Securing Closed Source and SaaS Apps in the Enterprise Software Supply Chain
Product code: 1648089
Research firm: IDC
Publication date: January 2025
Page information: English, 7 Pages
License & price (VAT not included)
US $7,500 / ₩10,851,000
PDF (Single User License)
This license allows the PDF report to be used by one person only. Printing is permitted, and the scope of use of printed copies is the same as that of the PDF.


This IDC Perspective offers guidance on why software supply chain security protections must extend to closed source and SaaS applications as well as open source code. Third-party closed source applications and SaaS apps often feature prominently alongside open source code in enterprise software supply chains. In some respects, closed source and SaaS software assets pose less of a risk than open source components because vendors are more likely to manage security risks in the former types of assets for their customers. In addition, vulnerabilities that impact closed source apps are often not disclosed publicly, reducing the chances that threat actors will learn about and exploit them.

Nonetheless, closed source and SaaS apps can be subject to a number of risks that can hamper software supply chain security. For that reason, businesses must be able to track third-party apps in their supply chains, even if the apps are not open source. Doing so is important for ensuring that businesses can determine quickly whether security flaws or incidents involving closed source software impact them, as well as to react quickly to such issues by (for example) installing patches in cases where the vendor does not automatically patch its software.

Unfortunately, managing software supply chain risks associated with third-party closed source apps and SaaS is not as straightforward as managing third-party open source code. However, it is possible using approaches like application inventory management, SaaS discovery, and the extension of SBOM practices to provide visibility into closed source and SaaS applications.

"Third-party closed source software and SaaS apps are easy to overlook in the context of software supply chain security, which tends to focus mostly on open source security risks," says Christopher Tozzi, adjunct research advisor, IDC's IT Executive Programs (IEP).
"However, the reality is that insecure closed source code and software hosted by someone else can pose just as much of a threat as open source vulnerabilities, making it critical to extend software supply chain security strategies and practices beyond open source alone."

Executive Snapshot

Situation Overview

Advice for the Technology Buyer

Learn More
