The software supply chain has emerged as one of the most vulnerable and consequential targets for threat actors. For Kevin E. Greene, Chief Security Strategist at BeyondTrust, securing that supply chain must be a strategic and immediate priority as the cyber threat landscape evolves. Greene has spent nearly three decades on the front lines of cybersecurity, from leading software security research at the Department of Homeland Security to shaping threat-informed defense strategies at MITRE, and now, at BeyondTrust, helping government agencies focus their identity security strategies to elevate cyber defense. He has played a pivotal role in developing tools like Hybrid Analysis Mapping (HAM), advancing open-source Static Application Security Testing (SAST) tools, and contributing to frameworks such as the Common Architecture Weakness Enumeration (CAWE) and MITRE ATT&CK. “If you’re building software today, you’re inheriting not just functionality but also unknown security risk from third-party software,” he says. “Understanding how to manage software supply chain risk is not only fundamental, but essential for national security.”
Understanding the Nature of Software Vulnerabilities
“All software has vulnerabilities, and all software has CWEs (Common Weakness Enumerations) lurking in code waiting to be exploited,” Greene says, pointing to what he sees as a fundamental truth often overlooked by organizations. Whether sourced internally or pulled from open repositories, software components inevitably carry inherited flaws. This reality demands a proactive and structured approach to managing software supply chain risks.
Organizations must not only scrutinize the software they incorporate into their DevSecOps pipelines, but also develop formal processes to maintain and monitor it over time. “You need a well-formalized process for bringing in software, understanding how to implement and maintain it, and having the necessary procedures in place like threat modeling, vulnerability management and Software Bills of Materials (SBOMs) to manage risk,” he explains. Without a formal process for managing third-party software risk, organizations remain exposed to software supply chain attacks.
Technical Debt and the Gravity of Poor Design Choices
Beyond the vulnerabilities that naturally arise in software, Greene emphasizes the mounting issue of technical debt. “Sometimes developers take shortcuts with poor design decisions and never go back to fix, refactor or redesign,” he says. Over time, these poor design decisions lead to vulnerabilities, creating what Greene calls “software gravity,” the force that pulls features, complexity, and resources toward a software system over time. That gravity, whether intentional or not, degrades both the quality and the security of software.
Unchecked technical debt introduces long-term risk and serves as fertile ground for catastrophic vulnerabilities. “It will come back to haunt you in the form of a software supply chain attack or a third-party vulnerability (which can be a design flaw),” Greene warns. Paying down technical debt is essential to reduce the cost of maintaining software and to avoid costly software supply chain attacks.
Threat Actors Exploiting Known Vulnerabilities
Greene points to a critical shift in attacker behavior: “Threat actors are moving beyond phishing and beginning to target known weaknesses and vulnerabilities, CWEs and CVEs, at an alarming rate.” These exploits often serve as entry points in sophisticated campaigns, including ransomware. He describes them as part of a broader attack lifecycle, where initial access via software flaws leads to privilege escalation and lateral movement across network environments. This tactic is especially concerning given the ubiquity of software across all sectors. “Software powers our critical infrastructure, our healthcare systems, water, aviation, everything,” Greene says. The sheer scale and interdependence of modern software systems mean that a single exploited vulnerability can have far-reaching consequences. In this context, software security is not just a technical function; it is our first line of defense in protecting the nation.
Proactive Measures for Securing the Software Supply Chain
To counteract these escalating risks, Greene outlines three essential strategies:
- Mature Vulnerability Management: “Organizations need a well-defined vulnerability management and disclosure program,” he says. That includes everything from timely patching to clear communication channels with key stakeholders and partners. The speed at which attackers can weaponize vulnerabilities means companies must act quickly and decisively.
- Actionable Threat Intelligence: Security leaders must move beyond reactive approaches. “Leverage threat intelligence to understand what threat actors are targeting, whether it’s binaries, certain CVEs, git repositories, or open-source libraries,” says Greene. Threat intelligence should be integrated into CI/CD pipelines, shaping how software systems are protected.
- Software Resiliency Over ‘Security’: Greene is pragmatic: “There is no such thing as secure software. What we can aim for is resilient software.” This means building with software minimalism in mind: stripping unnecessary features, deprecating unused APIs, and removing unnecessary network services and tools, thereby shrinking the overall attack surface. By focusing on resilience, teams can ensure that under given threat conditions the security properties perform as intended and do not expose additional attack surface when software vulnerabilities are present.
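The SBOM-driven vulnerability management Greene describes, and the idea of feeding threat intelligence into the CI/CD pipeline, can be wired together as a build gate. The following is an added illustration, not code from Greene or BeyondTrust: it cross-checks a constructed CycloneDX-style SBOM fragment against a constructed watchlist of affected packages (the package URLs, versions and advisory identifiers are placeholders, not real CVEs) and blocks the build when a component ships below its fixed version.

```python
"""Gate a build on an SBOM cross-checked against a watchlist (constructed example)."""
import json

# Constructed CycloneDX-style SBOM fragment; purl and version are the fields the gate reads.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "libfoo", "version": "1.2.3", "purl": "pkg:pypi/libfoo@1.2.3"},
  {"type": "library", "name": "barlib", "version": "4.0.1", "purl": "pkg:pypi/barlib@4.0.1"},
  {"type": "library", "name": "quxparse", "version": "0.9.0", "purl": "pkg:npm/quxparse@0.9.0"}
]}
"""

# Constructed watchlist standing in for a threat-intel feed: package (purl without version),
# the version the issue is fixed in, and a placeholder advisory id (not a real CVE).
WATCHLIST = [
    {"package": "pkg:pypi/libfoo", "fixed_in": "1.2.4", "advisory": "ADVISORY-PLACEHOLDER-1"},
    {"package": "pkg:npm/quxparse", "fixed_in": "0.8.0", "advisory": "ADVISORY-PLACEHOLDER-2"},
]

def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def split_purl(purl):
    """Split 'pkg:pypi/libfoo@1.2.3' into ('pkg:pypi/libfoo', '1.2.3')."""
    name, _, version = purl.rpartition("@")
    return name, version

def find_affected(sbom_json, watchlist):
    """Return (name, version, advisory) for each SBOM component older than its fix."""
    sbom = json.loads(sbom_json)
    fixes = {w["package"]: w for w in watchlist}
    hits = []
    for comp in sbom.get("components", []):
        pkg, version = split_purl(comp["purl"])
        entry = fixes.get(pkg)
        if entry and parse_version(version) < parse_version(entry["fixed_in"]):
            hits.append((comp["name"], version, entry["advisory"]))
    return hits

def build_allowed(sbom_json, watchlist):
    """Pipeline gate: block the build when any watched, unfixed component ships."""
    return not find_affected(sbom_json, watchlist)

if __name__ == "__main__":
    for name, version, advisory in find_affected(SBOM_JSON, WATCHLIST):
        print(f"BLOCK {name} {version}: {advisory}")
    print("build allowed" if build_allowed(SBOM_JSON, WATCHLIST) else "build blocked")
```

In the constructed data only libfoo is below its fixed version, so the gate blocks; quxparse already carries the fix and barlib is not on the watchlist.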
A Call for Strategic Transformation
Securing the software supply chain is no longer optional. It is foundational to organizational survival in an increasingly digitized environment. Greene’s message is clear: “We must reshape and redefine our software development practices, as echoed in the new Executive Order by the Trump administration. That includes building resiliency into design and being mindful of every dependency we introduce.” For decision-makers and engineers alike, this means adopting a mindset where software is treated not just as a product, but as a living system, one that requires stewardship, vigilance, and strategic foresight.
To keep up with Kevin E. Greene’s latest insights on cybersecurity and supply chain resilience, connect with him on LinkedIn or visit his website.
