Suppression Management: How to Balance Software Supply Chain Security with Practical Business Goals

Suppression Management

In an ideal world, you would only ever ship immaculately secure versions of your software—free from all known vulnerabilities. 

However, you’re not building software in an ideal world: the security of your product is just one of many factors that affect what you ship and when you ship it. Budget constraints, talent gaps, operational schedules, and good old-fashioned customer deadlines also come into play—which means software companies often need to sacrifice short-term cybersecurity perfection for the sake of long-term product (and business) viability.

This happens in every area of life, not just software. We prop the front door ajar while moving heavy boxes in or out of the home. We trust bartenders to hold on to our credit cards when we start tabs. We trust restaurant cooks to handle our food in a sanitary manner, even though we don’t directly observe them washing their hands. All of these decisions sacrifice some security for the sake of practicality—because if we were 100% secure all the time, we’d never get anything done.

When it comes to the security of your software products, you don’t want to be held hostage by your own security policies. You need to be able to temporarily (and prudently) loosen your security standards in order to keep the business running. You also need to be able to follow up and patch those vulnerabilities later.

That’s why MergeBase now offers suppression management capabilities. MergeBase lets you strategically suppress specific findings from your security tooling so you can ship your products, while tracking the vulnerabilities you allow through so you can fix them later.

Suppression management with MergeBase

There will likely come a time when you discover a new vulnerability in your software supply chain, but you don’t have the capacity to address it before your shipping deadline. An advanced software composition analysis (SCA) tool like MergeBase will prevent you from shipping a software build that contains high-risk vulnerabilities—but what if you need to meet your deadline today and can easily fix this problem in the next 72 hours?

When this happens, MergeBase allows you to suppress the vulnerability and ship your product. You can use our suppression management feature to choose which vulnerabilities to ignore and for how long to ignore them. 

This allows you to stay on schedule and quickly patch the problem afterward.

This exception to the rules is recorded, so you have full accountability when it comes to the issue. MergeBase logs the vulnerability, the time period for which you’ve decided to ignore it, and any rationale you choose to provide as comments. You’re still upholding your security policies—you’re simply making (and recording) a judgment call.

Importantly: this is a controlled exception. You’re not indefinitely disabling all of your vulnerability protection. Using this feature allows you to make a conscious, temporary exception to the rules. 

It’s similar to how you might respond if a high-ranking sales employee showed up at the office one morning and, upon attempting to scan in, realized she had forgotten her company ID at home. You wouldn’t call the police, you wouldn’t fire her, and you likely wouldn’t send her back home to get her badge. But you also wouldn’t disable all the locks in the building for the day and risk allowing just anyone inside.

Instead, you’d give her a temporary visitor pass, remind her of the importance of bringing company ID to work with her, and let her do her job that day. If the problem persisted, you’d take further action. 

Likewise, suppression management allows you to temporarily suspend the status quo—without upending your entire software supply chain security policy.

How suppression management works in MergeBase

The first step in suppression management in MergeBase is to set your baseline policies for what kinds of vulnerabilities you permit to exist in your software. MergeBase scores the threat level of every known vulnerability on a scale of 0–10, which means you can preconfigure MergeBase to halt any build from going live if it contains vulnerabilities above a chosen threat-level threshold.

You can also permanently suppress common vulnerabilities and exposures (CVEs) in MergeBase. This is useful if your product or operations have built-in security measures that will naturally prevent a given CVE in your software supply chain from harming your customers or their end users. (Just like how one might ask their guests to take off their shoes upon entering the house, rather than only unlocking the front door after a visitor provides proof that they’ve already removed their shoes.)

It’s important to note that suppression management in MergeBase works at the individual vulnerability level—not the software component level. MergeBase will never give a component a unilateral free pass: you need to manually specify which vulnerabilities get temporary or permanent suppression.
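The policy described in this section (a severity threshold that gates the build, plus per-vulnerability suppressions that are either permanent or carry an expiry, with the rationale recorded for accountability) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not MergeBase's code or API, and the component names, `CVE-EXAMPLE-*` identifiers, scores, dates and the `evaluate_build` / `demo` functions are all constructed for the example. It shows three things a practitioner wants to verify in any suppression scheme: a suppression covers exactly one (component, vulnerability) pair rather than the whole component, an expired suppression stops waiving the finding, and every decision leaves an audit entry.

```python
"""Hypothetical build gate with per-vulnerability suppressions (added example).

Not MergeBase's own implementation: it models the behaviour the article
describes so the policy can be reasoned about and tested offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    component: str   # package coordinate as the scanner reports it
    version: str
    vuln_id: str     # CVE identifier reported for this component
    score: float     # severity on the 0-10 scale the article mentions


@dataclass(frozen=True)
class Suppression:
    vuln_id: str
    component: str                  # scoped to one (component, vuln) pair
    reason: str                     # rationale recorded for accountability
    author: str
    created_at: datetime
    expires_at: Optional[datetime]  # None means a permanent suppression

    def is_active(self, now: datetime) -> bool:
        """A temporary suppression stops applying once its expiry passes."""
        return self.expires_at is None or now < self.expires_at


@dataclass
class GateResult:
    blocking: List[Finding]                          # findings that fail the build
    suppressed: List[Tuple[Finding, Suppression]]    # findings waived by an active suppression
    expired: List[Tuple[Finding, Suppression]]       # findings whose waiver has lapsed
    audit_log: List[str]                             # one entry per decision

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate_build(findings: List[Finding], suppressions: List[Suppression],
                   threshold: float, now: datetime) -> GateResult:
    """Block the build if any finding at or above `threshold` lacks an active suppression."""
    # Key on the pair, never on the component alone, so one suppressed CVE
    # does not silently waive every other CVE in the same library.
    index = {(s.component, s.vuln_id): s for s in suppressions}
    result = GateResult([], [], [], [])
    for f in findings:
        where = f"{f.vuln_id} in {f.component}@{f.version}"
        if f.score < threshold:
            result.audit_log.append(f"ALLOW {where}: score {f.score} below threshold {threshold}")
            continue
        s = index.get((f.component, f.vuln_id))
        if s is None:
            result.blocking.append(f)
            result.audit_log.append(f"BLOCK {where}: score {f.score}, no suppression on file")
        elif s.is_active(now):
            until = "permanent" if s.expires_at is None else s.expires_at.isoformat()
            result.suppressed.append((f, s))
            result.audit_log.append(f"SUPPRESS {where} until {until} by {s.author}: {s.reason}")
        else:
            # An expired waiver is treated exactly like no waiver, but logged separately
            # so the follow-up that was promised can be chased.
            result.expired.append((f, s))
            result.blocking.append(f)
            result.audit_log.append(f"BLOCK {where}: suppression by {s.author} expired {s.expires_at.isoformat()}")
    return result


# Constructed sample data; identifiers are placeholders, not real CVEs.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
FINDINGS = [
    Finding("org.example:parser", "1.2.0", "CVE-EXAMPLE-0001", 9.8),   # active 72h suppression
    Finding("org.example:parser", "1.2.0", "CVE-EXAMPLE-0002", 7.5),   # same component, not suppressed
    Finding("org.example:logging", "3.0.1", "CVE-EXAMPLE-0003", 4.3),  # below threshold
    Finding("org.example:xmlutil", "0.9.0", "CVE-EXAMPLE-0004", 8.1),  # permanent suppression
    Finding("org.example:imaging", "2.2.0", "CVE-EXAMPLE-0005", 9.1),  # suppression already expired
]
SUPPRESSIONS = [
    Suppression("CVE-EXAMPLE-0001", "org.example:parser", "fix scheduled for next sprint",
                "alice", NOW, NOW + timedelta(hours=72)),
    Suppression("CVE-EXAMPLE-0004", "org.example:xmlutil", "vulnerable code path not reachable",
                "bob", NOW - timedelta(days=30), None),
    Suppression("CVE-EXAMPLE-0005", "org.example:imaging", "waiting on upstream release",
                "carol", NOW - timedelta(days=10), NOW - timedelta(days=1)),
]


def demo(threshold: float = 7.0) -> GateResult:
    return evaluate_build(FINDINGS, SUPPRESSIONS, threshold, NOW)


if __name__ == "__main__":
    r = demo()
    print("\n".join(r.audit_log))
    print("build passed:", r.passed)
```

With the sample data the build is blocked: `CVE-EXAMPLE-0002` is over the threshold and has no waiver even though its sibling CVE in the same component does, and `CVE-EXAMPLE-0005`'s waiver has lapsed. The audit log is the record the article asks for: who waived what, until when, and why, so the exception can be reviewed and the promised fix followed up.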

Improve your security and productivity with MergeBase

As software supply chain security law matures, software companies like yours need to stay both secure and productive. MergeBase can help you do both.

If you want to explore how MergeBase can help you strike the right balance, book a demo with us—we’d love to learn more about you and show you how we can help!

About the Author

Oscar van der Meer

Inspiring leadership and innovative technology expertise in Digital, Payments, Finance and Artificial Intelligence.