Ever since I attended the recent Gartner Security & Risk Management Summit, I’ve found myself thinking a lot about if “you can trust your software supplier”. My colleague wrote about this a bit in a Gartner recap blog and our CEO co-presented on this topic with Curtis Yanko as part of a solution provider session.
We know 80% of an application is comprised of open source components downloaded from public repositories. We know 71% of applications contain security or licensing vulnerabilities. We also know that most application development and application security tools don’t specifically address component risk. Where does that leave us? The good news is that development is agile and extremely fast these days. The bad news is the change in software development from written to assembled has caused a massive software supply chain problem. It’s time to take the same principles other industries follow that have a complex, rapidly changing ecosystem and ensure the applications we use today are not openly exposed to risk.
Just imagine if your favorite car maker, Honda for example, didn’t have visibility into who their suppliers were and what parts of the car were vulnerable to safety hazards. I bet you wouldn’t buy a Honda. The same principle needs to apply to software development. The good news is, industry awareness is growing with the recent addition of A9 to the OWASP Top 10 list as well as early shifts in the regulatory and audit worlds. The time is now to become security aware. Watch this video, to understand how other organizations are starting to secure their software supply chain.
To learn how pervasive components are in your organization and where you might find potential security, licensing, or quality risks, download this snapshot report today. And the next time you're using an application, make sure you feel confident the providers trust their suppliers.