Securing Your Software Supply Chain

David Brumley
March 4, 2021

Part one of a three-part series. 

Applications contain hundreds of code components. Applications are constructed similarly to automobiles: parts are sourced from multiple vendors to produce software that is then used by the consumer.

There are various types of code components that make up applications: 

  • Third-party components. These are code components developed by an external individual or organization. Typically, third-party code is free and open source software (FOSS) or commercial off-the-shelf software (COTS). For example, a product team might use MatrixSSL to secure network communications in IoT and other lightweight scenarios. 
  • First-party components. First-party code is written in-house by the developing organization's own R&D team. It is written for functionality and features that are not freely and openly available, and it is also the glue that assembles the third-party components into a product. 

Black Duck Software, a leading software composition analysis vendor, found that 95% of the commercial applications it analyzed contain open source code. In fact, the majority of software is comprised of third-party components: up to 80% of an application can be third-party code.
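Before you can reason about the third-party share of a product, or about which of those components carry known bugs, you need an inventory. The script below is an added example (not code from the original post or from ForAllSecure): it parses a pip-freeze-style lockfile into first-party and third-party components, computes the third-party share, and matches each third-party component against a list of advisories. The lockfile contents, the `acme-` first-party prefix, the package versions, and the `ADV-…` advisory entries are all constructed for illustration; a real check would read the project's own lockfile and pull advisories from a vulnerability feed.

```python
"""Component inventory and advisory check for a Python project.

Added example, not from the original post. The lockfile text, the
first-party prefix and the advisory list are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed lockfile in `pip freeze` format for a hypothetical product.
LOCKFILE = """\
acme-core==2.3.1
acme-billing==0.9.0
requests==2.25.1
urllib3==1.26.3
cryptography==3.2
pyyaml==5.3.1
"""

# Constructed: package-name prefixes the organization itself maintains.
FIRST_PARTY_PREFIXES = ("acme-",)

# Constructed advisories: (package, first fixed version, advisory id).
# A component is affected when its version is below the fixed version.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("urllib3", "1.26.5", "ADV-0001"),
    ("pyyaml", "5.4", "ADV-0002"),
    ("requests", "2.20.0", "ADV-0003"),
]


@dataclass
class Component:
    name: str
    version: str
    origin: str  # "first-party" or "third-party"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Non-numeric segments are dropped, which is enough for the constructed
    data here; it is not a full PEP 440 comparison.
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_lockfile(text: str) -> List[Component]:
    """Parse `name==version` lines, classifying each as first- or third-party."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        name = name.lower()
        origin = "first-party" if name.startswith(FIRST_PARTY_PREFIXES) else "third-party"
        components.append(Component(name, version, origin))
    return components


def third_party_share(components: List[Component]) -> float:
    """Fraction of components that are not written in-house."""
    if not components:
        return 0.0
    third = sum(1 for c in components if c.origin == "third-party")
    return third / len(components)


def find_vulnerable(components: List[Component],
                    advisories: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (name, version, advisory id, fixed version) for every affected component."""
    hits = []
    for c in components:
        for pkg, fixed_in, adv_id in advisories:
            if c.name == pkg and parse_version(c.version) < parse_version(fixed_in):
                hits.append((c.name, c.version, adv_id, fixed_in))
    return hits


if __name__ == "__main__":
    comps = parse_lockfile(LOCKFILE)
    print(f"{len(comps)} components, {third_party_share(comps):.0%} third-party")
    for name, version, adv_id, fixed_in in find_vulnerable(comps, ADVISORIES):
        print(f"{name}=={version}: affected by {adv_id}, fixed in {fixed_in}")
```

On the constructed lockfile four of six components are third-party, and two of them (urllib3 and pyyaml) sit below the fixed version in their advisory. The point of the exercise is the second list: those components were not written in-house, but they ship in the product, so they are the product team's problem.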

Software is Assembled



You Can’t Beat Free?

It makes sense to take advantage of third-party code. There are a variety of benefits to using third-party components, especially open source. 

  • Faster time to market. Third-party code offers developers the foundational building blocks for features and functionality that would otherwise take considerable time to build from scratch. Using third-party components gives developers the boost they need to keep pace with ever-increasing development speeds.


  • Quality features. Outsourcing parts of your product to the experts often results in a quality output. For instance, car manufacturers rely on the specializations of their suppliers to build a quality vehicle. Similarly, if your organization wants to use the TLS protocol to secure communications, implementing the protocol yourself would be impractical and difficult: you would first have to hire developers who specialize in network communications and cryptography, and then implement TLS correctly, which is no easy feat. It is much faster and safer to use an established third-party component such as OpenSSL or MatrixSSL. 
  • Free of cost. The benefits of open source software may seem too good to be true. It allows developers to release faster, without having to code features from scratch or pay for them. Developers are creative individuals who solve complex problems with code. They are not security engineers. They are not QA engineers. They are not lawyers. Open source code fulfills the criteria that must be met for them to effectively complete their work. 

Developers are many things: creative, intelligent, and human. Developers sometimes make mistakes, and those mistakes turn into vulnerabilities. Irrespective of whether your developer wrote the code or not, if it's in your product, it is your problem.

In part two of the series, I will discuss some of the consequences of not analyzing open source. 

Download the complete white paper Build a Test and Evaluation Plan with Advanced Fuzz Testing.
