Gartner recently published research about the enterprise IT supply chain and impending threats that should encourage organizations to act. An overview of the research is available on Help Net Security: "Enterprise IT supply chains will be compromised". The title sounds ominous, but it's a good read that advises organizations to take a holistic approach to protecting the IT supply chain. We were happy to see that Neil MacDonald and Ray Valdes from Gartner cite research that Sonatype did with Aspect Security; research on open source software (OSS) downloads and how component vulnerability can impact the health of the IT supply chain.
Gartner's take is in line with how Sonatype sees the world. In the remainder of this post we'll address aspects that are particularly interesting and offer initial considerations about how to optimize the IT supply chain.
The New Reality
- IT Supply Chain = Complexity: The IT supply chain is highly complicated. Consider these words or phrases: distributed, complex, component based, internally & externally sourced, combination of hardware & software. And think about the job responsibilities necessary to effectively manage an IT supply chain. The number of roles necessary to gather requirements, design, develop, test, deploy, monitor, maintain software and it's related infrastructure is indicative of the IT supply chain complexity. As far as trust goes, complexity increases the likelihood of application issues and the number of threat vectors that can be manipulated to hinder the IT supply chain.
- Software is the critical link: Hardware, networking and other physical assets are a critical part of the IT supply chain; but you could argue that software is the key link. Hardware and networking has become standardized and commoditized, making that aspect of the IT supply chain easier to manage. We are also seeing hardware intelligence move into the software layer, providing greater agility and flexibility while placing more pressure on the software. At the same time, developers struggle to keep up with the requirements from their business constituents. Add to this the heightened expectations driven by the consumer-ization of technology and you can see how important software has become to the IT supply chain.
- It's about the extended IT supply chain: Open source, cloud, outsourcing, service-based architecture, re-useable components, partners, customer facing applications, etc… these are a few concepts that are driving the notion of an extended IT supply chain. Most of us probably can't even remember the days where applications were solely developed internally, deployed on-premise and limited to internal usage. Software development now involves outsourcing - including the entire project or portions of the development process. Software developed in-house is often compromised of open-source components sourced from public repositories like the Central Repository. Software is deployed on heterogeneous systems, and internal or on-premise deployments are more distributed than ever. Deployment has moved beyond the organizational walls to the cloud, or to some other hosted source. And it's not just how applications are developed or where they are deployed - the usage of software has extended the supply chain. In addition to internal users, software is used by subsidiaries, partners and by customers - this is a simple necessity in today's business climate.
- Collaboration is typically lacking: It takes a large number of diverse roles to manage the IT supply chain. It's not just about development - you have business analysts or product managers in the software world, architects, DBAs, developers, testers, build engineers, project managers, IT Ops, security professionals, IT procurement, etc. We don't have time to address each role today, but it's important to contemplate how the natural tension between these constituents can impact the efficiency of the supply chain. Let's take a look at developers and IT Ops. Developers are incentivized to deliver application functionality as quickly as possible. IT Ops is about controlled deployment and highly reliable and maintainable production applications. If this balance isn't managed effectively, the IT supply chain will suffer.
Some Initial Recommendations
We'll continue to cover this topic in future blog posts but here are some initial recommendations or considerations for securing the software aspect of your IT supply chain:
- Think about the entire lifecycle - it's not easy, but if you can think about the entire IT software lifecycle - design, develop, build, test, deploy and maintain, you'll mitigate risk and increase the efficiency of your IT lifecycle.
- Think about all your applications - it's not just new applications that are being developed. You have hundreds if not thousands of applications in production - you should consider these as well. And production applications are not static - even if they aren't being updated, newly discovered may appear. It's not enough to effectively manage new applications, you need a proactive, ongoing approach for production applications.
- It's not just about identification - it's important to proactively identify and monitor applications in your supply chain, but it's not just about problem identification. It's about early and streamlined remediation. In the development process, it's about finding and fixing problems early. For production applications, proactive monitoring and identification is a start, but the ability to manage the fix process quickly and painlessly is critical.
- Facilitate collaboration between all team members - overcome the natural tension that exists between IT constituents by defining common goals, implementing best practice processes and establishing governance. It's also important to build capabilities directly in the tools used by each constituent, including capabilities in the IDE and build tools used by developers.
- Use open source components wisely - given how re-usable open source components can accelerate application delivery, it's no surprise that open source usage continues to grow. It's now quite typical for applications to consist primarily of OSS components (80% or more according to some OSS experts). While the promise of OSS components is significant, this highlights that those components must be managed effectively. Research that Sonatype did with Aspect Security puts a fine point on this: 26% of the 113 million open source components downloaded by 60,000 organizations contained known vulnerabilities.
Stay tuned as we explore continue to explore the concept of an IT supply chain.