Gartner recently published research on the enterprise IT supply chain and the threats it faces, research that should prompt organizations to act. An overview is available on Help Net Security: “Enterprise IT supply chains will be compromised”. The title sounds ominous, but the piece is a good read that advises organizations to take a holistic approach to protecting the IT supply chain. We were pleased to see that Neil MacDonald and Ray Valdes of Gartner cite research that Sonatype conducted with Aspect Security on open source software (OSS) component downloads and on how vulnerable components affect the health of the IT supply chain.
Gartner’s view is in line with how Sonatype sees the world. In the remainder of this post we address the aspects of the research we find most interesting and offer initial thoughts on how to strengthen the IT supply chain.
The New Reality
- IT Supply Chain = Complexity: The IT supply chain is highly complicated. Consider the words and phrases that describe it: distributed, component based, internally and externally sourced, a combination of hardware and software. Then consider the job responsibilities needed to manage it effectively. The number of roles required to gather requirements, design, develop, test, deploy, monitor, and maintain software and its related infrastructure is itself an indicator of how complex the IT supply chain is. Where trust is concerned, complexity increases both the likelihood of application defects and the number of attack vectors that can be exploited to disrupt the IT supply chain.