
7 top software supply chain security tools


As the fallout from the Apache Log4j vulnerabilities disclosed in December 2021 shows, the biggest risks in enterprise software today are not necessarily in insecure code written directly by in-house development teams. The flaws in the components, libraries and other open-source code that make up the bulk of today's software code bases are the underwater part of the insecurity iceberg.

The truth is that much of the enterprise software and custom applications produced by DevOps teams and software engineering groups is not actually written by their own developers. Modern software is modular: developers assemble new applications from prebuilt components, a lot like building a Lego house out of premade blocks (the same reuse pattern appears at the service level in microservices architectures, where an application is composed of independently built services). Rather than reinventing the wheel every time an application needs a common function, developers root around in their proverbial box of blocks for the one that does what they need without a lot of fuss.

That box is today’s ever-expanding software supply chain, a sometimes very informal source of code that flows from the millions of GitHub repositories and open-source projects floating around online today. It consists of components and libraries used in myriad applications and in the underlying application and development infrastructure used to construct modern development pipelines.

Of course, the programs provided by this supply chain aren't really bricks and they don't always interlock perfectly, so developers write custom code to glue the pieces together. Many then publish those creations as yet more open-source projects for others facing similar problems, which is one reason the software supply chain keeps growing.

Applications built with third-party code

A modern application is mostly made up of third-party code. According to Forrester, the percentage of open-source code that makes up an average application’s code base rose from 36% in 2015 to 75% in 2020.

It's a faster, more scalable way to develop, but like all technology innovation it comes with added cyber risk unless proper care is taken. The dirty little secret of the development world is that components pulled from today's software supply chain can easily be out of date and riddled with vulnerabilities. Making things more complicated, flaws are often nested: a project depends on other projects in the supply chain, so a vulnerable library can arrive several levels deep as a transitive dependency that the application's developers never chose directly. Sometimes flaws are even added on purpose by attackers who seed open-source software with intentionally vulnerable or malicious code.
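The nesting problem described above is easiest to see by walking a resolved dependency graph and tracing every path by which a package with a known flaw reaches the application. The following is an added example for this page, not code from the article or from any of the tools it covers; the dependency graph, package names and advisory version ranges are all constructed for illustration and do not describe real packages or real CVEs.

```python
"""Trace how vulnerable packages reach an application through transitive
dependencies.  Added example; the graph and advisory table are constructed."""
from typing import Dict, List, Tuple

# Constructed, already-resolved dependency graph (the shape a lock file has
# after resolution): "name@version" -> the name@version entries it pulls in.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "myapp@1.0.0": ["web-framework@2.3.1", "json-parser@1.8.0"],
    "web-framework@2.3.1": ["logging-facade@1.7.0", "http-client@4.2.0"],
    "logging-facade@1.7.0": ["logging-core@2.14.1"],
    "http-client@4.2.0": ["json-parser@1.8.0"],
    "json-parser@1.8.0": [],
    "logging-core@2.14.1": [],
}

# Constructed advisory table: package name -> [(first affected, fixed in), ...]
# (hypothetical ranges, not real advisories).
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "logging-core": [("2.0.0", "2.17.1")],
    "json-parser": [("1.0.0", "1.9.0")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically,
    not lexically ('2.9.0' must sort below '2.14.1')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if version falls inside any half-open [first_affected, fixed_in) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(fixed) for lo, fixed in ranges)


def find_vulnerable_paths(
    graph: Dict[str, List[str]],
    root: str,
    advisories: Dict[str, List[Tuple[str, str]]],
) -> List[Tuple[str, List[str]]]:
    """Depth-first walk from root.  Returns (package@version, path_from_root)
    for every vulnerable package reached.  The same package is reported once
    per distinct path: to remediate you need to know every direct dependency
    that drags it in, not just that it is present somewhere."""
    findings: List[Tuple[str, List[str]]] = []

    def walk(node: str, path: List[str]) -> None:
        name, _, version = node.rpartition("@")
        if name in advisories and is_affected(version, advisories[name]):
            findings.append((node, path))
        for child in graph.get(node, []):
            if child in path:  # cycle guard for malformed graphs
                continue
            walk(child, path + [child])

    walk(root, [root])
    return findings


def direct_dependency_to_fix(path: List[str]) -> str:
    """The top-level dependency the application actually declared; this is the
    one to upgrade, pin or replace (path[0] is the application itself)."""
    return path[1] if len(path) > 1 else path[0]


if __name__ == "__main__":
    for package, path in find_vulnerable_paths(DEPENDENCY_GRAPH, "myapp@1.0.0", ADVISORIES):
        depth = len(path) - 1
        print(f"{package}: {depth} hop(s) deep via {' -> '.join(path)}; "
              f"fix through {direct_dependency_to_fix(path)}")
```

Against the constructed graph this reports three findings: the hypothetical logging-core@2.14.1 three hops down (reachable only through web-framework), and json-parser@1.8.0 twice, once as a direct dependency and once pulled in by http-client. That second case is the one lock files hide from a casual reader: upgrading the direct json-parser pin alone would leave the vulnerable copy that http-client resolves to, which is why a real scanner reports every path rather than one hit per package.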

Copyright © 2022 IDG Communications, Inc.
