Music: Del the Funky Homosapien - Press Rewind (2000)
This week we take a look at recent updates in software supply chain security that may provide an ability to press rewind.
If you didn’t know already, Fudge Sunday offers a Spotify playlist of the music that inspired 76+ weeks of issues. Mash that subscribe button, or something.
While the promise of ever smarter devices may provide a roadmap for a better future, there will undoubtedly be a few bumps in the road along the way. Indeed, some bumps will be jarring enough for some to require starting the journey over from scratch — or to say it differently — press rewind.
Readers of Fudge Sunday may recall the March 2022 issue on SCA, xAST, RASP, DevSecOps, and SBOM in software supply chain security. Well, now there is an emerging example of the importance of software supply chain security that will likely grace every presentation you’ll see from vendors in the coming months (years?).
If you know me, then you know my background is in telecom from the 1990s. I was one of those folks that was starting my career as Voice over IP (VoIP) was in its infancy — and I embraced VoIP — warts and all.
Back in those days, office workers, or knowledge workers, would sit in cubicles, in what were called cubicle farms. On these cubicle desk surfaces, you would find some form of desktop personal computer, and the ubiquitous, often hated or ignored, proprietary office phone system with arguably cryptic features and many, many physical buttons.
Of course, most business class office worker VoIP was done using physical desktop phones that looked, and for the most part acted, like traditional desktop phones. The primary difference was that a VoIP phone device had software definable characteristics, settings, and flexibility with emerging standards — and increasingly was based on embedded Linux with color LCD screens as well as hardware and software buttons.
To understand the problematic side of such flexibility, consider this example… Doom, the game, runs on Linux too.
Next, let’s consider recent updates in software supply chain security that may help press rewind before it is too late. After all, not all actors will simply want to play fun and games on the smart devices of the future — malware is very real and very profitable for bad actors that will rely on asymmetric advantages.
Software supply chain security will continue to be important as the toolchains become increasingly pervasive in more organizations. So, it is wonderful to see the Cloud Native Computing Foundation extending efforts to this critical concern.
Next, it is worth noting that software supply chain security isn’t just tools scanning tools that scan tools. There are people and processes needed too.
I shudder to think how long this would have gone on if alarms hadn’t been tripped with the @SentinelOne user base. The nature of this is so stealthy, the threat actor could have a lot more lined up we aren’t seeing. Many unanswered questions. — Heather Adkins - Ꜻ - Spes consilium non est (@argvee) April 20, 2023
Perhaps there is no better example of people and processes in software supply chain security than the community of security minded people and their own knowledge sharing. In software supply chain security, “if you see something, say something” isn’t just an aphorism.
So, what will be the next big thing in our ability to press rewind in software supply chain security?
Until then… Place your bets!
As a reminder, after a +25 year walkabout, I’m an IBMer (again). For 2023, in “Work Plug”, I’ll share a new link each week that is educational, accessible, and relevant to platform engineering from fellow IBMers[1] in the wider IBM Community.
I am linking to my disclosure.
[1] Shout out to Stephanie “Snow” Carruthers