Today, cyber threats are among the top risks facing businesses. Attackers are increasingly targeting supply chains and digital infrastructure as well—something the German Federal Office for Information Security (BSI) highlighted very clearly in its alert about the critical backdoor in xz utils. And many of us still remember the far less festive discovery of the now legendary Log4Shell vulnerability in the Log4j library during the winter of 2021. Software supply chain security is no longer just an IT issue—it is becoming a decisive competitive factor, especially for organizations that deliver software to customers. Germany’s Product Liability Act now explicitly includes software, too. So whether you are a supplier or a customer, you should know exactly which components you have in use.
Too many cooks increase the security risk
It is hardly surprising that supply chains are an easy target for cybercriminals. The more different parties are involved—companies, suppliers, distributors, customers, and others—the more potential entry points there are. If even one participant relies on insufficient safeguards, the risk rises significantly. A supply chain is only as secure as its weakest link.
This increasingly applies to the supply chain for software and tools as well. Modern software often contains third-party components, which in turn frequently contain vulnerabilities over which the direct supplier’s development team has only limited control. Unpatched security flaws in these components significantly increase risk in your own environment. And the exposed backdoor in xz utils shows the worst-case scenario: malicious code can indeed be injected into open-source software—and cannot be ruled out even in compiled programs. That is exactly why protecting the software supply chain has taken on a central role, not least because of regulations such as DORA.
Analysis – getting to protection quickly and efficiently
So how do you uncover security gaps? Together with our partner ReversingLabs, we rely on the analysis of third-party software. Traditional risk assessments often do little more than scratch the surface and miss what really matters: hidden risks deeper inside the software. Whether before purchase or during updates, embedded attacks and critical vulnerabilities often remain undetected.
That is where we come in. We automate analysis and security assessment far beyond manual questionnaires and “software parts lists” (Software Bills of Materials). The entire software package is examined—regardless of whether it contains proprietary, commercial, open-source, or other third-party artifacts. The analysis looks for known vulnerabilities, possible tampering, embedded secrets or credentials, and potential licensing issues.
With the three-step model Risk, Release, Run, a comprehensive security analysis report can be generated before installation or update. That gives both operators and decision-makers greater peace of mind—because supply chain security has become an integral part of the organization.
As part of the risk assessment, potential vulnerabilities can be identified, evaluated directly, and quickly classified as release, warning, or stop. Both internal development teams and affected suppliers can receive detailed information about the issue before vulnerabilities cause damage in production systems. The focus here includes third-party dependencies, privileged access, and expanded attack surfaces. The release phase then involves a full analysis of the third-party software itself.
What about during ongoing operations?
Not every vulnerability is known when software is first put into operation. Log4Shell is a perfect example of that, and Microsoft’s traditional Patch Tuesday also shows the constant stream of newly discovered weaknesses. As soon as a new software alert becomes known—for example through a CVE publication—it can be checked promptly against the already recorded and installed software base. Instead of time-consuming manual analysis, organizations can immediately assess and classify the issue, quickly see where they are exposed, and identify where countermeasures are required.
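The check described above, as an added example that is not from the article or any vendor product: a new advisory is matched against a recorded inventory (an SBOM), and each hit is classified release/warning/stop. The SBOM fragment, the advisory ids and the affected version ranges are constructed placeholders, not real CVE records; version comparison is numeric only (pre-release tags are ignored), which is an assumption for this example.

```python
"""Match newly published advisories against a recorded software inventory."""
import json
import re

# Constructed SBOM fragment (CycloneDX-like shape): one entry per installed component.
SBOM_JSON = json.dumps({"components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"group": "", "name": "xz-utils", "version": "5.4.6"},
    {"group": "", "name": "openssl", "version": "3.0.13"},
]})

# Constructed advisories with placeholder ids; affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "group": "", "name": "xz-utils",
     "introduced": "5.6.0", "fixed": "5.6.2", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "group": "", "name": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.14", "severity": "medium"},
]

def parse_version(v):
    # Assumption: numeric dotted versions only; suffixes such as "-beta9" are dropped.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(version, introduced, fixed):
    # Tuple comparison handles differing lengths ("2.0" < "2.14.1" < "2.15.0").
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def classify(severity):
    # Maps advisory severity onto the article's release / warning / stop decision (assumed mapping).
    return {"critical": "stop", "high": "stop", "medium": "warning"}.get(severity, "release")

def match_advisories(sbom_json, advisories):
    """Return (advisory id, decision, component, version) for every installed component in range."""
    components = json.loads(sbom_json)["components"]
    hits = []
    for adv in advisories:
        for c in components:
            if (c.get("group", ""), c["name"]) != (adv["group"], adv["name"]):
                continue  # advisory is for a different component
            if is_affected(c["version"], adv["introduced"], adv["fixed"]):
                label = f'{c["group"]}:{c["name"]}' if c.get("group") else c["name"]
                hits.append((adv["id"], classify(adv["severity"]), label, c["version"]))
    return hits

if __name__ == "__main__":
    for hit in match_advisories(SBOM_JSON, ADVISORIES):
        print(hit)
```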
Supply chain security & IAM
Better visibility into software vulnerabilities alone does not provide sufficient protection. Security can—and must—be broader than that. By combining our many years of IAM expertise with modern software supply chain security and incident response approaches, we help ensure that access rights configuration, the use of privileged accounts, and deployed software all meet the state of the art required by the BSI and other supervisory authorities. That way, neither the misuse of digital identities nor software flaws can be used as gateways for attackers.
In other words, supply chains only become truly secure, efficient, and resilient when they are backed by a clear IAM strategy. To strengthen your position under DORA and NIS2, we recommend a holistic approach built around at least the following elements:
- Centralized identity management: Consistent access policies—including for partner identities—are needed to monitor user activities transparently.
- Identity management: Single Sign-On (SSO) simplifies access while ensuring attribute-based access control.
- Role-based access: Role-based access control makes it possible to assign permissions according to responsibilities.
- Secure API connections: Exchanging data across the supply chain via an API gateway with authentication and encryption functions helps protect sensitive information.
- Strong authentication: Secure second factors such as FIDO2-based hardware tokens and passkeys ensure that only authorized users gain access to sensitive data.
- Granular access rights: Instead of simple yes/no access, organizations should enforce true need-to-know and need-to-do based on relationships (ReBAC), context (CBAC), and attributes (ABAC)—with RBAC included as well.
- Real-time monitoring: Monitor and log all privileged access in real time in order to detect suspicious activity immediately (PAM with session monitoring).
- Automated processes: Use Identity Governance (IGA) solutions to manage roles and permissions centrally and automatically—making life easier for both IT teams and HR.
- Software security: Analyze all software being delivered or used, identify vulnerabilities reliably, and mitigate them effectively (SSCM).
Technology alone is not enough if people and processes are not aligned as well:
- Process consulting: We help you map out your core IT and HR processes, streamline them, and align them with modern tools and systems.
- Training and enablement: As experienced experts, instructors, and trainers in security topics, we share our knowledge with your teams—whether through standardized training or individually tailored sessions.
Secure for the long term
In an increasingly connected world, the interplay of people and processes with technologies such as software supply chain security and IAM must be treated as much more than a set of “pure security tools.” Only their coordinated interaction creates the decisive foundation for resilience and long-term success. That is why it is worth doing more than simply worrying about vulnerabilities or planning one-off analyses of third-party software. These tasks should be combined with solid IAM concepts and process optimization.
