The Long Tail Of The Open-Source Software Supply Chain

Moshe Bar is co-founder and CEO of Codenotary. Previously, he co-founded Qumranet (sold to Red Hat) and XenSource (acquired by Citrix).

In just the last couple of months, we have witnessed numerous illustrations of how the software supply chain can be compromised with disastrous and wide-ranging consequences. And when I say wide-ranging, I mean that it affects just about every business and individual. Recent compromises we've seen crop up include widely reported external attacks such as log4j, which have caused companies of all types and sizes to scramble, looking not just to mitigate the short-term effects of security vulnerabilities but also searching for long-term answers on how to level up software supply chain security.

Even more noteworthy, we are now also seeing disruption in the software supply chain, without malicious intent, from maintainers of open-source software. For example, a developer of a very popular open-source component slipped in some harmless but extremely disruptive code when stating his discontent: "I am no longer going to support Fortune 500s with my free work."

These recent events, apart from shining a light on a newly weaponized class of vulnerabilities themselves, also highlight another urgent problem: the depth of penetration of open-source software into the global software supply chain, and how to secure the long tail of hundreds of thousands of open-source software components. Those may have come from a single "lone wolf" developer, or may have been produced as a volunteer project that is maintained by only a handful of people, or even, sometimes, none at all. Though the code is openly accessible and the projects are free to use, most developers probably built the software to scratch an itch, with security as an afterthought.

As that software becomes more popular and more widely used, the code typically expands to include more features, and only then is attention focused on security, thus causing the maintainer(s) to do more work, in many cases without any compensation. Given the importance of open-source software that is in use practically everywhere now, and its impact on the entire software supply chain, it is apparent that the model is badly broken. We ought to start thinking of solutions on a broader scale for ongoing maintenance and security.

Open source has always been about community, and it is time the community rethinks the value proposition when it comes to paying the maintainers of the software on which everyone depends. Many accept donations or sponsorships, so logic says that if you are relying on a particular piece of software, "Don't forget to tip the waiter." This goes a long way, providing maintainers with validation and acknowledgment for their work and, here is the big part, helping them dedicate the time necessary to ensure their software is a secure part of the entire software supply chain.

As an industry and as users of software, we need to ensure the integrity of the software supply chain. That begins with good corporate practices, such as a reliable, tamper-proof software bill of materials (SBOM), along with tracking every software component and where and how it is used. That gets us halfway to the mission of assuring a safe and secure software supply chain. The second part, or the long tail, of assuring the software supply chain requires building a partnership and payment model for the maintainers of the software that we are all dependent on.
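To make the "tamper-proof SBOM plus component tracking" idea concrete, here is a small added example (not code from the original article or from Codenotary). It builds a minimal SBOM from constructed artifacts, signs it so any later edit is detectable, checks a fetched artifact against the recorded digest, and answers the inventory question "which of our applications contain this component?". The component names, versions, artifact bytes, usage map and signing key are all made up; the HMAC tag stands in for the asymmetric signature a real SBOM pipeline would use.

```python
import hashlib
import hmac
import json

# Constructed sample: stand-in bytes for three dependency archives.
# Names and versions are invented for this example.
SAMPLE_ARTIFACTS = {
    ("example-logging-lib", "1.4.2"): b"example-logging-lib-1.4.2 contents",
    ("example-json-parser", "2.0.0"): b"example-json-parser-2.0.0 contents",
    ("example-http-client", "0.9.1"): b"example-http-client-0.9.1 contents",
}

# Constructed sample: which application consumes which component.
SAMPLE_USAGE = {
    "billing-service": [("example-logging-lib", "1.4.2"), ("example-json-parser", "2.0.0")],
    "customer-portal": [("example-logging-lib", "1.4.2"), ("example-http-client", "0.9.1")],
}


def build_sbom(artifacts):
    """Minimal SBOM: one record per component with a SHA-256 content digest."""
    components = [
        {"name": name, "version": version, "sha256": hashlib.sha256(blob).hexdigest()}
        for (name, version), blob in sorted(artifacts.items())
    ]
    return {"format": "minimal-sbom-example", "components": components}


def canonical_bytes(sbom):
    """Deterministic serialisation so the signature covers a stable byte string."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def sign_sbom(sbom, key):
    """Attach an HMAC-SHA256 tag (stand-in for a real asymmetric signature)."""
    tag = hmac.new(key, canonical_bytes(sbom), hashlib.sha256).hexdigest()
    return {"sbom": sbom, "hmac_sha256": tag}


def verify_sbom(signed, key):
    """True only if the SBOM bytes still match the tag; compare_digest is constant-time."""
    expected = hmac.new(key, canonical_bytes(signed["sbom"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["hmac_sha256"])


def artifact_matches(sbom, name, version, blob):
    """Check that a fetched artifact still has the digest the SBOM recorded for it."""
    for c in sbom["components"]:
        if c["name"] == name and c["version"] == version:
            return c["sha256"] == hashlib.sha256(blob).hexdigest()
    return False  # component not in the SBOM at all: treat as unknown, not trusted


def components_in_use(usage, component_name):
    """Sorted list of applications that ship any version of the named component."""
    return sorted(app for app, deps in usage.items()
                  if any(name == component_name for name, _ in deps))


def demo(key=b"example-signing-key"):
    """Sign, verify, tamper, re-verify, then run the inventory query."""
    signed = sign_sbom(build_sbom(SAMPLE_ARTIFACTS), key)
    ok_before = verify_sbom(signed, key)
    # Simulated tampering: quietly change a recorded version after signing
    tampered = json.loads(json.dumps(signed))
    tampered["sbom"]["components"][0]["version"] = "1.4.1"
    ok_after = verify_sbom(tampered, key)
    return ok_before, ok_after, components_in_use(SAMPLE_USAGE, "example-logging-lib")


if __name__ == "__main__":
    print(demo())  # (True, False, ['billing-service', 'customer-portal'])
```

The two halves map onto the article's point: the signed SBOM answers "has our record of what we shipped been altered?", and the usage map answers "where is this component deployed?" when a maintainer's project turns out to need attention.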

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.