Stephen Magill, vice president of product innovation at Sonatype, said federal agencies seeking to ensure a secure software supply chain should focus more on the open-source software and open-source libraries being used.
Magill discussed open-source libraries and how a library's popularity is associated with security vulnerabilities.
“We advocate paying attention to a project’s processes and noting whether the developers have built the capacity to release quickly and respond quickly to incidents,” he wrote.
“Furthermore, pulling in one component means pulling in all the components that it depends on, so agencies should make sure the development team is following best practices for keeping dependencies up-to-date as well,” he added.
Magill noted that “understanding what’s in the supply chain is critical to national security” and that agencies should understand the importance of a software bill of materials (SBOM) and its role in managing software supply chains.
“An SBOM is a comprehensive list of a given product’s software components, open-source licenses and dependencies. It offers valuable insight into the software supply chain and potential risks,” he added.
He also discussed how automation could help agencies manage large volumes of artifacts while improving their results in risk remediation, vulnerability identification and code health.
“Automation can also help agencies build capacity to update open-source software on a regular basis. By routinely and automatically applying patches, agencies protect themselves from known vulnerabilities while improving their ability to respond quickly to zero-day attacks,” Magill added.
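As an added illustration of two points above, that pulling in one component pulls in everything it depends on and that an SBOM lists components, licenses and dependencies, here is example code that is not from the article or from Sonatype; the manifest, component names, versions and the advisory id are constructed placeholders, and the advisory feed stands in for whatever vulnerability source an agency's automation actually consults.

```python
from collections import deque

# Constructed manifest (hypothetical names/versions): component -> (license, direct deps).
MANIFEST = {
    "agency-portal@1.0.0": ("Proprietary", ["web-framework@4.2.1", "json-utils@2.0.0"]),
    "web-framework@4.2.1": ("MIT", ["http-core@1.9.3", "template-engine@3.1.0"]),
    "http-core@1.9.3": ("Apache-2.0", ["compress-lib@0.8.2"]),
    "template-engine@3.1.0": ("BSD-3-Clause", []),
    "json-utils@2.0.0": ("MIT", []),
    "compress-lib@0.8.2": ("MIT", []),
}
# Constructed advisory feed keyed by pinned component; the id is a placeholder, not a real CVE.
ADVISORIES = {"compress-lib@0.8.2": "ADV-PLACEHOLDER-001"}


def transitive_dependencies(root, manifest):
    """Every component reachable from root (root excluded), mapped to its
    shortest hop count. Breadth-first, so each name is recorded once."""
    seen = {}
    queue = deque((dep, 1) for dep in manifest[root][1])
    while queue:
        name, depth = queue.popleft()
        if name in seen:
            continue
        seen[name] = depth
        # A component missing from the manifest is kept (license "unknown"), not dropped.
        for dep in manifest.get(name, ("unknown", []))[1]:
            queue.append((dep, depth + 1))
    return seen

def build_sbom(root, manifest, advisories):
    """SBOM-style inventory: name, license, depth, direct deps, matching advisory."""
    components = []
    for name, depth in sorted(transitive_dependencies(root, manifest).items()):
        license_, deps = manifest.get(name, ("unknown", []))
        components.append({"name": name, "license": license_, "depth": depth,
                           "dependencies": list(deps), "advisory": advisories.get(name)})
    return {"product": root, "components": components}

def flagged(sbom):
    """Components with an advisory, mapped to the depth at which they were pulled in."""
    return {c["name"]: c["depth"] for c in sbom["components"] if c["advisory"]}

if __name__ == "__main__":
    sbom = build_sbom("agency-portal@1.0.0", MANIFEST, ADVISORIES)
    for c in sbom["components"]:
        tag = f"  <- {c['advisory']}" if c["advisory"] else ""
        print(f"{'  ' * c['depth']}{c['name']} [{c['license']}]{tag}")
```

Running it shows the flagged component three hops below the product, which is exactly the kind of dependency a direct-dependency-only review would miss.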