I recently sat down for a spell with Bruce Mayhew, Director of Research and Development at Sonatype and co-author/project lead for OWASP WebGoat, to discuss his perspectives on the data revealed in this year's 2016 State of the Software Supply Chain Report. Here, he not only speaks about why the data within the report is so incredibly compelling, but also about how his team's research has come together in a way that surprises him, and might surprise you.
Listen to the full interview with Bruce Mayhew here.
Samantha: Given your role in the company, was there anything in the software supply chain report that surprised you?
Bruce: Lots of things surprised me in the report. One of the first ones that surprised me was the staggering growth and consumption of open source software and how prevalent open source components are in modern-day applications. Another thing that surprised me was the lack of visibility and control that security, legal, and architecture teams have over their consumption of open source components. I think the last thing that surprised me was that some of the public open source repositories are mutable in that they allow changing of the bits for a specifically versioned and published component, or that they allow the removal of published artifacts. Those were the three big surprises for me.
Samantha: Why do you think the information in the report is relevant to the people that build the software that's running the world today?
Bruce: It's hard to say which one's better without knowing some basic quality facts like sheer strength, or will they rust apart after two years? This is the type of information that we all need about our software components and today people just don't have it. I think people have to come to grips that open source is good for software development. It helps us be more innovative in what we build because we don't have to reinvent the wheel with every single application that we build. As our applications become more complex and our choices become more vast, we need to get in front of helping developers and enterprises make better decisions on the risk of what is being used. This report clearly articulates the scope of consumption, the tooling used to help consume open source, and that there is risk in blind consumption of these components.
Samantha: What else would you have liked to have seen in the report, and why?
Bruce: I think the report does a good job comparing software manufacturing to software supply chain management. It does a fantastic job at making you understand the vastness of the problem that we have today and the lack of visibility and control that we really do have inside our software supply chains.
What are some of the things that I would have liked to have seen, but which I understand are probably not applicable in the context of the report? I would have liked to have seen a deeper dive into how an enterprise can implement or adopt the Deming principles. How does one pick fewer and better suppliers? How do I integrate picking those components and suppliers into the way that I build software? I would have liked to have seen a breakdown of more of the attributes that make up good and bad components, projects and/or repositories. But these are all probably outside the scope of this particular document.
If you enjoy this interview and want to dive into the 2016 State of the Software Supply Chain Report yourself, the full report is available here.