Developers don’t write software these days, so much as they compile it. “A modern application typically consists of 80 to 90% of software components that your developers didn’t write,” said Brian Fox, chief technology officer and co-founder of Sonatype, whose products help control open source risk.
The software supply chain includes frameworks, user-interface components, logging tools, and a range of other nuts-and-bolts elements, all shared via repositories. These days, high-profile attacks and increasing regulatory scrutiny make vulnerabilities here a front-and-center concern.
“How do those components get into the repository? How do your developers choose which components are being included? How are they getting into your final build?” Fox said. With all these components under the hood, “we need to be talking about the software supply chain.”
A Clear Mandate
Cyber attacks in recent years have brought this concern to the forefront. There was SolarWinds, an attack on software that then proliferated among downstream users. Then came Log4J, an attack on a commonly used logging tool.
There is ample data to demonstrate that bad actors are deliberately making harmful tools available for use by unsuspecting developers.
“Since about 2017, we’ve seen a steady increase in the number of intentionally malicious components that are put into these repositories,” Fox said. “There were 250,000 components last year that were fraudulent, that were put into these repositories and designed to cause harm.” (You can learn more in Sonatype’s 9th Annual State of the Software Supply Chain Report.)
At the same time, a raft of federal mandates and guidance has focused attention on supply-chain security:
- The May 2021 Executive Order on Improving the Nation’s Cybersecurity says leaders “must take action to rapidly improve the security and integrity of the software supply chain.”
- A memo from the Office of Management and Budget (M-22-18) calls for agencies to enhance the security of the software supply chain through secure software development practices.
- The National Institute of Standards and Technology’s Secure Software Development Framework (SP 800-218.3) and its Software Supply Chain Security Guidance lay out practices that create the foundation for developing secure software.
“We’ve seen a lot of administrative action,” Fox said. “Attention and focus from [the Cybersecurity and Infrastructure Security Agency] and the Office of the National Cyber Director is keeping this in front of everybody.”
In this environment, program managers need to be at the top of their game when it comes to security. If a developer includes a faulty element in an application and opens up a security liability, “you don’t get a pass,” Fox said. “Ultimately, you’re responsible to your customers for what’s inside that [software].”
All Eyes on the SBOM
Developers can begin to address the risk with a thorough Software Bill of Materials, or SBOM: a list of all the ingredients that go into the software. In the federal space, that’s mandatory. “If you intend to sell software to the government, you need to be able to provide an SBOM,” Fox said.
The vendor community can help here as well. Sonatype’s Lifecycle product, for example, supports effective component lifecycle management. In support of the SBOM, the tool “is able to assess the components that are in your software…empirically, by analyzing what’s actually going on inside your systems,” Fox said.
“We use that information in conjunction with policies that you can configure to help provide guidance to the developers, so you can steer them away from the known-vulnerable versions,” he said. “And it can provide recommendations and automated alerts when new vulnerabilities come out.”
In addition, the Sonatype Repository Firewall can serve as the first line of defense when managing open-source components. The firewall “can sit on multiple different repository managers…and it analyzes those components as they come through,” Fox said. “When it finds one that has a known malware in it, it blocks it.”
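The two ideas in the preceding paragraphs, an SBOM that lists every component in a build and a policy that flags known-vulnerable or malicious components before they reach developers, can be illustrated with a small script. The following is an added example written for this article; it is not Sonatype’s code and does not describe how Lifecycle or Repository Firewall work internally. It parses a constructed pip-style requirements file, emits a CycloneDX-style SBOM (a subset of the real fields), and evaluates it against a constructed policy whose package names (`examplelib`, `exampletypo`) and versions are placeholders standing in for a real vulnerability feed or malware-detection service.

```python
"""Added example: build a minimal SBOM from a dependency manifest and check it
against a component policy. All inputs below are constructed placeholders."""
import json
import re
from typing import Dict, List

# Constructed sample manifest (pinned pip requirements); not from any real project.
REQUIREMENTS_TXT = """\
# web application dependencies (constructed sample)
Flask==2.0.1
examplelib==1.2.3
exampletypo==0.0.1
Pydantic_Core==2.0.0
"""

# Constructed policy. In practice this data would come from a vulnerability feed
# and a malware-detection service; the names and versions here are placeholders.
POLICY = {
    "vulnerable": {"examplelib": ["1.2.3"]},  # name -> versions with known CVEs (placeholder)
    "malicious": ["exampletypo"],             # names flagged as malware/typosquats (placeholder)
}

REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+!-]+)$")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-insensitive, '_' and '.' equivalent to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Dict[str, str]]:
    """Turn pinned requirement lines into component records; skip blanks and comments.
    Unpinned lines are rejected because an SBOM must name exact versions."""
    components = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = REQ_LINE.match(line)
        if not match:
            raise ValueError(f"unpinned or unparseable requirement: {raw!r}")
        name, version = normalize_name(match.group(1)), match.group(2)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",  # package URL identifies the exact artifact
        })
    return components


def build_sbom(components: List[Dict[str, str]], app_name: str = "demo-app",
               app_version: str = "1.0.0") -> dict:
    """Assemble a CycloneDX-style document (only the core fields are populated)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name,
                                   "version": app_version}},
        "components": components,
    }


def evaluate_policy(sbom: dict, policy: dict) -> List[dict]:
    """Return one finding per component that violates the policy.
    Malicious components are blocked outright; known-vulnerable versions are warned on."""
    findings = []
    for comp in sbom["components"]:
        if comp["name"] in policy["malicious"]:
            findings.append({"name": comp["name"], "version": comp["version"],
                             "action": "block", "reason": "component flagged as malicious"})
        elif comp["version"] in policy["vulnerable"].get(comp["name"], []):
            findings.append({"name": comp["name"], "version": comp["version"],
                             "action": "warn", "reason": "known-vulnerable version"})
    return findings


def main() -> None:
    sbom = build_sbom(parse_requirements(REQUIREMENTS_TXT))
    print(json.dumps(sbom, indent=2))
    for finding in evaluate_policy(sbom, POLICY):
        print(f"{finding['action'].upper():5} {finding['name']}@{finding['version']}: "
              f"{finding['reason']}")


if __name__ == "__main__":
    main()
```

Running the script prints the SBOM followed by one BLOCK line for the placeholder malicious package and one WARN line for the placeholder vulnerable version; the `purl` field is what lets a downstream consumer match the SBOM against advisories without ambiguity about which artifact was actually built in.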
All this will become even more important as the government looks to hold developers accountable for security gaps. The Securities and Exchange Commission, for example, recently filed suit against SolarWinds, alleging that the company knew about potential security risks and failed to disclose them.
Such action “clearly points the direction towards holding vendors and stewards of data accountable when bad things happen,” Fox said. “Intentional blindness no longer solves the problem.”
Sponsored by: