The Vulnerable State of the Software Supply Chain

Brian Fox on the Progress Being Made With Software Supply Chain Management in 2023
The state of the software supply chain in 2023 continues to be "unacceptable," said Brian Fox, co-founder and CTO at Sonatype. Sounding alarm bells, Fox cited a Sonatype report that said organizations are using known vulnerable components in their applications 96% of the time and known Log4j vulnerabilities nearly 30% of the time.
Although the statistics are worrisome, some progress has been made within the open-source software ecosystem since the Log4j vulnerabilities were detected in 2021, Fox said. Government regulations and policies, including the national cybersecurity strategy in the United States and the European Union's Cyber Resilience Act, have increased awareness and momentum, albeit slowly.
"Imagine if an auto manufacturer today was putting known flawed airbags into a new model of your car. That's what we're doing in software," Fox said. "Most organizations don't have a good understanding of the dependencies that they have in their entire stack. They lack the visibility. If the software industry would start making better choices and understanding where the parts are in their applications, these behaviors would start to change and we'd start to see meaningful difference."
In this video interview with Information Security Media Group at RSA Conference 2023, Fox also discusses:
- The state of the software supply chain;
- Gaps that need to be filled to reach a mature software supply chain;
- SBOMs and how they are driving the conversation.
Fox has open-source experience as a member of the Apache Software Foundation and former chair of the Apache Maven project. He has over 20 years of experience leading the development of software for organizations, ranging from startups to large enterprises.