
Securing Your Software Supply Chain

Tamulyn Takakura · March 04, 2021

Part one of a three-part series. 

Software is Assembled

Applications contain hundreds of code components. Applications are constructed similarly to automobiles: parts are sourced from multiple vendors to produce software that is then used by the consumer.

Two types of code components make up applications: 

  • Third-party components. These are code components developed by an external individual or organization. Typically, third-party code is free and open source software (FOSS) or commercial off-the-shelf software (COTS). For example, a product team might use MatrixSSL to secure network communications in IoT and other lightweight scenarios. 
  • First-party components. First-party code is written in-house by the developing organization's R&D team. It is written for functionality and features that are not freely and openly available, and it is also written to assemble third-party code components into a product. 

Leading software composition analysis vendor BlackDuck Software found that 95% of the commercial applications it analyzed contain open source code. In fact, the majority of software consists of third-party components; up to 80% of an application can be third-party code.

You Can’t Beat Free?

It makes sense to take advantage of third-party code. Using third-party components, especially open source, has several benefits. 

  • Faster time to market. Third-party code offers developers the foundational building blocks for features and functionality that would otherwise take considerable time to build from scratch. Using third-party components gives developers the boost they need to keep pace with ever-faster development cycles.

  • Quality features. Outsourcing parts of your product to the experts often results in a quality output. For instance, car manufacturers rely on the specializations of their suppliers to build a quality vehicle. Similarly, if your organization wants to use the TLS protocol to secure communications, implementing the protocol yourself would be impractical and difficult: you would first have to hire developers who specialize in network communications and cryptography, and then implement TLS, which is no easy feat. It is much faster and safer to use an established third-party component such as OpenSSL or MatrixSSL. 
  • Free of cost. The benefits of open source software may seem too good to be true: it lets developers release faster, without coding features from scratch or paying for them. Developers are creative individuals who solve complex problems with code. They are not security engineers, QA engineers, or lawyers. Open source code meets the criteria they need to complete their work effectively. 

Developers are many things: creative, intelligent, and human. Developers sometimes make mistakes, and those mistakes turn into vulnerabilities. Irrespective of whether your developers wrote the code or not, if it is in your product, it is your problem.
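If everything in the product is your problem, the first practical step is knowing what is in it. The script below is an added example, not code from the original post or from ForAllSecure: it reads an npm lockfile (the lockfileVersion 2/3 layout, where every installed component is keyed by its install path under "packages"), separates first-party workspace packages from third-party dependencies, reports what share of the shipped components is third-party, and flags any third-party entry that carries no integrity hash and therefore cannot be verified against the lockfile. The lockfile content, package names, registry URL and hashes are all constructed for this example and are not real packages.

```python
"""Inventory the components in an npm lockfile: first-party vs. third-party.

Added example (not from the original post). The lockfile below is constructed;
its package names, registry host and hashes are placeholders. It follows the
npm lockfileVersion 2/3 layout: the root project is keyed by "", workspace
packages by their source path, and installed dependencies by their
node_modules path.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample: a root app, one first-party workspace package that is
# symlinked into node_modules, three third-party runtime dependencies (one of
# them nested, one with no integrity hash) and one dev-only dependency.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "packages/internal-auth": {"name": "@acme/internal-auth", "version": "0.4.2"},
        "node_modules/@acme/internal-auth": {"resolved": "packages/internal-auth", "link": True},
        "node_modules/left-pad-ish": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/left-pad-ish-1.3.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/tiny-tls-shim": {
            "version": "2.0.1",
            "resolved": "https://registry.example.invalid/tiny-tls-shim-2.0.1.tgz",
            # no "integrity": the tarball cannot be checked against the lockfile
        },
        "node_modules/tiny-tls-shim/node_modules/semver-ish": {
            "version": "7.5.4",
            "resolved": "https://registry.example.invalid/semver-ish-7.5.4.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/test-runner-ish": {
            "version": "9.0.0",
            "resolved": "https://registry.example.invalid/test-runner-ish-9.0.0.tgz",
            "integrity": "sha512-CCCC",
            "dev": True,
        },
    },
})


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    origin: str        # "first-party" or "third-party"
    dev_only: bool     # not shipped to the consumer
    verifiable: bool   # a pinned integrity hash exists (or the code is yours)


def package_name(install_path: str, entry: dict) -> str:
    """Derive the package name from an npm install path, e.g.
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    if "name" in entry:
        return entry["name"]
    return install_path.rsplit("node_modules/", 1)[-1]


def inventory(lockfile_text: str) -> list[Component]:
    """Return one Component per installed package, skipping the root and the
    symlink entries that merely point at first-party workspace packages."""
    packages = json.loads(lockfile_text)["packages"]
    components: list[Component] = []
    for path, entry in packages.items():
        if path == "" or entry.get("link"):
            continue
        first_party = "node_modules/" not in path  # workspace source tree
        components.append(Component(
            name=package_name(path, entry),
            version=entry.get("version", "unpinned"),
            origin="first-party" if first_party else "third-party",
            dev_only=bool(entry.get("dev", False)),
            verifiable=first_party or "integrity" in entry,
        ))
    return components


def third_party_share(components: list[Component]) -> float:
    """Fraction of shipped (non-dev) components that are third-party."""
    shipped = [c for c in components if not c.dev_only]
    if not shipped:
        return 0.0
    return sum(1 for c in shipped if c.origin == "third-party") / len(shipped)


def unverifiable(components: list[Component]) -> list[str]:
    """name@version of every component the lockfile cannot vouch for."""
    return sorted(f"{c.name}@{c.version}" for c in components if not c.verifiable)


if __name__ == "__main__":
    comps = inventory(SAMPLE_LOCKFILE)
    for c in comps:
        print(f"{c.origin:12} {c.name}@{c.version}{' (dev)' if c.dev_only else ''}")
    print(f"third-party share of shipped code: {third_party_share(comps):.0%}")
    print("unverifiable:", unverifiable(comps))
```

The share is computed over component count, not lines of code, so it understates how much third-party code a handful of large dependencies can contribute; the point is to have a complete, machine-readable list to start from. Any entry that turns up in `unverifiable` is a component whose contents you are trusting without even a hash, which is the first thing to fix before analysing what it contains.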

In part two of the series, I will discuss some of the consequences of not analyzing open source. 

Download the complete white paper Build a Test and Evaluation Plan with Advanced Fuzz Testing.


This is a Security Bloggers Network syndicated blog from Latest blog posts authored by Tamulyn Takakura. Read the original post at: https://forallsecure.com/blog/securing-your-software-supply-chain