I have Celiac disease. That means I can't consume gluten – that's rye, wheat, and barely – without the risk of triggering an auto-immune reaction that is, quite honestly, unpleasant to experience.
As a result, I am an avid reader of ingredient labels. I am highly suspicious of "modified food starch," "yeast extract," "hydrolyzed," anything and a number of other interesting ingredients that can either be produced using a gluten product or produced from a gluten-containing product. For example, yeast extract may be your normal, everyday yeast, but it can, in some cases, be specifically made from brewer's yeast, which means the extract came from a gluten-containing grain.
Yeah, you do not want to go grocery shopping with me.
Even if a product has no obvious gluten or related ingredients, I have to further examine its manufacturing environment. Many products are manufactured in the same plant as gluten-containing products and thus may be “cross-contaminated.” As even a micro-amount of gluten will trigger a reaction, these products are not allowed in my shopping cart.
Now, at this point, you should start to notice that while it sounds fairly easy to avoid gluten – just look at the ingredient list – the reality is that it's far more challenging than that. Because the supply chain matters.
Which is how we get from Celiac disease to software supply chain security. Because that, too, is more than a focus on just the actual ingredients in your applications, such as the open-source web app framework or database or other software you’re using. It’s also about what went into that software - its composite dependencies and how it was “manufactured," and in what environment.
The modern software supply chain
The use of open source is nothing new. The reality is that the software supply chain – the open-source components and dependencies used to build modern applications - has been growing for years as organizations have adopted and expanded on digital as the default engagement model. The most recent estimates are that the average modern application contains 128 open-source dependencies.
But what’s more distressing is the increasing threat from those dependencies. Of the 67% of developers who think they leave vulnerabilities in their code, 45% believe those vulnerabilities are the inherent flaws in libraries or frameworks they’re using. They believe that because we know that 29% of popular projects contain at least one known security vulnerability. There’s no way to know how many unknown vulnerabilities there are because, well, they aren't known. Yet.
Oh, and let’s not forget that as the movement to modernize ops gears up, open source will be a significant source of automation and tools, which will only increase the depth of the software supply chain.
It's time to get serious about supply chain security. Open source is so widely used that it is a magnet for attackers.
While the executive order issued last year to try to improve software supply chain security was a good motivator, organizations need to embrace the idea of greater due diligence to secure the software supply chain. That means supporting OSS security standards and efforts like OpenSSF and adopting enterprise-grade services for open-source projects. Giving back to the community through open source should include security support. The industry needs standard practices, tools, and even processes that promote – and perhaps even reward – those who diligently participate in the effort to secure the software supply chain.
For enterprise organizations, it means establishing standard security practices from day zero of development through its entire lifecycle and embracing the “shift left” mindset inherent in a DevSecOps practice. It means not only performing security scans on all software but acting on the results. It means auditing your entire portfolio of software – from dev to ops to infrastructure and networking - and documenting exactly what open-source software is powering your business.
It's to get serious about supply chain security and read those software ingredient labels with a critical eye before you consume a project that will trigger a very unpleasant digital reaction.