Make Software Supply Chain Security a Daily Habit

▼ Summary
– Anastasia Tikhonova advises teams to use an SBOM daily rather than treating it as a compliance document.
– The goal is to operationalize software supply chain risk for active threat management.
In every software-driven organization, software supply chain security must shift from a checkbox exercise to a daily operational practice. Anastasia Tikhonova, Global Threat Research Lead at Group-IB, emphasizes that the Software Bill of Materials (SBOM) should not be treated as a static compliance document. Instead, teams should actively use it on a routine basis to identify and address vulnerabilities.
Tikhonova stresses that the real risk often lies in the components and dependencies that developers pull in from third-party sources. When an SBOM is filed away and ignored, organizations miss the chance to detect emerging threats early. She advocates for integrating SBOM analysis into continuous integration and development workflows, making it a regular part of the development lifecycle rather than a one-time audit.
To operationalize this, teams need to treat software supply chain risk as an ongoing concern. This means scanning SBOMs against current vulnerability databases, monitoring for newly disclosed flaws, and updating dependencies promptly. By making this a daily habit, security teams can move from reactive patching to proactive risk management.
Ultimately, the goal is to embed security into the fabric of software development. Tikhonova’s message is clear: an SBOM’s true value emerges only when it is actively used to guide decisions every day, not just when a compliance report is due.
(Source: Help Net Security)




