
The Shifting Landscape of Open Source Supply Chain Attacks – Part 3


Previous entries in this series: Part 1, Part 2


This series started with a discussion of how open source software has shifted software development onto a supply chain, and of how existing supply chains respond, improve, and adapt so that unexpected issues are easier to mitigate and remediate.

In our second post, we looked at how the software supply chain has been under attack for nearly a decade. While some attacks have stayed the same, others are evolving. We identified three key phases:

  • The Zero Day
  • The Supply Chain
  • The Corporate Developer

In each phase, the attacker pursues similar outcomes. What has changed is the approach, which has expanded to include, and increasingly to concentrate on, developer infrastructure and the developers themselves. The consequences of these attacks are not only financial; the cost and collateral damage extend to a real risk to human lives.

When lives are on the line, the stakes are raised. That raises a critical question, and it brings us to the focus of this third and final post: who is responsible, and how do we minimize the impact on developer efficiency and speed?

Views on open source can be misguided

To understand current thinking, look at the reaction to the US Executive Order on cybersecurity and to similar initiatives from governments worldwide. These have both engaged the media and raised awareness among organizations and consumers.

The results? A collective panic.

Without overstating the reaction, there has been an immediate over-rotation toward the problems of open source and its perceived lack of funding. Many of those involved wrongly regard open source volunteers as amateurs.

At present, you don't need to travel far to hear chants of "the federal government must get involved and provide funding." And in at least one overheard conversation at a holiday dinner table, ...

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Brian Fox. Read the original post at: https://blog.sonatype.com/the-shifting-landscape-of-open-source-supply-chain-attacks-part-3