
Press Rewind

by Jay Cuthrell

Music: Del the Funky Homosapien - Press Rewind (2000)

This week we take a look at recent updates in software supply chain security that may provide an ability to press rewind.

Getting Informed

If you didn’t know already, Fudge Sunday offers a Spotify playlist of the music that inspired 76+ weeks of issues. Mash that subscribe button, or something.

https://open.spotify.com/playlist/2ZALK6TiXvBVztITrrybkN?si=7b839925fe094998

While the promise of ever smarter devices may provide a roadmap for a better future, there will undoubtedly be a few bumps in the road along the way. Indeed, some bumps will be jarring enough for some to require starting the journey over from scratch — or, to say it differently — press rewind.

Readers of Fudge Sunday may recall the March 2022 issue on SCA, xAST, RASP, DevSecOps, and SBOM in software supply chain security. Well, now there is an emerging example of the importance of software supply chain security that will likely grace every presentation you’ll see from vendors in the coming months (years?).

https://www.techmeme.com/230421/p15#a230421p15

If you know me, then you know my background is in telecom from the 1990s. I was one of those folks that was starting my career as Voice over IP (VoIP) was in its infancy — and I embraced VoIP — warts and all.

Back in those days, office workers, or knowledge workers, would sit in cubicles in what were called cubicle farms. On these cubicle desk surfaces, you would find some form of desktop personal computer and the ubiquitous, often hated or ignored, proprietary office phone system with arguably cryptic features and many _many_ physical buttons.

Of course, most business class office worker VoIP was done using physical desktop phones that looked, and for the most part acted, like traditional desktop phones. The primary difference was that a VoIP phone device had software definable characteristics, settings, and flexibility with emerging standards — and was increasingly based on embedded Linux with color LCD screens as well as hardware and software buttons.

To understand the problematic side of such flexibility, consider this example… Doom, the game, runs on Linux too.

https://hackaday.com/2021/08/13/doom-on-a-desk-phone-is-just-the-tip-of-the-iceburg/

Next, let’s consider recent updates in software supply chain security that may help press rewind before it is too late. After all, not all actors will simply want to play fun and games on the smart devices of the future — malware is very real and very profitable for bad actors who will rely on asymmetric advantages.

Word sentinel invisible infidel interstellar 🎶

Software supply chain security will continue to be important as the toolchains become increasingly pervasive in more organizations. So, it is wonderful to see the Cloud Native Computing Foundation extending efforts to this critical concern.

https://www.cncf.io/blog/2023/04/19/building-secure-software-supply-chains-in-cncf-with-slsa-assessments/

Next, it is worth noting that software supply chain security isn’t just tools scanning tools that scan tools. There are people and processes needed too.

The eeriest mic mysterious 🎶

https://twitter.com/argvee/status/1649033203217494017?s=20

Perhaps there is no better example of people and processes in software supply chain security than the community of security-minded people and their own knowledge sharing. In software supply chain security, _if you see something, say something_ isn’t just an aphorism.

https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-16-4/

So, what will be the next big thing in our ability to press rewind in software supply chain security?

Until then… Place your bets!

Disclosure

I am linking to my disclosure.

🤓
