November 1, 2022

Attacks on the software supply chain have grown by an average of 742% a year since 2019. It makes complete sense if you look at several factors.
Years ago, a software developer would write code as part of a large project. It is quite possible they had the opportunity to examine all aspects of their code for vulnerabilities. That transitioned to developers grabbing blocks of code from libraries. Even then, they had at least a chance to review code grabbed from software repositories.
Federal mandates regarding cybersecurity are forcing systems administrators to speed along work by using code from software libraries. Unfortunately, remote work and the transition to the cloud have made projects so complex that, if they tried to examine each line of code in a project, it would never get done.
"And then you want to also be scanning those artifacts that are eventually produced, you know, the things that you're going to be running the containers, the images, the JAR files"
Stephen Magill, Sonatype
One solution is to look at options for examining open-source code before it is incorporated into a project. Today’s interview is with Dr. Stephen Magill from Sonatype. He gives a detailed description of how software developers can be assured that the code they develop is safe. He reminds the audience that, even with bespoke code, newer versions must be added along with improved code over the long haul.
Dr. Magill brings up an interesting aspect of software risk – artifacts. In this sense of the word, an “artifact” is a bit of code that can make binaries work in a system. As a result, artifacts must be managed as carefully as traditional binaries.
If you would like more details about security and open-source software, consider downloading Sonatype's annual report, the “2021 State of the Software Supply Chain.”
If you enjoyed this article, you may want to listen to episode #25, Controlling the Hybrid Cloud.

John Gilroy
Has been behind a microphone since 1991. He can help you structure, launch, and promote your company podcast. johngilroy@theoakmontgroupllc.com