Tuesday, July 19, 2022

How we’ll solve software supply chain security

Who owns software supply chain security? Developers? Or the platform and security engineering teams supporting them?

In the past, the CIO, CISO, or CTO and their security team would decide which Linux distribution, operating system, and infrastructure platform the company would be getting its support contracts and security SLAs from. Today, developers do all of this in Dockerfiles and GitHub Actions, and there isn’t the same kind of organizational oversight that existed before these decisions shifted left to developers.

Today, compliance and security teams define the policies and higher-level requirements, while developers get the flexibility of choosing whatever tooling they want, provided it meets those requirements. It’s a separation of concerns that greatly accelerates developer productivity.

But as I wrote previously, Log4j was the bucket of cold water that woke organizations up to a systemic security problem. Even in the midst of all this shift-left developer autonomy and productivity goodness, the open source components that make up their software supply chain have become the favorite new target for bad actors.

Open source is great for devs, and great for attackers

Network security has become a much more difficult attack vector for attackers than it once was. But open source? Just find an open source dependency or a library, get in that way, and then pivot to all the other dependencies. Supply chains are really about the links between organizations and their software artifacts. And that is what attackers are having so much fun with today.

What makes open source software great for developers also makes it great for attackers.

Copyright © 2022 IDG Communications, Inc.
