
Sonatype Blog


Cybersecurity Improvement Act of 2017:  The Ghost of Congress Past

It seems like yesterday when Representative Ed Royce proposed legislation entitled the Cyber Supply Chain Management and Transparency Act.

How a Software Bill of Materials Uncovers Known Vulnerabilities

In two minutes, we can show you a full software bill of materials for your application. We can also identify any known vulnerabilities in the open source and third-party components within your Java application. Oh, and by the way, it’s free.

[Part 3] Code, Cars, and Congress: A Time for Cyber Supply Chain Management


[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management


Code, Cars, and Congress: A Time for Cyber Supply Chain Management

On December 4th, 2014, U.S. Congressional Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS) introduced H.R. 5793, the "Cyber Supply Chain Management and Transparency Act of 2014." The legislation would require all contractors supplying software, firmware or products to the federal government to provide the procuring agency with a bill of materials of all third party and open source components used, and to demonstrate that those component versions have no known vulnerabilities.

"As a house is only as strong as its foundation, it's no wonder cyber attacks are on the rise with reports showing 71 percent of software contains components with critical vulnerabilities," said Rep. Royce in a press release from his office. "This bill protects our nation's cyber infrastructure by ensuring the building blocks that make it up are secure and uncompromised."

In light of this new legislation, I thought it would be worthwhile to revisit a set of discussions I started earlier this year focused on changes in software development, the prolific use of open source components today, and our need to embrace software supply chain management principles.

Part 1: It’s Just the Way Software is Made

Today software runs the things that run our world. In fact, I’m starting to see the pundits talk not just about securing and protecting our applications, but about embracing software supply chain management. With software so deeply embedded in every aspect of our lives, the companies running the software are accountable for protecting the consumers using it. In fact, it is just a matter of time before software liability becomes a reality (but that is a topic for another day).

Just like automobile manufacturers, software “manufacturers” need to apply supply chain management principles for both efficiency and quality. They need to be prepared to conduct a rapid and comprehensive “recall” when a defect is found. And today’s modern development practices make this, well, challenging to say the least.

As U.S. Representative Ed Royce (R-CA) introduced the Cyber Supply Chain Management and Transparency Act of 2014 last week, he stated, “It is precisely because of the importance of open source components to modern software development, that we need to ensure integrity in the open source supply chain, so vulnerabilities are not populated throughout the hundreds of thousands of software applications that use open source components.”

Bear with me a moment, as I take you through a quick history of Toyota’s supply chain innovations … then I promise to bring this back to your own software supply chain.

Toyota Transforms and Outperforms (Laying Agile Foundations)

In 1926, Sakichi Toyoda founded Toyoda Automatic Loom Works. From the start, he obsessed over efficiency and automation. He invented and ran the most advanced looms in the world, delivering dramatic improvements in quality and a 20-fold increase in productivity. Perfection and efficiency were so ingrained in his production processes that, for example, his looms stopped automatically whenever a thread broke.

When Sakichi’s son, Kiichiro, decided to move from textiles to auto manufacturing, the apple did not fall far from the tree. Kiichiro set about optimizing everything conceivable in the production of automobiles. His production innovations, eventually called the Toyota Production System (TPS), gave rise to Lean Manufacturing and Supply Chain Management principles.


Today, the effect of these principles on Toyota’s efficiency is remarkable. Company-wide, Toyota has a total of 226 suppliers while GM has more than 5,000. Toyota produces only 27% of the content of their vehicles while GM produces more than 54% of theirs. That means GM has twenty times the suppliers but still produces twice as much of their vehicles. The result? A Chevy Volt sells for nearly double the price of the Toyota Prius while the Prius outsells the Volt nearly fifteen to one.

The First Wave: Toyota’s Principles Drive the Innovations in Agile

Toyota’s principles not only improved auto manufacturing, but also extended to many other industries including software development. As early as 2000, Fujitsu Software Technologies -- desperate to improve productivity and overcome IT budget deflation in the post-bubble economy -- decided to experiment with applying TPS Lean Manufacturing to software development. This effort led to a wave of innovation in agile software development, a success that, in hindsight, is not at all surprising.

The Second Wave: Agile Meets Component-Based Development

Where Agile methods were based on iterative and incremental development (embracing Toyota’s lean manufacturing principles), Fujitsu did not do a whole lot with Toyota’s supply chain management innovations (sourcing reliable and thoroughly tested “parts” that serve your people and processes). This is where another transformational change in the software development ecosystem is just beginning to come into play: the use of open source and the embrace of component-based software development. That is, where agile software development must meet supply chain management.

Today, 90% of a typical application is composed of open source and third party components. The open source community is the dominant supplier of software building blocks, the components they develop feeding virtually all software development “supply chains”. These components are sourced within the software supply chain by development organizations, usually from public repositories.



To give you a sense of the scale of operations in today’s software ‘manufacturing’ supply chains, the largest source of Java components, known as the “Central Repository”, clocked in 13 billion downloads last year alone – more than 35 million components every day. Even that dramatically understates real usage, because more than a quarter of the download requests came from local component repositories (such as Nexus) that are in turn accessed by teams of developers locally.

Today’s reality: software assembly (together with agile) is just the way software is made.

In the next part of this blog series, we’ll take a drive down the software supply chain to help you understand where your software has really come from. As we continue the conversation, we will also discuss the implications of cyber supply chain management and transparency related to protecting your applications from attacks leading to breaches.

You can find Part 2 of Wayne's blog series here.

(image credit: http://bit.ly/1wFt6qW, http://bit.ly/1vUvGq8)


Talking Turkey in Texas: Open Source Governance Lags

Deep in the heart of Texas, I was leading a panel discussion at the Lone Star Application Security Conference (LASCON) a few weeks ago. The panel was “talking turkey” about the importance of application security and open source software development, when the conversation led to a discussion about software supply chains.

One of the panelists remarked that consuming open source components to assemble an application was similar to sourcing individual physical parts to assemble a finished product -- be it a car, a medical device, or a toy. The discussion then led to remarks about manufacturers being able to identify and recall at-risk parts in their products -- similar in nature to the Takata air bag recall for millions of vehicles that has recently been in the news.

Then it struck me how immature our software supply chains are today at assembling, monitoring, and tracking open source components when compared to other industries. I shared with the attendees (since we happened to be in cattle country) that it was somewhat surprising that beef distributors have more advanced supply chain management capabilities than our software industry has for managing at-risk open source.



Think about it. If a beef distributor finds E. coli has contaminated their beef supply, they can track the tainted beef through each distribution point, down to the store in my neighborhood, and down to the bar code of the package on their shelves. They can then remove the tainted packages and replace them with safe alternatives from the same or another supplier.

By comparison, most of the companies we surveyed earlier this year lacked the basic open source governance practices that a recall depends on:

  • 57% had open source governance policies in place (but only 68% of those followed them)

  • 63% did not track changes in vulnerability data for the components they used

  • 60% did not keep a complete inventory of the open source components, including all dependencies, used in their applications

This means that if a new vulnerability were announced, only 40% of firms might have a chance to track down that component and replace (i.e., recall) it successfully. Today, we cannot imagine not having the ability to track down contaminated beef, tainted medicines, or faulty cars.
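The two capabilities the survey bullets above say most firms lack (a complete component inventory that includes transitive dependencies, cross-checked against a changing vulnerability feed) are exactly what the "bill of materials uncovers known vulnerabilities" teaser earlier on this page promises. The script below is an added example that is not part of this post or of any Sonatype product: it takes a constructed bill of materials in Maven-style group:artifact:version coordinates with the dependency edges between them, matches each component against a constructed advisory feed using Maven bracket-range notation, and traces every hit back to the direct dependency the team would have to upgrade to "recall" it. All coordinates, versions and advisory IDs (EXAMPLE-2014-000x) are made up for illustration; the feed format and the `fixed_in` field are assumptions of this example, not a real data source. Python is used here because the tooling around a Java build is usually scripted rather than written in Java.

```python
"""Added example (not from the original post): match a software bill of
materials against a vulnerability feed and trace each hit back through the
dependency graph to the direct dependency a team would have to upgrade.
Every coordinate, version and advisory ID below is constructed for
illustration; none refers to a real project, release or CVE."""
from typing import Dict, List, Tuple

# Constructed SBOM: Maven-style coordinates (group:artifact:version) mapped to
# the direct dependencies each one declares. "app" is the application itself.
SBOM: Dict[str, List[str]] = {
    "app": [
        "com.example:web-framework:3.1.0",
        "com.example:json-mapper:1.8.2",
    ],
    "com.example:web-framework:3.1.0": [
        "com.example:expression-lang:2.2.5",
        "com.example:json-mapper:1.8.2",
    ],
    "com.example:json-mapper:1.8.2": ["com.example:expression-lang:2.2.5"],
    "com.example:expression-lang:2.2.5": [],
}

# Constructed advisory feed (format is an assumption of this example).
# Ranges use Maven bracket notation: "[" / "]" inclusive, "(" / ")"
# exclusive, an empty bound means unbounded on that side.
FEED = [
    {"id": "EXAMPLE-2014-0001", "component": "com.example:expression-lang",
     "affected": "[2.0,2.3)", "fixed_in": "2.3.0"},
    {"id": "EXAMPLE-2014-0002", "component": "com.example:json-mapper",
     "affected": "(,1.8.0]", "fixed_in": "1.8.1"},  # app is already past this
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1). Qualifiers such as '-beta' are dropped,
    which is enough for release versions; a production tool would implement
    the full Maven version ordering."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 for a < b, a == b, a > b, padding short versions with zeros
    so that '2.3' and '2.3.0' compare equal."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def in_range(version: str, spec: str) -> bool:
    """True when version lies inside a Maven-style range such as '[2.0,2.3)'."""
    lo_inclusive, hi_inclusive = spec[0] == "[", spec[-1] == "]"
    lo, hi = spec[1:-1].split(",")
    if lo and (compare(version, lo) < 0 or (compare(version, lo) == 0 and not lo_inclusive)):
        return False
    if hi and (compare(version, hi) > 0 or (compare(version, hi) == 0 and not hi_inclusive)):
        return False
    return True


def dependency_paths(sbom: Dict[str, List[str]], root: str) -> Dict[str, List[List[str]]]:
    """Every path from root to each component, so a finding can be traced to
    the direct dependency that pulls it in (transitively or not)."""
    paths: Dict[str, List[List[str]]] = {}

    def walk(node: str, trail: List[str]) -> None:
        for dep in sbom.get(node, []):
            if dep in trail:  # guard against cyclic declarations
                continue
            path = trail + [dep]
            paths.setdefault(dep, []).append(path)
            walk(dep, path)

    walk(root, [root])
    return paths


def find_vulnerable(sbom: Dict[str, List[str]], feed: List[dict], root: str = "app") -> List[dict]:
    """Cross-check the inventory against the feed; for each hit, list the
    direct dependencies of root that must be upgraded or overridden."""
    findings = []
    for coord, coord_paths in dependency_paths(sbom, root).items():
        group, artifact, version = coord.split(":")
        for advisory in feed:
            if advisory["component"] != f"{group}:{artifact}":
                continue
            if in_range(version, advisory["affected"]):
                findings.append({
                    "id": advisory["id"],
                    "component": coord,
                    "fixed_in": advisory["fixed_in"],
                    "upgrade_targets": sorted({p[1] for p in coord_paths}),
                    "paths": coord_paths,
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM, FEED):
        print(f"{f['id']}: {f['component']} (fixed in {f['fixed_in']})")
        for path in f["paths"]:
            print("   via " + " -> ".join(path))
        print("   recall by upgrading: " + ", ".join(f["upgrade_targets"]))
```

On the constructed data the only hit is expression-lang 2.2.5, reached by three paths through two direct dependencies; that is the practical point of keeping the full dependency graph rather than a flat list, since the fix is not "edit one line" but "upgrade or override every direct dependency that drags the affected version in". Re-running the check whenever the feed changes (rather than once at release time) is what the survey's "track changes in vulnerability data" bullet is asking for.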

Earlier this month, Gartner VP Earl Perkins published a new report discussing predictions for 2015. In the report he remarked that supply chain security failures will force 50% of businesses to negotiate contracts with suppliers to share risk and liabilities. (The Gartner report is only available here, for those with a subscription to their research.)

While Gartner believes this will happen by 2020, I would not be surprised to see this contract requirement much sooner than that. I don’t think we will be able to get through five more years of Heartbleed, Bash, Poodle, and Struts before open source vulnerabilities and liabilities are pulled to the front line. This is especially true for companies that include known vulnerable components in their software today. When known vulnerabilities are published and available to these businesses, any breach that stemmed from that vulnerability should have some level of liability associated with it.

It is time to improve the fundamentals around software supply chain management. If we can’t put faulty airbags in cars, or we need to remove tainted beef from store shelves to protect consumers, I can’t see why we wouldn’t have to monitor, track, and trace vulnerabilities in our software products.

Can you?

A special note to all of my readers and followers in the United States: please have a very Happy Thanksgiving. Enjoy every bit of the holiday with your friends and family!


Image credits: http://bit.ly/1zGteVg, http://bit.ly/1xShLCS

42,000 Nexus Repository Managers, and Growing!

[Editor's Note: An update to this article is now available. As of February 2015, active Nexus instances have reached 50,000. For more information, please see the new blog post at: http://blog.sonatype.com/2015/02/nexus-reaches-50000/#.VPTXZEuf96k]