In the age of intelligent automation, enterprise business applications (EBAs) are increasingly embedding and integrating sophisticated AI agents to drive efficiency, insights, and innovation. These modern EBAs — designed for composability and flexibility — boast a modular architecture built upon a complex software supply chain. This intricate ecosystem comprises microservices, third-party APIs, cloud services, and a blend of open-source and proprietary components — not to mention the vast array of tools used throughout the development, build, test, delivery, and deployment lifecycle.

While the agility and scalability offered by this architecture are undeniable, the inherent complexity introduces a significant and often overlooked attack surface. Do you know what risks are hidden in your EBA software supply chain?

Neglecting the security of this intricate web of dependencies can have profound consequences, especially as AI agents become deeply integrated into critical business processes. Attackers recognize the software supply chain as a potentially lucrative target, viewing vendors, SaaS providers, and open-source projects as strategic footholds to compromise numerous downstream customers, including enterprises and government agencies.

The 2020 SolarWinds breach serves as a stark reminder of this reality. By compromising the software development process of a widely used monitoring tool, malicious actors gained access to thousands of networks, highlighting the devastating impact of a successful supply chain attack. Widespread confusion and a prolonged struggle for organizations to understand their exposure characterized the aftermath.

As AI agents become more deeply embedded within EBAs, the potential impact of a software supply chain compromise escalates dramatically. Imagine malicious code injected into an AI agent responsible for financial forecasting, customer relationship management, or even critical operational decisions. The consequences could range from data breaches and financial losses to compromised business logic and erosion of trust.

Prioritizing software supply chain security is no longer a secondary concern; it’s a fundamental imperative for organizations leveraging AI-powered EBAs. Understanding and mitigating the risks within this complex ecosystem is crucial for maintaining the integrity, security, and reliability of your critical business applications and the intelligent agents that power them. Ignoring this vital aspect leaves your organization vulnerable to sophisticated attacks with potentially catastrophic consequences.

Fortifying AI-Powered EBAs: Proactive Measures For A Resilient Software Supply Chain

In today’s increasing complex digital landscape, it’s important to mitigate escalating security risks, protect critical business operations, and future-proof against emerging threats. More than the typical IT hygiene, the complexity introduced by AI integration amplifies the importance of securing the foundations upon which these advanced applications are built. To minimize downtime, the risk of a security breach, and the time spent addressing vulnerabilities — from purchasing software, government agencies, and enterprises — we recommend eight key actions:

  1. Achieve comprehensive supply chain visibility. Initiate this by compiling a detailed inventory of all organizational software assets, leveraging existing IT asset management systems or configuration management databases. If such an inventory is lacking, collaborate across procurement, legal, IT, and enterprise architecture teams to establish one.
  2. Engage with software suppliers to understand their secure software development practices. Inquire about their adherence to “secure by design” principles and their own visibility into their upstream software suppliers. This due diligence is crucial for understanding the security posture of the entire chain.
  3. Demand SBOM for transparency. Request a software bill of materials (SBOM) from your suppliers in one of the NTIA-approved formats (i.e., CycloneDX, SPDX). SBOMs are an inventory of all the components, libraries, and modules in a software product, including software dependencies. Recognize that SBOMs are designed to be machine-readable, which means they can be analyzed and enriched with operational, legal, and security risk information. This granular visibility is essential for informed risk management in AI-integrated systems.
  4. Establish control through risk-based decision-making. Leverage the insights derived from SBOM analysis to make informed, risk-based decisions. Scrutinize discovered vulnerabilities, the health of dependencies, and any associated open-source license obligations. You might be OK running software with known vulnerabilities that have a low chance of being exploited or with an outdated dependency that the vendor confirms will be updated in the next release. But you might not want to take the risk of utilizing software with a medium-severity vulnerability with high likelihood of exploitation in an application that holds customer data.
  5. Integrate security into the procurement lifecycle. Embed security considerations directly into the procurement process. It’s significantly more effective to address security requirements before a purchase is finalized. During the RFP process, explicitly ask security-focused questions regarding the vendor’s development practices and request verifiable evidence to support their claims. Assess the product based on the vendor’s response to secure software development practices and an analysis of the SBOM. Leverage contractual agreements to define critical patch timeframes, acceptable downtime thresholds, and even security incident warranties based on the vendor and product risk assessment.
  6. Actively monitor and utilize SBOM post-purchase. Don’t let the SBOM sit on the shelf. SBOMs are useful post-purchase as they can be continuously monitored for newly disclosed vulnerabilities. Knowing which software components are affected by a critical vulnerability allows for targeted preparation and efficient deployment of vendor-supplied patches. In the case where the vendor isn’t able to expedite a fix, the detailed information within the SBOM enables the implementation of compensating controls to reduce the risk posed by the identified vulnerability within your AI-driven applications.
  7. Prioritize software with privileged access. The SolarWinds breach — the infiltration of the US Treasury department via BeyondTrust’s privileged access management software — and the Windows outage — following an update to CrowdStrike’s Falcon Identity Threat Detection software — all share a common factor: software operating with privileged access. This elevated access level makes them more appealing to malicious actors and allows incidents to disseminate quicker through an organization.
  8. Get ahead of third-party AI integration risks. As vendors integrate AI into their products to improve customer experience, automate tasks, and facilitate autonomous decision-making, the software supply chain becomes more extensive. It’s important to incorporate third-party risk management questions concerning the use of generative AI when purchasing and renewing products, but don’t delay initiating discussions with current vendors. You must understand how the application currently uses or intends to use AI, the way customer data is used and safeguarded, the strategies in place to prevent data leakage, and the safeguards around the models.

If you are grappling with getting a handle on your software supply chain, work with vendors, or want to understand how SBOMs can help, let’s continue the conversation. Book a guidance session with Janet Worthington.