“As for the three gaps, it depends a bit on the scope of your software supply chain security effort. For example, they [the researchers] do not consider ‘open source software’ a supplier, as there is no contractual relationship. I think there is a contractual relationship, even if often a weak one, governed by the various open source licenses. I don’t think that is fundamentally different compared to commercial software. Commercial suppliers may ‘disappear’ or stop supporting a particular piece of software at any time (which I think is where they are going with this control).”
Environmental Scanning Tools, another missing mitigation, is often part of vulnerability management, Ullrich added. But, he said, sometimes other activities can fill the gap. For example, ‘Response Partnership’ is often part of the incident response framework, and collaboration is often also part of threat intelligence.
“You can always find gaps in frameworks if you extend their use beyond what they are originally designed to do,” he concluded, “and again, they need to be consistently updated.”
