Supply-Chain Attack Threat Management

Question

How does FileWave reduce the risk of supply-chain attacks against the FileWave product and release process?

Answer

Supply-chain attacks are a serious risk for software vendors, especially vendors that provide endpoint management and IT operations tools. FileWave works to reduce that risk through a layered approach to product development, component management, build automation, release delivery, and security review.

A supply-chain issue can be introduced in more than one place: internal source code, a build or release process, a partner component, a third-party library, or an open-source dependency. Because of that, FileWave treats supply-chain protection as an ongoing process rather than a single control. FileWave also publishes an Open Source Software used in FileWave chapter that documents the open-source components used in the product.

FileWave's controls focus on limiting where release components come from, making the product assembly process repeatable, reducing manual release steps where practical, reviewing known material vulnerabilities, and responding to feedback from security researchers, vendors, customers, and the broader security community.

No security process is perfect, so FileWave continues to review and improve its tools and processes as cybersecurity threats and attack methods change.