When molten steel is immersed in water it transforms into one of the world's strongest materials. A resilient software supply chain is no different. Hardened steel requires combining alloys; a hardened software supply chain requires combining specialized tools "to examine both internally and externally sourced code" that reinforce, remediate, and strengthen the individual pieces of the whole supply chain.
Just as with steel, the process to create a resistant software supply chain requires intentional, precise steps. This happens not once, but continuously, for maximum effect. It makes the software supply chain more secure and, ultimately, more valuable.
Gartner's recent report, Technology Insight for Software Composition Analysis makes clear the importance of a resilient software supply chain with SCA tools. As the Gartner report explains:
"Mitigate risk by hardening the software supply chain. This includes examination of both internally and externally sourced code (and supporting scripts, configuration files and other artifacts) and creation of an internal repository of trusted components. Govern the use of external repositories.
Development velocity is another consideration. As development timetables continue to speed up, so must the ability to review the provenance (code origins) and veracity (code integrity) of everything in the production pipeline.
A reinforced software supply chain is paramount to a successful software composition analysis (SCA) program. The best SCA tools, like the Sonatype Platform, "help ensure that the enterprise software supply chain includes only secure components and, therefore, supports secure application development and assembly."
In short, a hardened software supply chain produces exemplary results.
Specifically, Gartner shares that a stronger, regulated software supply chain:
Software supply chain tools should draw from multiple, verifiable sources when evaluating open source components, to enhance the overall security of an application. Reports Gartner:
"In evaluating tools, consider the breadth of coverage of the vulnerability databases used to identify unsecure code. The National Vulnerability Database (NVD) is commonly used as a baseline source, although it should be supplemented with additional sources. It’s frequently the case that vulnerabilities are not reported to the NVD in a timely manner (or, in some cases, at all); hence, the need to rely on alternative sources of data."
Open source component licenses can introduce legal and/or financial risks to software. Monitoring licenses protects intellectual property and prevents inadvertent misuse of open source components. Automated monitoring is recommended.
"If [a risk is] discovered, the presence of a proscribed license would be cause to generate a defect ticket, or break a build, if an especially risky license appears within a codebase," says the Gartner report.
It is well known that open source components and third-party software exist throughout software supply chains. Lesser known is what's actually inside a particular application at any given moment. (Knowing what's inside requires a software bill of materials (SBOM); if you want to see what's inside your application, start by using our free service, the Sonatype Vulnerability Scanner, to generate one for your application.)
"As an organization acquiring software, you should begin to seek formal software bills of materials for the software you license and rely on," recommends Gartner.
Time is of the essence when it comes to securing software after a new vulnerability is announced. Writes Gartner:
“[O]rganizations are forced to rapidly identify their potential exposure by searching for possible use of compromised components. If SCA tools are in use, this can be a relatively simple task of running a report to show which applications utilize the suspect package.”
A strengthened software supply chain offers clear advantages. Forward-thinking organizations ask, how is this accomplished? Put simply, we believe Sonatype Platform provides a lot of the answers.
As Gartner reports, a fortified software supply chain isn't only a means to address security vulnerabilities or policy violations, though both are hugely important. Rather, unrelenting focus on the system as a whole reveals and protects a software application's overall health and vibrancy.
Evaluate your software supply chain as it currently exists and plan for inevitable changes. Create an SBOM for free using our Sonatype Vulnerability Scanner to identify the third party and open source component used within your applications. Remember that SBOMs are most useful when they are created on an ongoing basis, automatically, because the software components inside are never static, which is where Sonatype Lifecycle can help.
Create policies to manage security vulnerabilities and support legal obligations. Sonatype Repository Firewall enforces open source policies when procuring open source components from public repos, based on common risk factors, including security vulnerabilities, age, popularity, and licensing. Similarly, Sonatype Lifecycle automates open source policies across your entire SDLC with integration to Git repos, developer IDE's, and CI/CD tools.
Configure and use a repository to store binaries and artifacts; the best in class option is Sonatype Nexus Repository. It gives you a single source of truth for components used across your entire software development lifecycle including QA, staging, and operations. Many of our customers start by using our free version, Sonatype Nexus Repository OSS. However, enterprise customers find benefit from our unrivaled Repository Health Check tool, high availability, and premier customer education and support.
Maintain control of the software supply chain after deployment. While the first step to understanding your software supply chain is having SBOMs for all of your applications, it is just as important to automatically track components when the application is in production. Users of Sonatype Lifecycle get the benefit of continuous monitoring throughout the SDLC, including applications that are deployed and in production. For open source components used within third-party or legacy applications, where you do not have access to source code, Sonatype Auditor creates an SBOM to identify risk and will continuously monitor for newly disclosed vulnerabilities.
Next, we'll look at Gartner's recommendations for license compliance.