Today, open-source code is everywhere. In fact, 99% of all codebases contain open-source code, and anywhere from 85% to 97% of enterprise codebases come from open-source. What does that mean, exactly? It means that the vast majority of our applications consist of code we did not write. So, the question isn’t if our applications run on open-source code, but rather how much? And on which applications, specifically?
The vulnerabilities in third-party or open-source dependencies have the potential to put any application of any organization at risk, but the threat and possible security impact for mission-critical software – within the software supply chain, specifically – is greater than what we may have thought.
Of all the issues coming from the SolarWinds exploit, this is perhaps the most important. Even though the breach in and of itself affected up to 18,000 clients – including Fortune 500 companies and multiple U.S. government agencies – it’s the method of attack that is arguably most dangerous. This was a supply chain attack. Instead of needing to exploit unpatched software vulnerabilities on their targets’ systems or trick individuals into downloading malicious software, the hackers simply relied on SolarWinds’ clients installing the software update at the company’s prompting.
Effectively, the hackers turned a run-of-the-mill software update into a highly sophisticated, dangerous weapon. Herein lies the crux of the threat, which, in turn, is forcing companies to entirely rethink their approach to protecting mission-critical supply chain software.
This starts and ends with being able to inspect all elements of an application’s code, ensuring the absence of malware or other cybersecurity threats. Software composition analysis tools can support organizations in building safe, secure software for their supply chain. These cloud-based AI tools scan all application code – especially open source – for any security vulnerabilities throughout the software.
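As an added illustration of what a composition-analysis check does at its core (this is example code, not the article’s or any vendor’s tool): pinned dependency versions are read from a lock file and matched against advisories that record the first vulnerable and first fixed version. The lock file and advisory list below are constructed, and the advisory ids are placeholders, not real identifiers.

```python
"""Minimal software-composition-analysis (SCA) check, added as an example.
The lock file and advisories are constructed; ids are placeholders."""
from typing import Dict, List, Tuple

# Constructed lock-file content (requirements.txt style: name==version).
LOCK_FILE = """\
requests==2.19.1
urllib3==1.24.1
pyyaml==5.3.1
cryptography==41.0.5
"""

# Constructed advisories: (package, first vulnerable, first fixed, id).
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("urllib3", "0.0.0", "1.24.2", "ADV-EXAMPLE-1"),
    ("pyyaml", "0.0.0", "5.4", "ADV-EXAMPLE-2"),
    ("requests", "2.3.0", "2.20.0", "ADV-EXAMPLE-3"),
    ("cryptography", "0.0.0", "41.0.0", "ADV-EXAMPLE-4"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.24.1' into (1, 24, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def parse_lock(text: str) -> Dict[str, str]:
    """Read pinned 'name==version' lines; skip blanks and comments."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        pins[name.lower()] = version
    return pins


def find_vulnerable(pins: Dict[str, str], advisories) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for each pinned version
    inside the half-open range [first vulnerable, first fixed)."""
    findings = []
    for pkg, introduced, fixed, adv_id in advisories:
        if pkg not in pins:
            continue
        v = parse_version(pins[pkg])
        if parse_version(introduced) <= v < parse_version(fixed):
            findings.append((pkg, pins[pkg], adv_id))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv in find_vulnerable(parse_lock(LOCK_FILE), ADVISORIES):
        print(f"{pkg}=={ver} matches {adv}")
```

Note that cryptography 41.0.5 is not reported because it is at or above the fixed version, which is the comparison a real scanner must get right to avoid both false positives and missed findings.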
What’s crucial to note is that mission-critical supply chain software permeates all aspects of everyday life, and the systems are often required to run 24 hours a day, 365 days a year without failure. From automotive solutions and industrial automation to medical devices and semiconductors, software is becoming more complex and frequently multi-tiered. With this great innovation, however, comes great vulnerability.
Take the ever-evolving world of connected and automated vehicles, for example. There’s no question that the automotive industry is undergoing major digital transformation. While the bulk of a car’s value was traditionally made up of its mechanical, hardware and other physical components, software and connected services are quickly becoming the most important drivers of value and key differentiators in the space.
Renovo, an automotive software company, faced a core development challenge: operating in the world of safety-critical embedded systems while retaining its identity as a dynamic, AI-driven solution. By using mission-critical security solutions, the company achieved the necessary coherence between its AI pipeline and the safety-critical world.
So, at this point, one may reasonably ask, “what’s the connection between autonomous vehicles and IT security?” In short, both require some of the most complex software ever developed – specifically, supply chain software containing mission-critical applications that require the highest level of security.
Compared with other attack vectors, supply chain compromises may seem few, but they are certainly real, clear and present. They are highly targeted and carry an extremely high security risk, which makes monitoring our supply chain environment and activity more important than ever. For example, BlackBerry’s Jarvis software composition analysis tool was tested on the Department of Defense’s in-orbit satellite systems, where it detected a backdoor in a piece of open-source code that evaded all the other tools tested in the process.
With most companies using open-source code to run large portions of their software applications, it’s clear that securing mission-critical supply chain software is a growing operational priority for companies and organizations across the spectrum. However, the critical question moving forward is – will those companies make the commitment to invest in the technology needed to provide adequate security?