Free Software, But No Free Lunch

July 25, 2019 By Katie McCaskey

2 minute read time

“This is a very important issue. Enterprises are not taking necessary precautions,” our SVP of Strategy and Corporate Development, Bill Karpovich, noted when talking about Fortune 100 cybersecurity.

“This is a solvable problem,” he continued, in an interview on Cheddar TV last week.

The revelation? Approximately 30% of the Fortune 100 companies still use the software component responsible for a massive data breach two years ago.

To explain why, Bill described how today's software is assembled like Lego building blocks. Up to 90% of manufacturers use open source components. These components provide tremendous benefit and are the foundation of proprietary software, but they also carry risk.

“There may be free code, but not a free lunch,” summarized Bill on the potential drawbacks of open source software in the manufacturing process. Our research bears this out: 1 in 4 enterprises admitted to a breach, or an attempted breach, last year.

To combat malicious actors, manufacturers must introduce cybersecurity practices earlier in the process. “Shifting left” means evaluating an open source component before it enters the development environment, or at the very least at the start of development. The same component must then be examined and tracked throughout the software's lifecycle, because a component that is clean when it is admitted can have a flaw disclosed later.

Network security is important, but it is no longer the only entry point for attackers. “The reality is,” said Bill, “the threat surface is the software itself.”

Bill recommends manufacturers embrace two primary defense mechanisms.

  1. Use software tools built to analyze open source software components 24/7. This can stop misbehavior at the door, before a compromised component even enters the enterprise. Software like our Nexus Platform automatically tracks components throughout the software lifecycle. Proper monitoring keeps bad parts from entering the software supply chain and identifies parts immediately if they go bad down the road.

  2. Enterprises must move faster. A bit more counterintuitive, says Bill, is the reality that to keep ahead of threats, enterprises must move quickly. Businesses that upgrade components and automate component review are significantly better protected. Our research shows that enterprises moving 2x faster than their competition find and remediate problems more successfully. How do you “go faster” in today's market? Successful teams use a combination of automation software tools and DevOps (or DevSecOps) work cultures.
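The two mechanisms above, and the "shift left" idea before them, describe one control: evaluate pinned components against known advisories before they enter the build, record what was admitted, and re-evaluate that same record whenever new advisories appear, upgrading quickly when one hits. The script below is an added example of that control, not code from the original page or from Sonatype's products. Every package name, version and advisory identifier in it is constructed for illustration; none corresponds to a real project or CVE.

```python
"""Component policy gate: check pinned open source components against advisories
before they enter the build, then re-check the recorded inventory when new
advisories appear. Added example, not the page's or Sonatype's code. All package
names, versions and advisory ids are constructed, not real projects or CVEs."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Finding = Tuple[str, str, str]  # (component, version, advisory id)


def parse_version(text: str) -> Version:
    """'2.3.10' -> (2, 3, 10). Only the leading digits of each segment count,
    so a pre-release suffix such as '1.2.0rc1' compares as 1.2.0."""
    key = []
    for seg in text.strip().split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    return tuple(key)


def vcmp(a: Version, b: Version) -> int:
    """Three-way compare, zero-padded so that 2.3 == 2.3.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory: affected if introduced <= version < fixed.
    fixed=None means no fixed release exists yet, so all later versions match."""
    id: str
    component: str
    introduced: str
    fixed: Optional[str] = None

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if vcmp(v, parse_version(self.introduced)) < 0:
            return False
        return self.fixed is None or vcmp(v, parse_version(self.fixed)) < 0


def parse_lockfile(text: str) -> Dict[str, str]:
    """Read 'name==version' lines (requirements.txt style) into an inventory.
    Unpinned components are rejected: the gate cannot evaluate a version it
    does not know, and this inventory is what gets re-checked later."""
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned component cannot be evaluated: {line!r}")
        name, version = line.split("==", 1)
        inventory[name.strip().lower()] = version.strip()
    return inventory


def evaluate(inventory: Dict[str, str], advisories: List[Advisory]) -> List[Finding]:
    """Every advisory that hits a component in the inventory."""
    findings = []
    for adv in advisories:
        version = inventory.get(adv.component.lower())
        if version is not None and adv.affects(version):
            findings.append((adv.component, version, adv.id))
    return sorted(findings)


def gate(lockfile_text: str, advisories: List[Advisory]) -> Tuple[bool, List[Finding]]:
    """The 'at the door' check: admit the lockfile only if nothing matches."""
    findings = evaluate(parse_lockfile(lockfile_text), advisories)
    return (not findings), findings


# Constructed sample data (hypothetical packages and advisories).
LOCKFILE_AT_INTAKE = """\
acme-webframework==2.3.10   # already past the fixed release of EX-2017-001
acme-xmlutil==1.4.0
acme-httpclient==0.9.2
"""
ADVISORIES_AT_INTAKE = [Advisory("EX-2017-001", "acme-webframework", "2.0.0", "2.3.9")]
# Published after intake: a version already in the build is now known bad.
ADVISORY_PUBLISHED_LATER = Advisory("EX-2019-002", "acme-xmlutil", "1.0.0", "1.4.2")


def lifecycle_demo() -> Dict[str, List[Finding]]:
    """Gate passes at intake; re-checking the recorded inventory catches the later
    advisory; upgrading to the fixed release clears it."""
    _admitted, at_intake = gate(LOCKFILE_AT_INTAKE, ADVISORIES_AT_INTAKE)
    inventory = parse_lockfile(LOCKFILE_AT_INTAKE)  # kept for the life of the build
    known = ADVISORIES_AT_INTAKE + [ADVISORY_PUBLISHED_LATER]
    later = evaluate(inventory, known)
    upgraded = {**inventory, "acme-xmlutil": "1.4.2"}
    return {"at_intake": at_intake, "after_new_advisory": later,
            "after_upgrade": evaluate(upgraded, known)}


if __name__ == "__main__":
    for stage, findings in lifecycle_demo().items():
        print(f"{stage}: {findings or 'clean'}")
```

The point the demo makes is that the gate alone is not enough: `acme-xmlutil==1.4.0` is admitted with a clean result, and only because the inventory was recorded and re-evaluated against `ADVISORY_PUBLISHED_LATER` does the build learn it now carries a flagged component. Rejecting unpinned lines is deliberate; a version range cannot be matched against an advisory, and the same pinned inventory is what you re-check later.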

Bill shared stats from Sonatype’s recently released State of the Software Supply Chain report. This report identifies the practices of exemplary software production teams. Teams that prioritize cybersecurity hygiene reap the commercial benefits.

Watch his full Cheddar interview here:

Tags: security, devops best practices, News and Views, Post security/devsecops, 2019 State of the Software Supply Chain Report

Written by Katie McCaskey

Katie is an experienced technology writer and entrepreneur. At Sonatype, she's focused on creating and finding great content.