Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by Guilherme (Gui) Alvarenga
How GitHub Uses GitHub to Be Productive and Secure
May 31st 2023 10:30am, by Loraine Lawson
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by Steven J. Vaughan-Nichols
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Paketo Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by Joe Fay
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by Keith Pijanowski
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by Jennifer Riggins
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
LangChain: The Trendiest Web Framework of 2023, Thanks to AI
Jun 1st 2023 10:57am, by
30 Non-Trivial Ways for Developers to Use GPT-4
Jun 1st 2023 9:39am, by
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by
Chainguard Unveils Speranza: A Novel Software Signing System
Jun 7th 2023 2:22pm, by
Speeding up Codecov Analysis for Xcode Projects
Jun 7th 2023 9:02am, by
Building StarCoder, an Open Source LLM Alternative
Jun 7th 2023 8:19am, by
Building GPT Applications on Open Source Stack LangChain
Jun 7th 2023 6:58am, by
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by
Python and WebAssembly: Elevating Performance for Web Apps
Jun 5th 2023 3:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
DataStax Adds Vector Search to Astra DB on Google Cloud
Jun 7th 2023 10:07am, by
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
Bringing AI to the Data Center 
Jun 1st 2023 6:13am, by
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by
DataStax Adds Vector Search to Astra DB on Google Cloud
Jun 7th 2023 10:07am, by
Enhance Kubernetes Scheduling for GPU-Heavy Apps with Node Templates
Jun 7th 2023 10:00am, by
Building StarCoder, an Open Source LLM Alternative
Jun 7th 2023 8:19am, by
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
Meta-Semi Is an AI Algorithm That 'Learns How to Learn Better'
Jun 6th 2023 3:00am, by
Chainguard Unveils Speranza: A Novel Software Signing System
Jun 7th 2023 2:22pm, by
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by
Compiled Python Code Used in a New PyPI Attack
Jun 2nd 2023 6:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
‘Running Service’ Blueprint for a Kubernetes Developer Portal
Jun 7th 2023 8:30am, by Zohar Einy
Building GPT Applications on Open Source Stack LangChain
Jun 7th 2023 6:58am, by Akmal Chaudhri
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
Enhance Kubernetes Scheduling for GPU-Heavy Apps with Node Templates
Jun 7th 2023 10:00am, by Žilvinas Urbonas
Building GPT Applications on Open Source Stack LangChain
Jun 7th 2023 6:58am, by Akmal Chaudhri
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by B. Cameron Gain
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by David Cassel
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by David Eastman
Defend Open Source from Trolls: Oppose Patent Rule Changes
Jun 2nd 2023 6:49am, by Michael Dolan
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
‘Running Service’ Blueprint for a Kubernetes Developer Portal
Jun 7th 2023 8:30am, by Zohar Einy
Building GPT Applications on Open Source Stack LangChain
Jun 7th 2023 6:58am, by Akmal Chaudhri
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
Enhance Kubernetes Scheduling for GPU-Heavy Apps with Node Templates
Jun 7th 2023 10:00am, by Žilvinas Urbonas
‘Running Service’ Blueprint for a Kubernetes Developer Portal
Jun 7th 2023 8:30am, by Zohar Einy
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Security

Get a Handle on Your Software Supply Chain

Organizations HAVE to Get Their Arms around Their Software Supply Chain — Here’s How to Do It.
Mar 8th, 2022 10:00am by
Featued image for: Get a Handle on Your Software Supply Chain
Feature image via Pixabay.

Jack Aboutboul
Jack Aboutboul is a long-time member of the Linux, open source, and free software community. He brings over 20 years of technology, community, and developer outreach expertise. His previous roles include Community Architect at Red Hat for Fedora and its associated projects, Developer Program Manager at open source eCommerce platform Magento, an early member of the Developer Evangelism team at cloud communications powerhouse Twilio, and CTO of Energizer’s Connect IoT platform. He is currently Community Manager for the popular CentOS replacement AlmaLinux. Jack is passionate about education, technology, open source, IoT and enabling developers to build the best, most secure software possible through great developer experiences.

The software deployed in your organization is probably the most critical piece of infrastructure powering operations and contributing to productivity. If a truck breaks down, logistics arrangements can be made. But if a critical piece of software becomes vulnerable, or even worse, is actively compromised, not only can the organization face devastating legal consequences, but operations may come to a total halt too. Welcome to 2022, where this is no longer fiction, but a reality that’s already been observed multiple times this year.

Let’s talk about two software consumption models, proprietary and open source. Traditionally, in the proprietary software consumption world, you know your vendor and place a great deal of trust in them (and rightfully so for the price) to ensure that your software is always functional, reliable and actively being maintained and patched for security vulnerabilities. The onus is always on them. 

In reality, that was only half true though. What runs on your infrastructure is ultimately your responsibility and no one else’s. The SolarWinds Hack drove that point home. Without a comprehensive information security plan in place throughout your organization and without constantly monitoring files, folders, infrastructure and applications — basically having eyes and ears detecting even the most seemingly benign activity — it turns out that you can only really trust your vendor as much as much as you trust yourself … and you shouldn’t be trusting yourself.

Fast forward to 2022, the world runs on Open Source software — that’s a fact. Gartner says that 95% of the IT enterprises across the globe use open source software for their mission-critical IT workloads and that number is growing everywhere, not just in IT enterprises. Linux and open source software also power a majority of the cloud. There is good reason for that too, mainly, the speed at which open source software innovates, due to the collaborative nature of its development.

One of open source software’s greatest strengths is postulated as Linus’ law — given enough eyeballs, all bugs are shallow. Someone is always looking, right? Wrong. Even with someone looking, it’s still possible to introduce extremely severe vulnerabilities, like Heartbleed and now Log4j/Log4Shell, that sneak in undetected. Those, however, were introduced by mistake and their root cause lay in the global characteristic of the open source development model where often a certain critical piece of code (or what ends up being one after a vulnerability is discovered) might have been contributed by a student or may be maintained by someone whose primary professional focus lays elsewhere. See xkcd #2347.

XKCD 2347

Organizations now have to address a more subtle and potentially more dangerous threat vector, the software supply chain attack. While the SolarWinds hack was done from without, there is also the prospect of such a compromise being done willfully, from within, by its own developer. Recently the developer of the widely-popular npm packages colors.js and faker.js, which are downloaded a collective 25 million times a week (yes, per week) decided to go on an activism bender, and purposely introduced changes breaking his software to get his point across.

His justification? “I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work.”

Even more, it is often comical how enterprises will reach out to random open source maintainers, with whom they have no relationship, demanding answers. Here is an example recently reported by Daniel Stenberg, maintainer of the popular cURL and libcurl open source packages.

What to Do About It All…

I propose that organizations shift their thinking to adjust to a new landscape. Stop thinking about software as a product you consume and start thinking about it as a process you are a part of. There is a chain here, and whether you like it or not, you are a link on that chain. You need to play your part to preserve the continuity of that chain.

That’s accomplished by recognizing and accepting your place in the chain. Is your organization purely a consumer of software or a producer of software? Are you relying on proprietary software or open source? It’s probably a mix of both.  Make sure you’re interacting with your proprietary software vendors, you’re paying them good money. They owe it to you. Use their established guidance on ensuring that their software is set up securely and then take further measures to harden your infrastructure. It is, after all, yours.

On the open source front, don’t just be a consumer. Your participation in strengthening the broader open source ecosystem is more vital now than ever before. Identify which open source projects and components are important to your organization and then engage with the community. There are several ways to engage, the easiest being to send any bugs you find upstream. Developers appreciate this immensely, more than you would know. It keeps the feedback loop open and helps them improve, what for many is a project of passion. 

Many open source projects also accept sponsors or some sort of donation. It’s not often much but it helps developers feel appreciated and maybe allows a bit of extra freedom. Speaking of appreciation, reach out to developers and let them know you are using their software and simply acknowledge their work. Many open source developers spend countless hours pouring their hearts and minds into their projects and receive no esteem, no notability and no regard. Often a simple “thank you” goes a long way.

Combine this new mindset with the classical approaches of infrastructure monitoring, vulnerability scanners, monitoring, logging and audit trails. Establish new policies, mirroring the president’s recent Executive Order making sure you’re either generating or being provided with a Software Bill of Materials (SBOM). Start implementing the cybersecurity principles in the recent memo on Moving Towards Zero Trust Cybersecurity.

This new mindset, coupled with classical approaches to cybersecurity, and keeping up with the latest guidance will ensure that your organization has a comprehensive strategy to shore up your digital defenses against the software supply chain for a long time to come.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
3 Frameworks for Role-Based Access Control 4 Factors to Consider When Choosing a Cloud Native App Platform Chainguard Unveils Speranza: A Novel Software Signing System Compiled Python Code Used in a New PyPI Attack How to Protect Containerized Workloads at Runtime
RELATED STORIES
AppSec 'Worst Practices' with Tanya Janca  Compiled Python Code Used in a New PyPI Attack PyPI Strives to Pull Itself Out of Trouble Tracy Ragan: My Favorite Open Source Security Projects Dev News: Trouble in npm, Vue 3.3 and Cloudflare Updates
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.