apps that users provide this feedback, not only for the sake of the producer but for the sake of the rest of the consumer community. In fact that feedback is often how flaws in code provided by a supplier is detected.

Here are some tips that make everyone a little safer as we are all consumers, in one way or another, of a vast and opaque supply chain:

• Report problems - no matter how insignificant a problem may seems on the surface observation of the issue may be the lynchpin for discovery of a security vulnerability or breach.
• Understand the permissions' - what an app should require versus what the app requests are sometimes vastly different things. Dig deep and suss out the needed versus the requested.
• Be aware of out-of-band checks - there is always a method to evaluate the security of a transaction by not using the app, if you can't find a way to check the security of the transaction consider a different app.
• Share your honest review with producers - App producers are becoming less coders and more integrators of code models. This means that the introduction of threats, due to poor planning in an apps supply chain, may become far less obvious to the producer, until it's too late.