
PUBLISHER: IDC | PRODUCT CODE: 1648089

Securing Closed Source and SaaS Apps in the Enterprise Software Supply Chain

PUBLISHED:
PAGES: 7 Pages
DELIVERY TIME: 1-2 business days
PDF (Single User License)
USD 7500

This IDC Perspective offers guidance on why software supply chain security protections must extend to closed source and SaaS applications as well as open source code. Third-party closed source applications and SaaS apps often feature prominently alongside open source code in enterprise software supply chains. In some respects, closed source and SaaS software assets pose less of a risk than open source components because vendors are more likely to manage security risks in the former types of assets for their customers. In addition, vulnerabilities that impact closed source apps are often not disclosed publicly, reducing the chances that threat actors will learn about and exploit them.

Nonetheless, closed source and SaaS apps can be subject to a number of risks that can hamper software supply chain security. For that reason, businesses must be able to track third-party apps in their supply chains, even if the apps are not open source. Doing so is important for ensuring that businesses can determine quickly whether security flaws or incidents involving closed source software impact them, as well as to react quickly to such issues by (for example) installing patches in cases where the vendor does not automatically patch its software.

Unfortunately, managing software supply chain risks associated with third-party closed source apps and SaaS is not as straightforward as managing third-party open source code. However, it is possible using approaches like application inventory management, SaaS discovery, and the extension of SBOM practices to provide visibility into closed source and SaaS applications.

"Third-party closed source software and SaaS apps are easy to overlook in the context of software supply chain security, which tends to focus mostly on open source security risks," says Christopher Tozzi, adjunct research advisor, IDC's IT Executive Programs (IEP). "However, the reality is that insecure closed source code and software hosted by someone else can pose just as much of a threat as open source vulnerabilities, making it critical to extend software supply chain security strategies and practices beyond open source alone."

Product Code: US53146025

Executive Snapshot

Situation Overview

  • The Role of Closed Source and SaaS Apps in Software Supply Chain Security
  • Why Securing Third-Party Closed Source and SaaS Apps Is Key

Advice for the Technology Buyer

  • Strategic Practices
  • Tactical Practices

Learn More

  • Related Research
  • Synopsis