Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/18/2012
01:59 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Gartner: Prepare For IT Supply Chain Integrity And Online Infrastructure To Get Pwned

New report details how, why and to what extent enterprise IT supply chains will be targeted and compromised in the near future

STAMFORD, Conn., October 18, 2012 -- Enterprise IT supply chains will be targeted and compromised, forcing changes in the structure of the IT marketplace and how IT will be managed moving forward, according to Gartner, Inc. By 2017, IT supply chain integrity will be identified as a top three security-related concern by Global 2000 IT leaders.

These findings are produced as part of Gartner's Maverick research. Maverick research is designed to spark new, unconventional insights. Maverick research is unconstrained by our typical broad consensus-formation process to deliver breakthrough, innovative and disruptive ideas from our research incubator.

Supply chain integrity is the process of managing an organization's internal capabilities, as well as its partners and suppliers, to ensure all elements of an integrated solution are of high assurance. The need for integrity in the IT supply chain is necessary, whether the solution is developed in-house or purchased from a third party.

"IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years," said Neil MacDonald, research vice president and Gartner Fellow. "In the shorter term, the market for information security offerings will fragment along geopolitical lines. In the longer term, the same will happen for OSs and other IT system infrastructure software, reshaping the IT landscape moving forward. Enterprise IT departments must begin to make changes today to protect their systems and information in a world where all IT systems are suspect. These changes in information protection strategies will help enterprises embrace and adopt cloud computing and consumerization, which have strikingly similar issues with untrusted systems."

"IT supply chain integrity issues are expanding from hardware into software and information," said Ray Valdes, research vice president at Gartner. "They are growing more complex as IT systems are assembled from a large number of geographically diverse providers, and, now of mainstream concern to enterprise IT. These issues are not just about defense and intelligence. This has significant implications for businesses, governments and individuals moving forward in a world where the integrity of the IT supply chain is no longer completely trustable, and where all layers of the IT stack will be targeted for supply chain compromise."

The IT supply chain has become more complex, fine-grained, globally distributed and volatile in the sense that rapid change provides the opportunity to introduce compromises. Hardware vendors are increasingly outsourcing not just manufacturing, but also design to OEM suppliers and contractors located in Asia and India. In some cases, established Asian suppliers are outsourcing to emerging economies, such as Brazil, Vietnam and Indonesia. This is a complex problem, since most hardware systems are a conglomeration of components and subsystems procured from a large number of individual providers.

However, Gartner analysts said most hardware systems include software-based elements (at a minimum, firmware and drivers), with the trend to shift more intelligence out of hardware and into software. In an information- and software-based economy, IT supply chain integrity must extend to include the following:

Software supply chains -- This includes components, frameworks, middleware, language platforms, virtual machines (VMs) and operating systems (OSs), but also the software infrastructure and environment for software distribution and updates (such as DNS, identity, application store packaging and digital certificates).

Ensuring the integrity of software supply chains is a more difficult problem because of the increased use of offshore development, the relative ease of cloning software, and the ongoing need to keep software patched and updated via trusted mechanisms.

Information supply chains -- Information is now becoming available from a variety of sources -- from partners, suppliers and cloud-based services, such as data from Google Maps, Twitter, Facebook and Amazon. This information can be incorporated into connected applications, information marketplaces and the information integrated from partners in an extended supply chain ecosystem. Critical decisions will be based on information assembled from many other sources, creating a similar supply chain integrity issue to that of hardware and software.

Additional information is available in the report, "Maverick* Research: Living in a World Without Trust: When IT's Supply Chain Integrity and Online Infrastructure Get Pwned." The report is part of the Gartner Special Report "Drive Disruptive Innovation with Maverick* Research." This Special Report explores high-impact future scenarios that help companies think differently to uncover opportunity and enable innovation. This collection of research is intentionally disruptive and edgy to help IT leaders get ahead of the mainstream and take advantage of trends and insights that could impact their IT strategy and their organization. The Special Report is available at http://www.gartner.com/technology/research/maverick/.

Mr. MacDonald and Mr. Valdes will provide additional analysis at Gartner Symposium/ITxpo in Orlando, October 21-25.

About Gartner Symposium/ITxpo

Gartner Symposium/ITxpo is the world's most important gathering of CIOs and senior IT executives. This event delivers independent and objective content with the authority and weight of the world's leading IT research and advisory organization, and provides access to the latest solutions from key technology providers. Gartner's annual Symposium/ITxpo events are key components of attendees' annual planning efforts. IT executives rely on Gartner Symposium/ITxpo to gain insight into how their organizations can use IT to address business challenges and improve operational efficiency.

Additional information for Gartner Symposium/ITxpo in Orlando is available at www.gartner.com/us/symposium. Follow news, photos and video coming from Gartner Symposium/ITxpo on Facebook at http://www.facebook.com/#!/GartnerSymposium, and on Twitter at http://twitter.com/Gartner_inc and using #GartnerSym.

Upcoming dates and locations for Gartner Symposium/ITxpo include:

October 21-25, Orlando, Florida: www.gartner.com/us/symposium

October 29-31, Sao Paulo, Brazil: www.gartner.com/br/symposium

November 5-8, Barcelona, Spain: www.gartner.com/eu/symposium

November 12-15, Gold Coast, Australia: www.gartner.com/au/symposium

March 5-7, 2013, Dubai, UAE: www.gartner.com/technology/symposium/dubai/

About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is a valuable partner in 12,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 5,200 associates, including 1,280 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32552
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.
CVE-2021-32553
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.
CVE-2021-32554
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg package apport hooks, it could expose private data to other local users.