Underpinning all modern technology – software and hardware – is a supply chain. However, even as “software eats the world,” or we could argue “ate the world,” there is still too little understanding of the software supply chain, with continued focus on hardware. The reality, however, is that software is much easier to pollute than hardware. While there has been an increase in awareness around the need for a coordinated application security strategy, the federal government has historically focused on playing strong defense, putting up walls at the perimeter, and at the end of the digital supply chain.
It’s time to shift more security resources further left. In this way, the government can play better offense at the beginning of the digital supply chain so that federal agencies can better protect themselves and the American citizenry.
- Open Source is Powering Federal Software Development – Open source software components are the backbone of federal software supply chains; in fact, 85% to 95% of an application is composed of open source components. Since they are free, and readily available, they allow agencies to save time and money, and in many cases improve quality.
- Agencies Don’t Know How Much Open Source They’re Using – There is a lack of transparency in how much open source software is being used throughout the federal government. A disconnect between the developers and security teams, make it difficult to rectify this, but with proper controls, can be fixed.
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Jason Green. Read the original post at: https://blog.sonatype.com/top-6-reasons-the-time-is-now-for-devsecops-in-the-federal-government