Modern Software: What's Really Inside?
As the cybersecurity industry approaches conference season, it's incredible to see members of the community eager to share their experiences. One might argue that the call-for-speakers process offers a deep and broad snapshot of what's on the collective minds of the entire cybersecurity ecosystem. One of the most intriguing topics of discussion observed in this year's "RSAC 2023 Call for Submissions Trends Report" was in and around open source, which has become more ubiquitous and less siloed than previously observed. Modern software has changed, and with it comes promise and perils.
Does Anyone Write Their Own Software Anymore?
Not surprisingly, cybersecurity professionals spend a lot of time talking about software — how it's assembled, tested, deployed, and patched. Software has a significant impact on every business, regardless of size or sector. Teams and practices have evolved as scale and complexity have increased. As a result, "Modern software is being assembled more than it's being written," says Jennifer Czaplewski, senior director at Target, where she leads DevSecOps and endpoint security; she is also an RSA Conference program committee member. That's not merely an opinion. Estimates of how much software across the industry includes open source components — code that is directly targeted in attacks small and large — range from 70% to nearly 100%, creating a huge, shifting attack surface to protect, and a critical area of focus for everyone's supply chain.
Assembly of code creates widespread dependencies — and transitive dependencies — as natural artifacts. These dependencies are far deeper than the actual code, and the teams that are incorporating it also need to better understand the processes used to run, test, and maintain it.
Nearly every organization today has an unavoidable reliance on open source code, which has driven the demand for better ways to assess risk, catalog use, track impact, and make informed decisions before, during, and after incorporating open source components into software stacks.
Building Trust and Components for Success
Open source isn't just a technology issue. Or a process issue. Or a people issue. It really stretches across everything, and developers, chief information security officers (CISOs), and policymakers all play a role. Transparency, collaboration, and communication across all of these groups are key to building critical trust.
One focal point for trust building is the software bill of materials (SBOM), which grew in popularity after President Biden's May 2021 executive order. We're starting to see tangible observations of quantifiable benefits from its implementation, including control and visibility of assets, more rapid response times to vulnerabilities, and overall better software life-cycle management. SBOM's traction seems to have spawned additional BOMs, among them DBOM (data), HBOM (hardware), PBOM (pipeline), and CBOM (cybersecurity). Time will tell whether the benefits outweigh the heavy duty of care put upon developers, but many are hopeful that the BOM movement could lead to a uniform way of thinking about and approaching a problem.
Additional policies and collaborations, including the Securing Open Source Software Act, Supply chain Levels for Software Artifacts (SLSA) framework, and NIST's Secure Software Development Framework (SSDF), seem to encourage the practices that have made open source so ubiquitous — the collective community working together with a goal of ensuring a secure-by-default software supply chain.
The overt focus on the "cons" around open source code and manipulation, attacks, and targeting of it has given birth to new efforts to mitigate associated risk, both with development processes and reports, as well as technology. Investments are being made to avoid ingesting malicious components in the first place. This introspection and real-life learnings around software development, software development life cycle (SDLC), and the supply chain as a whole are incredibly beneficial to the community at this stage.
In fact, open source can greatly benefit … open source! Developers rely on open source tools to integrate critical security controls as part of the continuous integration/continuous delivery (CI/CD) pipeline. Continued efforts to provide resources, such as the OpenSSF scorecard, with its promise of automated scoring, and the Open Source Software (OSS) Secure Supply Chain (SSC) Framework, a consumption-focused framework designed to protect developers against real-world OSS supply chain threats, are just two examples of promising activities that will support teams as they assemble software.
Open source has and will continue to change the software game. It has affected the way the world builds software. It has helped speed time to market. It has stimulated innovation and reduced development costs. Arguably, it's had a positive impact on security, but work remains to be done. And building a more secure world takes a village coming together to share ideas and best practices with the greater community.