Modern Software: What’s Really Inside?


As the cybersecurity industry approaches conference season, it’s incredible to see members of the community eager to share their experiences. One might argue that the call-for-speakers process offers a deep and broad snapshot of what’s on the collective minds of the entire cybersecurity ecosystem. One of the most intriguing topics of discussion observed in this year’s RSAC 2023 Call for Submissions Trends Report was in and around open source, which has become more ubiquitous and less siloed than previously observed. Modern software has changed, and with it come both promise and peril.

Does Anyone Write Their Own Software Anymore?


Not surprisingly, cybersecurity professionals spend a lot of time talking about software: how it’s assembled, tested, deployed, and patched. Software has a significant impact on every business, regardless of size or sector. Teams and practices have evolved as scale and complexity have increased. As a result, “Modern software is being assembled more than it’s being written,” says Jennifer Czaplewski, senior director at Target, where she leads DevSecOps and endpoint security; she is also an RSA Conference program committee member. That’s not merely an opinion. Estimates of how much software across the industry includes open source components (code that is directly targeted in attacks small and large) range from 70% to nearly 100%, creating a huge, shifting attack surface to protect and a critical area of focus for everyone’s supply chain.

Assembly of code creates widespread dependencies, and transitive dependencies, as natural artifacts. These dependencies reach far deeper than the code a team writes itself, and the teams incorporating them also need to better understand the processes used to run, test, and maintain them.

Nearly every organization today has an unavoidable reliance on open source code, which has driven demand for better ways to assess risk, catalog use, track impact, and make informed decisions before, during, and after incorporating open source components into software stacks.

Building Trust and Components for Success

Open source isn’t just a technology issue. Or a process issue. Or a people issue. It really stretches across everything, and developers, chief information security officers (CISOs), and policymakers all play a role. Transparency, collaboration, and communication across all of these groups are key to building critical trust.


One focal point for trust building is the software bill of materials (SBOM), which grew in popularity after President Biden’s May 2021 executive order (EO 14028). We’re starting to see tangible observations of quantifiable benefits from its implementation, including control and visibility of assets, more rapid response times to vulnerabilities, and overall better software life-cycle management. SBOM’s traction seems to have spawned additional BOMs, among them DBOM (data), HBOM (hardware), PBOM (pipeline), and CBOM (cybersecurity). Time will tell whether the benefits outweigh the heavy duty of care placed upon developers, but many are hopeful that the BOM movement could lead to a uniform way of thinking about and approaching the problem.
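The two claims above, that assembled software carries transitive dependencies deeper than the code a team writes, and that an SBOM gives faster response to vulnerabilities, are concrete enough to show in code. The following is an added example, not code from the article or from any SBOM tool it mentions. It parses a constructed CycloneDX-style JSON SBOM, walks the dependency graph from the application’s root component, and matches every reachable component against a constructed advisory list (the component names, versions and advisory IDs are illustrative, not real packages or CVEs), reporting the chain of dependencies that pulls each affected component in. The graph walk goes beyond the article in one respect: it reports depth for every dependency, not only the vulnerable ones, which is the “visibility of assets” benefit the text describes.

```python
"""Walk a CycloneDX-style SBOM: find every transitive dependency of the
application, report how deep each one sits, and flag components named in a
(constructed) advisory list together with the path that pulls them in."""
import json
from collections import deque

# Constructed sample SBOM in the shape of a CycloneDX 1.4 JSON document.
# Names and versions are illustrative; they are not real releases.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:pypi/example-app@1.0.0",
                               "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webframework@2.3.1", "name": "webframework", "version": "2.3.1"},
        {"bom-ref": "pkg:pypi/httpclient@0.9.0", "name": "httpclient", "version": "0.9.0"},
        {"bom-ref": "pkg:pypi/urlparse-lib@1.2.0", "name": "urlparse-lib", "version": "1.2.0"},
        {"bom-ref": "pkg:pypi/logutil@4.0.0", "name": "logutil", "version": "4.0.0"},
    ],
    # CycloneDX expresses the graph as one entry per component listing what it depends on.
    "dependencies": [
        {"ref": "pkg:pypi/example-app@1.0.0",
         "dependsOn": ["pkg:pypi/webframework@2.3.1", "pkg:pypi/logutil@4.0.0"]},
        {"ref": "pkg:pypi/webframework@2.3.1", "dependsOn": ["pkg:pypi/httpclient@0.9.0"]},
        {"ref": "pkg:pypi/httpclient@0.9.0", "dependsOn": ["pkg:pypi/urlparse-lib@1.2.0"]},
        {"ref": "pkg:pypi/urlparse-lib@1.2.0", "dependsOn": []},
        {"ref": "pkg:pypi/logutil@4.0.0", "dependsOn": []},
    ],
})

# Constructed advisory feed with hypothetical IDs (not real CVEs). The second
# entry names a package we use but a version we do not, so it must not match.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "name": "urlparse-lib", "affected_versions": ["1.2.0", "1.2.1"]},
    {"id": "ADV-0002", "name": "webframework", "affected_versions": ["1.0.0"]},
]


def load_graph(sbom_json):
    """Return (root_ref, components_by_ref, edges) from a CycloneDX JSON string."""
    bom = json.loads(sbom_json)
    root_component = bom["metadata"]["component"]
    root = root_component["bom-ref"]
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    components[root] = root_component
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root, components, edges


def transitive_paths(root, edges):
    """Breadth-first walk from the root. Maps every reachable ref to one
    shortest path (list of refs) that pulls it in; the visited set also
    keeps a cyclic graph from looping."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for child in edges.get(current, []):
            if child not in paths:
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths


def depth_report(sbom_json):
    """Map each dependency ref to its depth below the application (1 = direct)."""
    root, _, edges = load_graph(sbom_json)
    return {ref: len(path) - 1
            for ref, path in transitive_paths(root, edges).items() if ref != root}


def find_affected(sbom_json, advisories):
    """Return (advisory_id, ref, path) for each advisory whose name AND version
    match a component the application transitively depends on."""
    root, components, edges = load_graph(sbom_json)
    hits = []
    for ref, path in transitive_paths(root, edges).items():
        comp = components.get(ref, {})
        for adv in advisories:
            if comp.get("name") == adv["name"] and comp.get("version") in adv["affected_versions"]:
                hits.append((adv["id"], ref, path))
    return hits


if __name__ == "__main__":
    for ref, depth in depth_report(SAMPLE_SBOM).items():
        print(f"depth {depth}: {ref}")
    for adv_id, ref, path in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{adv_id}: {ref} reached via " + " -> ".join(path))
```

On the sample data the only hit is the hypothetical ADV-0001 against urlparse-lib, three levels down and never named in the application’s own manifest, which is exactly the kind of exposure a flat list of direct dependencies would miss. Two caveats a practitioner would add: a component that appears in `components` but in no `dependencies` entry is unreachable from the root and is silently skipped here, so a generated SBOM with an incomplete dependency graph under-reports; and real advisory feeds express affected ranges, not exact version lists, so the equality check is a stand-in for a proper version-range comparison.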


Additional policies and collaborations, including the Securing Open Source Software Act, the Supply chain Levels for Software Artifacts (SLSA) framework, and NIST’s Secure Software Development Framework (SSDF), seem to encourage the practices that have made open source so ubiquitous: the collective community working together with the goal of ensuring a secure-by-default software supply chain.


The overt focus on the “cons” around open source code, its manipulation, and the attacks that target it has given birth to new efforts to mitigate the associated risk, through development processes and reporting as well as through technology. Investments are being made to avoid ingesting malicious components in the first place. This introspection, and the real-life learnings around software development, the software development life cycle (SDLC), and the supply chain as a whole, are incredibly beneficial to the community at this stage.

In fact, open source can greatly benefit open source! Developers rely on open source tools to integrate critical security controls into the continuous integration/continuous delivery (CI/CD) pipeline. Continued efforts to provide resources, such as the OpenSSF Scorecard, with its promise of automated scoring, and the Open Source Software (OSS) Secure Supply Chain (SSC) Framework, a consumption-focused framework designed to protect developers against real-world OSS supply chain threats, are just two examples of promising activities that will support teams as they assemble software.

Stronger Together

Open source has changed, and will continue to change, the software game. It has affected the way the world builds software. It has helped speed time to market. It has stimulated innovation and reduced development costs. Arguably, it’s had a positive impact on security, but work remains to be done. And building a more secure world takes a village coming together to share ideas and best practices with the greater community.
