supply chain Archives - SD Times
https://sdtimes.com/tag/supply-chain/
Software Development News
Thu, 18 Jul 2024 19:16:41 +0000

Report: Execs and devs have different perceptions around supply chain security, AI use
https://sdtimes.com/security/report-execs-and-devs-have-different-perceptions-around-supply-chain-security-ai-use/
Thu, 18 Jul 2024 19:16:41 +0000

The post Report: Execs and devs have different perceptions around supply chain security, AI use appeared first on SD Times.

While the occurrence of software supply chain attacks just keeps getting worse every year, there appears to be a disconnect among leaders on the importance of securing those supply chains.

According to research from IDC, there has been a 241% increase year-over-year in supply chain attacks, but a new survey from JFrog had only 30% of respondents citing supply chain security as a top security concern.

The report also revealed disconnects between how leaders perceive the security of their organization versus the frontline software teams managing it. Ninety-two percent of executives believe their companies have tools to detect malicious open-source packages, compared to only 70% of developers. Similarly, 67% of executives think that code-level security scans are being regularly conducted, compared to only 41% of developers confirming they do this. 

There is a similar disconnect when it comes to AI/ML. Over 90% of executives said that their development teams were using ML models in their applications, but only 63% of developers say that’s true. 

And 88% of executives think that AI tools are being used for security scanning, but only 60% of DevSecOps teams say they are actually using AI-powered security tools. 

“The complexity of today’s software supply chain poses unprecedented risks. Despite leadership efforts to enable frontline teams with the right equipment, developers are struggling to improve efficiency and accelerate productivity due to tool sprawl, lengthy open source and ML model approvals, plus audit and compliance checks,” said Moran Ashkenazi, SVP & CISO, JFrog. “This discrepancy highlights the urgency for organizations to rethink their security strategies, focus more on AI/ML components, and align executives and doers on a mission to fortify their software supply chains.”

A guide to supply chain security tools
https://sdtimes.com/security/a-guide-to-supply-chain-security-tools/
Mon, 08 Jul 2024 17:59:18 +0000

The following is a listing of vendors that offer tools to help secure software supply chains, along with a brief description of their offerings.


Featured Provider

HCLSoftware: HCL AppScan empowers developers, DevOps, and security teams with a suite of technologies to pinpoint application vulnerabilities for quick remediation in every phase of the software development lifecycle. HCL AppScan SCA (Software Composition Analysis) detects open-source packages, versions, licenses, and vulnerabilities, and provides an inventory of all of this data for comprehensive reporting.

Other Providers

Anchore offers an enterprise version of its Syft open-source software bill of materials (SBOM) project, used to generate and track SBOMs across the development lifecycle. It also can continuously identify known and new vulnerabilities and security issues.

Aqua Security can help organizations protect all the links in their software supply chains to maintain code integrity and minimize attack surfaces. With Aqua, customers can secure the systems and processes used to build and deliver applications to production, while monitoring the security posture of DevOps tools to ensure that the security controls put in place have not been circumvented.

ArmorCode’s Application Security Posture Management (ASPM) Platform helps organizations unify visibility into their CI/CD posture and components from all of their SBOMs, prioritize supply chain vulnerabilities based on their impact in the environment, and find out if vulnerability advisories really affect the system.

Contrast Security: Contrast SCA focuses on real threats from open-source security risks and vulnerabilities in third-party components during runtime. Operating at runtime effectively reduces the occurrence of false positives often found with static SCA tools and prioritizes the remediation of vulnerabilities that present actual risks. The software can flag software supply chain risks by identifying potential instances of dependency confusion.

FOSSA provides an accurate and precise report of all code dependencies up to an unlimited depth; and can generate an SBOM for any prior version of software, not just the current one. The platform utilizes multiple techniques — beyond just analyzing manifest files — to produce an audit-grade component inventory.

GitLab helps secure the end-to-end software supply chain (including source, build, dependencies, and released artifacts), create an inventory of software used (software bill of materials), and apply necessary controls. GitLab can help track changes, implement necessary controls to protect what goes into production, and ensure adherence to license compliance and regulatory frameworks.

Mend.io: Mend’s SCA automatically generates an accurate and deeply comprehensive SBOM of all open source dependencies to help ensure software is secure and compliant. Mend SCA generates a call graph to determine if code reaches vulnerable functions, so developers can prioritize remediation based on actual risk.

Revenera provides ongoing risk assessment for license compliance issues and security threats. The solution can continuously assess risk across a portfolio of software applications and the supply chain. SBOM Insights supports the aggregation, ingestion, and reconciliation of SBOM data from various internal and external data sources, providing the needed insights to manage legal and security risk, deliver compliance artifacts, and secure the software supply chain.

Snyk can help developers understand and manage supply chain security, from enabling secure design to tracking dependencies to fixing vulnerabilities. Snyk provides the visibility, context, and control needed to work alongside developers on reducing application risk.

Sonatype can generate both CycloneDX and SPDX SBOM formats, import them from third-party software, and analyze them to pinpoint components, vulnerabilities, malware, and policy violations. Companies can prove their software’s security status easily with SBOM Manager, and share SBOMs and customized reports with customers, regulators, and certification bodies via the vendor portal.

Synopsys creates SBOMs automatically with Synopsys SCA. With the platform, users can import third-party SBOMs and evaluate for component risk, and generate SPDX and CycloneDX SBOMs containing open source, proprietary, and commercial dependencies.

Veracode Software Composition Analysis can continuously monitor software and its ecosystem to automate finding and remediating open-source vulnerabilities and license compliance risk. Veracode Container Security can prevent exploits to containers before runtime and provide actionable results that help developers remediate effectively.

Open Source Solutions

CycloneDX: The OWASP Foundation’s CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. Strategic direction of the specification is managed by the CycloneDX Core Working Group. CycloneDX is also backed by the Ecma International Technical Committee 54 (Software & System Transparency).

SPDX is a Linux Foundation open standard for sharing SBOMs and other important AI, data, and security references. It supports a range of risk management use cases and is a freely available international open standard (ISO/IEC 5692:2021).

Syft is a powerful and easy-to-use CLI tool and library for generating SBOMs for container images and filesystems. It also supports CycloneDX/SPDX and JSON format. Syft can be installed and run directly on the developer machine to generate SBOMs against software being developed locally or can be pointed at a filesystem. 

Synopsys hopes to mitigate upstream risks in software supply chains with new SCA tool
https://sdtimes.com/security/synopsys-hopes-to-mitigate-upstream-risks-in-software-supply-chains-with-new-sca-tool/
Tue, 09 Apr 2024 19:22:43 +0000

Synopsys has released a new solution to help companies manage upstream risks of software supply chains.

Black Duck Supply Chain Edition does software composition analysis (SCA) that makes use of a number of security analysis techniques to determine the components in a piece of software, such as package dependency, CodePrint, snippet, binary, and container analysis. 

Customers can import SBOMs of their third-party components and automatically catalog the components found within. It performs continuous risk analysis on both internal SBOMs and the SBOMs of third-party components. 

This also allows it to identify not just security issues, but issues with licenses of third-party components. This includes analyzing AI-generated code and detecting if any part of it might be subject to license requirements.

The tool also performs post-build analysis that can help detect malware or potentially unwanted applications. 

SBOMs can be exported in SPDX or CycloneDX formats, which makes it easier to meet customer, industry, or regulatory requirements, according to Synopsys. 

“With the rise in software supply chain attacks targeting vulnerable or maliciously altered open source and third-party components, it’s critical for organizations to understand and thoroughly scrutinize the composition of their software portfolios,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “This requires constant vigilance over the patchwork of software dependencies that get pulled in from a variety of sources, including open source components downloaded from public repositories, commercial software packages purchased from vendors, code generated from AI coding assistants, and the containers and IT infrastructure used to deploy applications. It also requires the ability to detect and generate actionable insights for a wide range of risk factors such as known vulnerabilities, exposed secrets, and malicious code.”

How does blockchain fit into today’s enterprise?
https://sdtimes.com/data/how-does-blockchain-fit-into-todays-enterprise/
Mon, 17 Apr 2023 21:09:33 +0000

Web3. Cryptocurrency. Non-fungible tokens. Those are the words many think of when they hear the word blockchain. 

These are the areas where this emerging technology has garnered the most popularity over the years, but blockchain as a technical concept can be applied in many different ways, and it has uses in the enterprise, particularly when it comes to supply chain management. 

“There’s — less so now — I think a conflation of Bitcoin and cryptocurrencies and blockchain that’s becoming better over the years that I’ve been engaging in it,” said Cindy Vestergaard, VP of special projects and external relations at blockchain API company RKVST. “What is less known is that actually a couple of months before the Bitcoin whitepaper was that Estonia was already looking at distributed ledger technology (DLT) for securing services among its citizens and protecting its citizens’ data. So while Bitcoin gets all the popularity, it’s actually the enterprise, if you will, or the permissioned DLT platforms that were already starting to move at that time, and then obviously, in parallel as well.”

She also noted that blockchain is just one type of DLT, but it has become so associated with cryptocurrency that many people have this association in their head. But there are many types of DLT other than what is used in cryptocurrency. 

According to Martha Bennett, VP, principal analyst at Forrester, there are two major types of blockchain: permissioned and permissionless. Permissionless, or public, blockchain is the type that cryptocurrencies run on. Permissioned blockchains are what people are talking about when they talk about enterprise blockchain. 

Bennett said that even NFTs have their place in the enterprise, at least as a technical concept. In essence, an NFT is simply a representation of an asset, which makes it well suited to supply chains.

“[Blockchain] can be useful in any situation where you’ve got multiple parties involved and where it’s important that everybody has the same version of the data, and that there is a reasonable guarantee that nobody has messed with that data, falsified the data,” she said.

Of course, this can also be accomplished without needing a blockchain, she noted. A reason one might want to use a blockchain, however, would be if you want a different governance model besides the one in which a single party is in charge, or if you want to make use of smart contracts, which are essentially automated business rules. 

An example of this data verification that Vestergaard shared is determining whether photos are authentic and original.

“Let’s say, I take a snapshot of you right now, Jenna, but I removed your glasses. In another picture, I tried to superimpose that and it won’t let me do it. Because it’s not the original, and it doesn’t have that original hash.”

She explained that this can also be used for files. “It could be used for anything that has data that follows it wherever it goes and needs to be immutable, secured and shared,” Vestergaard said.

However, according to Bennett, it’s a misconception that blockchains are by definition more secure. “The blockchain will only preserve the data that’s fed into it,” she said. “If the data is fraudulent, all the goods associated with the data have been tampered with. No blockchain can help with that.”

For example, this has been something that has come up in the luxury goods industry. “If the goods are actually fake at the point they enter the supply chain, or if the fake bags are made by the same factory as your real bags, then how do you tell a fake from the real goods?”

What about Web3?

In addition to supply chain, one of the other use cases for blockchain that gets brought up frequently is Web3, which is an overhaul of the internet that would make it decentralized and blockchain-based.

The Web3 Foundation is a non-profit organization aimed at driving this initiative. Its goals for Web3 are an internet where:

  • Users own their data
  • Digital transactions are secure
  • Online exchanges of information and value are decentralized

However, the idea is still in its early stages, and if it takes hold, it’ll likely be a while before we’re there.

“The current environment is dominated by speculators,” Bennett said in an episode of Forrester’s “What it Means” podcast. “Sadly, some of the more worthy endeavors get drowned out or even hijacked by the more scammy elements in the environment.”

Another analyst firm, Gartner, also predicts Web3 won’t overtake Web 2.0 (the current web) by the end of the decade. 

“Web3 innovations will take the internet into new realms and give rise to applications not previously possible,” said Avivah Litan, distinguished VP analyst at Gartner. “But Web 2.0 still has advantages in terms of scale, customer service and customer protections. Potential Web3 risks include lack of customer protections, new security threats and a swing back to centralized control, so organizations will want to shore up governance and risk management before replacing Web 2.0 applications.”

Is blockchain overhyped?

According to Bennett, outside of the financial services sector, “we are still not at the point where we can confidently say that blockchain really is delivering the business value that people are looking for, simply because it is incredibly difficult to actually set up a blockchain network that at the end of the day really needs all those blockchain features,” she said. 

Stack Overflow recently conducted a survey to find out what new technologies made it past what Gartner refers to as the hype cycle. Many new technologies can stir up excitement in the industry, but not all will actually see widespread adoption. 

The survey ranked technologies on a scale from experimental to proven and on a scale from negative to positive impact.

On a scale from zero (experimental) to 10 (proven), blockchain technology came in towards the middle at 4.8. And on a scale from zero (negative impact) to 10 (positive impact), it received a score of 5.3.  

Another survey by Foundry echoes these sentiments. It found that 51% of respondents were not interested in adopting blockchain technology within their organization. 

Compared with previous years of the survey, interest has not really improved. In 2020, 39% of respondents said they were researching the technology, and in 2021 that had dropped to 34%. In this year’s survey, only 25% of respondents were researching it.

Successful blockchain implementations in the enterprise

Yet, there have been some successes in the technology’s use. For example, Walmart has experimented with blockchain technology to enable food traceability.

According to a case study it published, in 2016 the vice president of food safety asked his team to trace a package of sliced mangoes to their source. They were able to do it, but it took them 6 days and 18 hours to track it down. 

Then, the company partnered with IBM to create a food traceability system based on the Linux Foundation’s Hyperledger Fabric. The result? Now they could trace their mangoes in just 2.2 seconds. 

They then used that same technology to trace pork in China and now have blockchain partnerships with several big food companies, including Dole, McCormick, Nestlé, Tyson Foods, and Unilever. As of 2018, it was possible for the company to trace more than 25 food products from as many as five different suppliers. 

“The system was so efficient that one could take a jar of a product or a salad box and trace the ingredients back to the farms from where they were harvested,” Walmart claimed. 

You may recall that back in 2018 there was an outbreak of E. coli in romaine lettuce from a farm in California that ended up affecting over 17 states. At the time, many stores pulled all of their romaine lettuce off the shelves out of caution because they weren’t able to quickly identify the source. 

Before Walmart had implemented some of these new initiatives, it would have taken days to trace the lettuce to the source, but now that they can access that information in a matter of seconds they can ensure that what’s on the shelves is safe.

“For public health and safety, this [blockchain program] obviously creates a lot more confidence in the ability to track and locate if there are any disease outbreaks among farms where it came from once it’s been identified,” said Vestergaard.

Another example Vestergaard highlighted is the diamond company De Beers. One huge problem in the diamond industry is that many diamonds are mined in war zones and then sold to fund military efforts, hence the name “blood diamonds.” Historically, it has been hard to trace the origin of diamonds, so a buyer could never tell whether they were getting a blood diamond or one mined more ethically.

In 2022, De Beers introduced its Tracr blockchain platform, which enables tracing of diamonds from their source, as well as all stops in the supply chain.

“De Beers discovers diamonds with our partners in Botswana, Canada, Namibia and South Africa and, with our long-term investment in Tracr, we are proud to join with our Sightholders to provide the industry with immutable diamond source assurance at scale,” said Bruce Cleaver, CEO of De Beers Group. “Tracr, which will enable the provision of provenance information from source to Sightholder to store on a secure blockchain, will underpin confidence in natural diamonds and represents the first step in a technological transformation that will enhance standards and raise expectations of what we are capable of providing to our end clients.”

The environmental impact

One of the big criticisms of blockchain technology is the detrimental impact on the environment. Particularly during the Bitcoin mining craze, people were running their computers to the max and driving up their electric bills. The profit from mining may have paid for the increased electric bill, but what about the environmental impact of that mining?

President Biden even commissioned a report on the environmental impact of “crypto-assets,” which are assets based on DLT. The report, which was published last year, found that from 2018 to 2022 electricity usage from these crypto-assets grew rapidly and in 2022, the published estimates for energy usage ranged from 120 to 240 kilowatt-hours per year. According to the White House, this is more than the total electricity usage for many companies and makes up about 0.4% to 0.9% of total global electricity usage. 

The report clarified that most of the environmental impact does come from consensus mechanisms, which are used in mining and verifying assets. The dominant mechanism for energy consumption was Proof of Work (PoW), which at the time of the report was used by both the Bitcoin and Ethereum blockchains. 

According to the White House, the PoW mechanism uses a lot of electricity by design. “The PoW mechanism is designed to require more computing power as more entities attempt to validate transactions for coin rewards, and this feature helps disincentivize malicious actors from attacking the network,” the White House wrote in a statement.

However, PoW is just one option, and there are other, less energy-intensive DLT technologies and consensus mechanisms, such as Proof of Stake. By switching, it is estimated that energy usage could be reduced to less than 1% of current levels.

For example, the Ethereum network has since begun to migrate to a Proof of Stake blockchain and this has reduced its energy consumption by about 99.95%.

The overpromise of blockchain technology

Bennett explained that while there have been some very successful implementations, there are not many examples of follow-on projects.

“When I see a project is hugely successful, and everybody talks up the benefits — which I do not doubt, by the way, I wouldn’t accuse people of lying about the benefits they’ve achieved — and then nobody else does the same thing,” said Bennett. “That either means that they’re being economical with the truth about how much it costs to run, or how much effort was involved in setting it up. Or that there are some quite unique circumstances associated with a particular company or a particular ecosystem that just lent itself to putting something on a blockchain.”

There have also been a number of bankruptcies with blockchain companies over the past year. For example, the crypto exchange FTX collapsed and the CEO, Sam Bankman-Fried, was arrested on multiple charges, including wire fraud and defrauding investors. 

“Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here,” said John Ray, who was brought on to replace Bankman-Fried after the arrest. 

This has been a very public failure, but it’s not the only one. Other companies that went under include BlockFi, 3AC, Marco Polo, We.trade, B3i, and TradeLens, an open and neutral supply chain industry platform solution underpinned by blockchain technology.

According to Bennett, one of the main reasons TradeLens shut down was because it was in “an ecosystem that’s dominated by one of the largest shippers in the world around data sharing.”

She continued: “You can see the reluctance of competitors wanting to join that, which reduces the attraction for port operators to join as well. And also, it’s back to how do you want that ecosystem to run? Because TradeLens was always meant to be in some way for profit. And where does that come from? How do you charge for transactions? What do people want to pay? Nobody has really come up with a workable recipe there yet.”

According to Bennett, when hearing about the benefits of any new technology, it’s important to remember that company goals are not really about the technology; they are about what you want to do. If you have a clear vision, you can work backwards from that end goal.

She sees that a lot of digitization initiatives are becoming co-mingled with blockchain. But a lot of the benefits companies see are from the digitization itself, not putting those digital assets on a blockchain.

“Just for digitizing paper, you don’t need a blockchain, but you still need everybody to accept the digital format of what previously was physical,” said Bennett. “And then if all you do is digitize a PDF file, and then send that around, you save some time clearly because a PDF file is quicker than the mail between Africa and the United States. But they also have a limit to the benefits from digitization too. My message here would be really think about what it takes to digitize before you think about the technology that you use to do it is.”

Most severe supply chain attacks occur due to third-party dependencies
https://sdtimes.com/cybersecurity/most-severe-supply-chain-attacks-occur-due-to-third-party-dependencies/
Wed, 05 Apr 2023 20:02:48 +0000

Software supply chain attacks occur primarily because most software development involves using third-party dependencies. 

The most severe attacks occur on a “Zero Day,” which refers to vulnerabilities that have been discovered without any available patch or fix, according to William Manning, solution architect at DevOps platform provider JFrog, in an ITOps Times Live! on-demand webinar “Zero Day doesn’t mean Zero hope – Fast detection / Fast remediation.”

These types of vulnerabilities can severely impact a company’s reputation, credibility, and financial stability, and the term covers three related things: zero-day vulnerabilities, zero-day exploits, and zero-day attacks. For example, an attacker can use a zero-day exploit to gain initial access to a system and then use a software supply chain attack to install a persistent back door or malware on the compromised system.

The time it takes for organizations to recognize these attacks has also gone up from 12 days in 2020 to 42 days in 2021, according to Manning. Managing the blast radius to lower the mean time to remediation (MTTR) is one of the first steps that an organization should take. 

“One of the things, whenever I discuss this with customers, is how do you know not only what’s affected, but when it was affected, and how long you’ve been affected? And what else it’s affected?” Manning said. “When you find something, what’s the blast radius of affecting your organization in terms of software development, and knowing that 80% of the public exploits that are out there are actually done before a CVE is even published.” 

Managing zero-day vulnerabilities in order to prevent these software supply chain attacks can also be a time-consuming process. That’s why organizations have to strike a delicate balance, according to Manning.

“Developers are artists in what they do and their palette and medium that they use to express themselves is of course the code that they produce, but that also includes the actual transitive dependencies, both direct and indirect,” Manning said. “You want to be able to go ahead and make sure that they’re building safe software for your company for things like reputation and revenue, but you don’t want to hinder the software developer’s ability to do what they do.” 

Be sure to check out this webinar to learn more about how to use the JFrog Platform to combat potential threats within the organization throughout the whole SDLC through front-line defense, identifying the blast radius, using JIRA and Slack integrations, and more.

Sonatype’s OSS security offerings can now be deployed in the cloud
https://sdtimes.com/security/sonatypes-oss-security-offerings-can-now-be-deployed-in-the-cloud/
Fri, 03 Feb 2023 19:20:22 +0000

The post Sonatype’s OSS security offerings can now be deployed in the cloud appeared first on SD Times.

The software supply chain security company Sonatype is attempting to make it easier for development and security teams to come together and innovate. They announced new deployment options, enabling companies to run Sonatype software in the cloud. 

Nexus Lifecycle and Nexus Firewall can now be deployed in the cloud, which enables companies to get up and running with these offerings faster, with enterprise-grade security baked in. It eliminates the need to manage infrastructure while still providing the same protection for the supply chain. 

According to Sonatype’s State of the Software Supply Chain report, supply chain attacks have increased by an average of 742% per year over the past three years. This makes getting a supply chain security solution up and running quickly more important than ever. 

“There has never been a greater need for the ability to detect code quality and implement security at the point of creation. Sonatype is answering that need and more, allowing developers, engineering teams, and enterprises to build software fearlessly in the environment that best works for them,” said Mitchell Johnson, chief product development officer at Sonatype. 

In addition to faster deployments and scalability, companies can save money by avoiding paying for physical space or resources they don’t need. Configurable APIs also make it easy to connect these solutions with your existing tools. 

NSA’s and CISA’s recent security guidance: The good and the bad https://sdtimes.com/security/nsas-and-cisas-recent-security-guidance-the-good-and-the-bad/ Tue, 11 Oct 2022 14:00:10 +0000 https://sdtimes.com/?p=49178

The post NSA’s and CISA’s recent security guidance: The good and the bad appeared first on SD Times.

The NSA and CISA released the guide “Securing the Software Supply Chain: Recommended Practices Guide for Developers” last month, and while David Wheeler, the director of open-source supply chain security at the Linux Foundation and OpenSSF, welcomes it, he said there are some questionable requirements. 

The guide covers aspects of security such as how to develop secure code, how to verify third-party components, and how to harden the build environment, among other things. It’s also part of the government’s effort to bolster supply chain security stemming from last year’s Executive Order, which aims to curb the 650% growth in supply chain attacks, according to Sonatype’s 2021 State of the Software Supply Chain.

The guide recommends that developers take regular, relevant security training and that they be evaluated periodically, at least annually. The security training for the development team is ideally conducted by a centralized, expert security team that can help product teams grow their expertise in secure development. 

One issue Wheeler finds is that the report assumes that all software is developed by large software development teams, but that is not true across all industries.

“They’re making all these assumptions about multiple reviews on large teams. And that’s assuming that there’s some sort of internal computer network,” Wheeler said. “For a lot of organizations, that doesn’t exist. And in fact, it’s moved towards zero trust to move away from trust in an internal network. And so they’re kind of making old school assumptions or whatever they get old, you’ll see that again, and again, they are making some really unreasonable development environment requirements.” 

Wheeler said that there also seems to be a lack of understanding about open-source software (OSS) security.

“The term commercial item by definition includes open-source software, and yet they talk about commercial as though it’s not the same as open source software,” Wheeler said. 

Lastly, there does not seem to have been adequate industry interaction or public review of a draft during the creation of the guidance, according to Wheeler. 

“Most software expertise is outside the U.S. government, not in it, as that’s where most software development is today. The document has many other problems, which in part stem from inadequate public review,” Wheeler said. 

Wheeler is adamant that the education system and the software supply chain need to do better at teaching developers the fundamentals of designing software with security in mind, and he welcomes the fact that the guide provides some guidance targeted at developers. 

“Historically, the U.S. government is kind of famous for spending a lot of effort on trying to configure insecure software and somehow magically transform it into secure software. That hasn’t worked,” Wheeler said. “With this, I’m really glad that they’re putting in guidance for developers.” 

Wheeler appreciates that the guide encourages developers to use design principles from the Saltzer & Schroeder list, which have withstood the test of time. The Saltzer & Schroeder list is a set of eight design principles for secure computer systems. The principles are named after their creators, Jerome H. Saltzer and Michael D. Schroeder, who published them in 1974.

He added that developers should at least know what the most common kinds of vulnerabilities are, including the CWE Top 25 and OWASP Top 10, and know the major kinds of security tools and how to apply them. Developers should know that they need to do “negative testing” and to understand the importance of high-coverage automated testing.

They should also know how to evaluate OSS and how to use tools like package managers to automate its management. Lastly, they should focus on protecting their environments and start using MFA tokens, which stop many attacks.

Ox Security emerges from stealth with $34M to provide end-to-end software supply chain security https://sdtimes.com/supply-chain-security/ox-security-emerges-from-stealth-with-34m-to-provide-end-to-end-software-supply-chain-security/ Thu, 29 Sep 2022 20:10:05 +0000 https://sdtimes.com/?p=49053

The post Ox Security emerges from stealth with $34M to provide end-to-end software supply chain security appeared first on SD Times.

Tel Aviv, Israel, September 29, 2022 — Ox Security, the end-to-end software supply chain security platform for DevSecOps, exited stealth today with $34M in funding led by Evolution Equity Partners, Team8, and M12, Microsoft’s venture fund, with participation from Rain Capital. OX was founded less than a year ago by Neatsun Ziv and Lior Arzi, two top Check Point executives. Its platform is already used by over 30 leading companies to secure their software supply chains, including Kaltura and Bloomreach.

The rise in software supply chain attacks, like the SolarWinds hack, prompted last year’s executive order requiring vendors to provide a software bill of materials (SBOM). This software “ingredients list” can help security teams understand if a newly disclosed vulnerability impacts them. However, industry experts caution that it isn’t comprehensive enough to prevent attacks or address the challenges of securing today’s dynamic software supply chains.

“The introduction of SBOM is an important step, however, it isn’t sufficient to ensure the security and integrity of software supply chains,” said Admiral Mike Rogers, former director of the NSA. “Recent high-profile breaches — like those that affected SolarWinds, Codecov and Log4j — could not have been detected or prevented with the static list of software components contained in an SBOM. There’s a real risk of providing a false sense of protection by having a standard for compliance that does not equate to security.”

To address these issues, OX is developing a new open standard, PBOM, in collaboration with leading cybersecurity-conscious companies. The Pipeline Bill of Materials (PBOM) includes within it the SBOM but goes further, covering not only the code in the final product but also the procedures and processes that impacted the software throughout its development. OX and its partners undertook extensive research on the root causes of more than 70 attacks from the past year. They specifically designed the PBOM to contain the information that would have been needed to prevent each of the recent attacks.

OX’s platform is the first product using the PBOM standard to provide end-to-end software supply chain security, allowing it to cover every step of the development pipeline, from the earliest planning stages until deployment to production. OX seamlessly integrates with existing tools and infrastructure to monitor and record every action affecting software throughout the entire development lifecycle. It gives security and DevOps teams complete visibility and control over the attack surface, including source code, pipeline, artifacts, container images, runtime assets, and applications.

“Developers and DevOps make constant changes to the software supply chain, adding new tools, open source components and SaaS services,” said Neatsun Ziv, OX’s CEO and co-founder. “The OX platform gives DevSecOps teams real-time, end-to-end visibility into all aspects that impact software through the entire pipeline, so they have the necessary context and control to ensure security.”

OX connects to an organization’s code repository and performs a scan of the environment from code to cloud, to automatically produce a full mapping of assets, apps and pipelines. OX identifies which security tools are in use, verifies they’re all connected and operational, and determines if additional tools are necessary. Following the scan, OX presents any security issues that were found, prioritized by their business impact, alongside context, automated fixes and recommendations, empowering DevSecOps teams to tackle their cybersecurity backlog. A PBOM, which includes an SBOM, version lineage, SaaSBOM, build hashes and more, can be automatically generated and shared with internal stakeholders or customers, so they in turn can verify that the software they use is derived from trusted, secure builds.

“Ox Security is tackling a critical challenge facing companies today, and is uniquely positioned to become a leader in its space,” said Nadav Zafrir, Managing Partner at Team8 Group and former head of Israel’s elite intelligence Unit 8200. “We are thrilled to join forces with Neatsun and Lior. The ground-breaking PBOM standard enables OX’s platform to provide unparalleled security coverage and I have no doubt that PBOM will be widely adopted across the industry.”

Additional quotes:

“Supply chain attacks are on the rise, and the attack surface is growing,” said Mony Hassid, Managing Partner at M12, Microsoft’s venture fund. “When it comes to software security and integrity, you have to look beyond which components were used and consider the overall security posture throughout the development process. Ox Security is pioneering a standard that will be transformative for supply chain security. We’re proud to work with OX to improve software security.”

“The cybersecurity industry has been playing catch-up so far by pursuing a never-ending process of patching production environments and chasing alerts, issues and fixes,” said Karthik Subramanian, General Partner at Evolution Equity Partners. “OX’s groundbreaking approach brings control back to DevSecOps teams by providing visibility and complete control over an organization’s code. The level of innovation in OX’s platform is truly remarkable and provides value to everyone in an organization — from developers to DevSecOps teams to executives.”

“I believe the PBOM standard will reverse the tide,” said Mario Duarte, Vice-President of Security at Snowflake. “I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise.”

“OX is truly changing how software supply chains are protected, ensuring that all code comes from secure and trusted builds,” said Naor Penso, Senior Director of Product Security at leading applied analytics company FICO. “The OX platform prevents software supply chain attacks while accelerating and streamlining development. The PBOM framework created by OX expands the traditional SBOM with contextual knowledge and true end-to-end lineage that drives assurance in software security across its entire life-cycle.”

Threat landscapes: An upstream and downstream moving target https://sdtimes.com/security/threat-landscapes-an-upstream-and-downstream-moving-target/ Wed, 14 Sep 2022 13:15:19 +0000 https://sdtimes.com/?p=48872

The post Threat landscapes: An upstream and downstream moving target appeared first on SD Times.

In recent years, hackers have become very sophisticated in the ways they attack upstream development pipelines by introducing vulnerabilities into the software supply chain. The popularity of open source makes those repositories low-hanging fruit to target.

In an SD Times Live! Event titled “Threat Landscapes: An Upstream and Downstream Moving Target,” Theresa Mammarella, developer advocate at Sonatype, explained how companies can stay vigilant and be prepared for these malicious attacks. 

“It becomes harder and harder as there’s more and more layers of software building on top of each other to actually know what’s in these applications,” she explained. For example, you could be using Kubernetes, and that project could be pulling in code from thousands of other projects that you might not even know about. Mammarella labels these as “transitive dependencies.” 

According to her, there are three main attack points in a software supply chain. The first is upstream, which involves downloading open-source or third-party components. The NPM attack is one example of an upstream attack.

The second is midstream, where an attack takes place somewhere in the development life cycle. An example of this is the Log4j exploit.

And third is downstream, which is when an attack takes place within the deployed application. 

“So upstream, midstream, and downstream, this all makes me think of a river,” Mammarella explained. “And there is a good reason for that. Niagara Falls, think about it, the water that is upstream moves faster and spreads more widely than does the water in the midstream or the downstream of a river or waterfall. And those upstream attacks can have the most impact on software supply chains.”

According to Mammarella, of the millions of repositories on GitHub, many of those projects get distributed to hundreds of thousands or even millions of companies. The most popular ones are targeted most often because they have the highest number of downloads and are therefore more attractive to attackers.

To learn more about how to protect your software supply chain, watch the recording of the event. 

Enterprise open source and the security of the software supply chain https://sdtimes.com/security/enterprise-open-source-and-the-security-of-the-software-supply-chain/ Tue, 05 Apr 2022 17:20:36 +0000 https://sdtimes.com/?p=47153

The post Enterprise open source and the security of the software supply chain appeared first on SD Times.

In late 2021, a vulnerability was detected in the Java logging package Log4j, which is the most popular framework for logging in Java. It is used in millions of applications. Not only that, but it is used as a dependency in over 7,000 open-source projects, according to research from software security company Sonatype. 

Given the widespread impact of the vulnerability in this package, it renewed the conversation about supply chain security. 

According to Javier Perez, chief evangelist for Open Source & API Management at OpenLogic by Perforce, a software supply chain is all of the components that exist in a piece of software, including any dependencies. Supply chain security rests on the notion that if one piece in your supply chain is vulnerable, the whole thing is vulnerable. 

With Log4j, this meant that any company that used a piece of software that used Log4j was vulnerable, even if they themselves weren’t directly using the package. 

It’s not just Log4j that companies need to fear. According to Sonatype’s 2021 State of the Software Supply Chain report, 29% of the most popular open-source projects contain known vulnerabilities. 

The report also contained the daunting stat that there was a 650% year-over-year increase in supply chain attacks in 2021. “Members of the world’s open-source community are facing a novel and rapidly expanding threat that has nothing to do with passive adversaries exploiting known vulnerabilities in the wild — and everything to do with aggressive attackers implanting malware directly into open-source projects to infiltrate the commercial supply chain,” Sonatype wrote in its report. 

Despite these threats of supply chain attacks, open source is thriving more than ever and most people tend to trust it more than proprietary or commercial software. Red Hat’s 2022 State of Enterprise Open Source report found that 89% of IT leaders think enterprise open source is either as secure or more secure than proprietary software. 

The top reasons to love (or hate) open source

In OpenLogic by Perforce’s 2022 State of Open Source report, the company asked respondents why they choose open-source software and then compiled a top five list.

According to the report, the top five reasons companies are turning to open-source software are:

  1. Access to the latest technologies 
  2. No license cost, or overall cost reduction
  3. Enables modernization of their technology stack
  4. There are many options
  5. Constant releases and patches

“Most, if not all, the innovation is happening in the open and open-source software,” said Perez. 

However, the report also gathered the top four reservations companies have when it comes to adopting open-source software. These include:

  1. Lack of in-house skills to test, use, integrate, or support the technology
  2. Restrictions of some open-source licenses
  3. It doesn’t scale as well as proprietary software
  4. Lack of real-time support

Fortunately, these reservations can be addressed by leveraging enterprise open source rather than trying to go it alone. 

What is enterprise open source?

Enterprise open source is a category of open-source software in which a company offers support for a specific project. 

Red Hat technology evangelist Gordon Haff says: “The way our CEO, Paul Cormier likes to describe it is it’s enterprise software developed using an open-source development model. You get the benefits of an open-source development model where you’ve got different organizations cooperating on doing development. So you get that advantage of the open-source development model, but at the same time customers can treat it — I wouldn’t say they can treat it as proprietary software — but they get the same kind of support process, testing process, and so forth that they would hopefully get from any software.”

Adding to this, in a blog post from Red Hat: “To be what we’d call enterprise open source, a product requires testing, performance tuning, and be proactively examined for security flaws. It needs to have a security team that stands behind it, and processes for responding to new security vulnerabilities and notifying users about security issues and how to remediate them.”

According to Perez, there are a number of ways to commercialize an open-source project, but the most common one today is through the open-core model. In an open-core model, a company takes an open-source project and then adds functionality on top of it.

Perez explained that commercialization of open-source software has been particularly successful in the database space. 

Another example is Kubernetes, for which there are hundreds of companies that offer products built around Kubernetes. “There are a lot of people out there for whom a managed Kubernetes service [makes sense]. They don’t want to have to hire a bunch of SREs to operate Kubernetes,” said Haff. 

Security and enterprise open source

While security isn’t necessarily the only draw for enterprise open source, Red Hat’s survey shows that customers value it for a number of reasons relating to security. 

  • 52% like that security patches are well-documented
  • 55% like being able to use well-tested open-source code in their applications
  • 51% value that vulnerability patches are made available quickly
  • 44% appreciate that there are more people reviewing and testing the open-source code
  • 38% like being able to audit the code, which isn’t something they’d have access to if purchasing a proprietary solution. 

According to Haff, when they started the survey four years ago, the number one benefit of enterprise open source was lower cost of ownership, but over time attributes like security and high-quality software have steadily climbed to the top of the list of benefits. 

“I think in general, people are just seeing that open source and enterprise open source is just better software than proprietary,” said Haff. 

However, Haff did emphasize that security is still the responsibility of the company, not the software provider. Even though these enterprise open source vendors might be providing quick patches to vulnerabilities, the companies still need to have the processes in place to apply those patches and also to know what software they have in their stack.

Companies still need in-house skills 

OpenLogic’s 2022 State of Open Source report found that 41% of respondents struggle to keep up with patches on open-source infrastructure projects. 

According to Perez, a reason for this is not that companies don’t have enough people on staff to manage this, but that the people they do have are inexperienced. 

“[In the report] we also ask what were some of the barriers or concerns for you to adopt more open-source technologies? And the number one answer was the lack of access to skills, the expertise or the proficiency to do so,” said Perez. “Many people want to, for example, make more use of cloud native, more use of containers, more use of Kubernetes. And, they don’t do it just because they don’t have the skills, or don’t have the people with the proficiency and expertise to do it.”

Buying commercial software doesn’t really solve this issue, according to Perez. Sure, a company might be able to pay a little extra to get additional services or consulting, but “the ability to have someone to call, someone to assist on the configuration, that’s the other piece,” said Perez. “One thing is just keeping up with the patches, but the other piece is how do you properly configure the software, especially at a larger scale? And when companies are scaling up they need more software infrastructure? How do they configure it? How do they architect that and that’s where the need for skills becomes much more important. And that’s a fact. I mean, there are 1000s and 1000s of job openings right now for open-source skills.”

Haff reemphasized this need for companies to still have in-house skills to take advantage of the frequent patches that an enterprise open source vendor would provide. 

“They do need to have processes in place,” said Haff. “And even if they’re buying enterprise open source software where there are patches made available rapidly, they still need to have the processes to apply those patches and to know what the software they have is out there. So you know, just because you’re using enterprise open source, or for that matter, just because you’re using Microsoft Windows, doesn’t mean you can go ‘oh, my vendor is taking care of security for me and I don’t need to think about it.’ Obviously that’s not the case.”

How to pick an enterprise open source vendor

The more popular projects likely have several different companies to choose from, with varying levels of support. Going back to the example of Kubernetes, there are fairly vanilla options for Kubernetes or there are options where things like monitoring, logging, CI/CD, distributed tracing, and other development tools are integrated into the platform, according to Haff. 

“So if you try and do it yourself, there’s an awful lot of integration there. And really, Kubernetes itself is just the start of the story,” he said.

Haff says there are two main questions to ask when looking at solutions. First, do you want to have it on premises? And why is that? The second question would be what sort of skills are there in-house? 

According to Haff, Red Hat finds that a lot of people who are struggling to adopt containers are struggling because their development staff or resources are not sufficient for their needs. 

“Ultimately, if you’re going to be running Kubernetes clusters on prem, you’re gonna need some level of SREs and other people that I know how to do that,” he said. 
