Our society’s reliance on and implicit trust in information systems is akin to our reliance on and trust in critical infrastructure such as bridges. So shouldn’t critical software go through the same engineering and risk-management processes?
Let's dive into the software composition problem.
Blindly Trusting Things We Shouldn’t
The reuse/repeatability tenet of software development has led to a culture of using “other people’s” unknown/untested code and libraries.
Detecting Bad is Challenging
Fewer than 20% of dev shops have adequate controls to manage the risks of insecure/malicious code in the development process.
Zero Day Vulnerabilities for Everyone
Digitally transforming businesses are racing to become de facto dev shops, moving critical business applications onto unknown/unverified code.
DevOps Infrastructure is Target Rich
From Jenkins to Kubernetes, DevOps pipeline infrastructure is rarely configured securely and is more often than not chock-full of credentials and API keys ripe for the taking.
The Sleeping Dragon
Adversaries are embedding themselves in the code we (blindly) trust through the takeover of open-source projects or the compromise of public repositories and package managers.