The Vulnerable State of the Software Supply Chain

Brian Fox on the Progress Being Made With Software Supply Chain Management in 2023
Brian Fox, co-founder and CTO, Sonatype

The state of the software supply chain in 2023 continues to be "unacceptable," said Brian Fox, co-founder and CTO at Sonatype. Sounding alarm bells, Fox cited a Sonatype report that said organizations are using known vulnerable components in their applications 96% of the time and known Log4j vulnerabilities nearly 30% of the time.

Although the statistics are worrisome, some progress has been made within the open-source software ecosystem since the Log4j vulnerabilities were detected in 2021, Fox said. Regulations and policies by governments, including the national cybersecurity strategy in the United States and the European Union's Cyber Resilience Act, have increased awareness and momentum, albeit slowly.

"Imagine if an auto manufacturer today was putting known flawed airbags into a new model of your car. That's what we're doing in software," Fox said. "Most organizations don't have a good understanding of the dependencies that they have in their entire stack. They lack the visibility. If the software industry would start making better choices and understanding where the parts are in their applications, these behaviors would start to change and we'd start to see meaningful difference."

In this video interview with Information Security Media Group at RSA Conference 2023, Fox also discusses:

  • The state of the software supply chain;
  • Gaps that need to be filled to arrive at a mature software supply chain;
  • SBOMs and how they are driving the conversation.

Fox has open-source experience as a member of the Apache Software Foundation and former chair of the Apache Maven project. He has over 20 years of experience leading the development of software for organizations, ranging from startups to large enterprises.

About the Author

Anna Delaney

Director, Productions, ISMG

An experienced broadcast journalist, Delaney conducts interviews with senior cybersecurity leaders around the world. Previously, she was editor-in-chief of the website for The European Information Security Summit, or TEISS. Earlier, she worked at Levant TV and Resonance FM and served as a researcher at the BBC and ITV in their documentary and factual TV departments.