
2022 Will See More Software Supply Chain Attacks |  Dennis Zimmer 


Guest: Dennis Zimmer (LinkedIn)
Company: Codenotary (LinkedIn, Twitter)
Show: 2022 Prediction Series

Dennis Zimmer, CTO and Co-Founder of Codenotary, predicts that software supply chain attacks will continue to wreak havoc in 2022. “I think we just got started and we are going to see much more sophisticated attacks. We still will see a lot of news that are still part of attacks that have already happened,” says Zimmer.

He also talks about the global push towards more secure supply chains. “When it comes to a global effort to protect from the attacks, we already saw from Joe Biden the Presidential Executive Order for Cybersecurity that is going to drive a whole wave of changes. And this wave will not stop in the US. This wave will actually be global,” avers Zimmer. What else did he predict? Check out the above video to know more.


Swapnil Bhartiya: Hi, this is the host of, and welcome to our series on predictions for 2022. And today we have with us, once again, Dennis Zimmer, CTO and co-founder of CodeNotary. Dennis, it’s great to have you on the show.

Dennis Zimmer: Thank you, Swapnil. A pleasure to be here and thanks for having me.

Swapnil Bhartiya: Before I ask you to grab your crystal ball and share your predictions, tell us quickly, what is the company all about?

Dennis Zimmer: So CodeNotary is all about data immutability, data protection and ultimately data trust. So we make sure that data can be stored in a trusted way and in a client-verifiable way. And we use this technology not just to provide it to the community as an open-source platform, but also to protect all the software of the supply chain, from protecting artifacts and evidence around artifacts, to the whole software build process, including everything that happens from the source code to the running binary.

Swapnil Bhartiya: Excellent. Now it’s time for you to grab your crystal ball and tell us what prediction you have?

Dennis Zimmer: There is one simple prediction when it comes to the software supply chain and that is that there will be many more software supply chain attacks. So I think we just got started and we are going to see much more sophisticated attacks. We still will see a lot of news that is still part of attacks that have already happened. I mean, [inaudible 00:01:25] is probably the most prominent example, but it’s also far from being over. So there are so many companies that are affected. So I assume that next year we will learn a lot more about the damage. We will learn a lot more about what else happened in this hosting space, but when there’s something bad, there’s always something good coming with it. So I will also predict that we will see much more technology that can be used to protect against future supply chain attacks, and that will automatically result in much better transparency and visibility for customers.

So customers ultimately will see what is really part of the closed-source, open-source, any kind of product that I’m running in my data center or running on my system. And actually, there’s a certain prediction. If you want to have transparency, if you want to have a clear overview, no matter if it’s your own software or you just use software, there need to be standards. So there will be much more work that is put into standards like SPDX and CycloneDX. So where software bills of materials become not just, I would say, a nice thing to have, they become essential when it comes also to not just shipping your product, shipping your patches and your software, but also shipping what it is part of, so the ingredients list, including all the different versions, for example, and not to forget a lot of these things are currently more dead packages, so they’re not alive.

So a lot of the technologies that are currently being used can scan packages before they’re being deployed or a container before it is being deployed. And we are going to see much more that is part of the runtime. So really checking if during runtime additional packages are being loaded, additional dependencies are being loaded, because that is automatically the biggest threat. So you actually are sure that you are deploying a software. You did everything you could, like vulnerability scanning, compliance scanning, a ton of people looked into it and over it, and then suddenly the system starts and it just loads the malicious dependency while it’s starting and it’s just there in the new environment.

And then when it comes to a global effort to protect from the attacks and to get rid of this easy and simple kind of attacks, we already saw from Joe Biden the presidential executive order for cybersecurity that is going to drive a whole wave of changes. And this wave will not stop in the US. This wave will actually be global and I’m absolutely sure, and I already see it from Switzerland and Germany, Australia, that companies are already asking for more insights into software, but they also ask for much more protection against potential supply chain attacks or everything that could threaten your runtime in your whole data center as a whole.

Swapnil Bhartiya: Thanks for sharing these predictions. If I can ask you, what is going to be the focus of the company in 2022?

Dennis Zimmer: So, of course, we want to continue with immudb. That is our open-source database that can be used to protect any kind of data by just storing it as tamper-proof and client-verifiable. So we are convinced that this goes far beyond the software delivery, but from a commercial perspective, our products are more and more focused on the software, the bill of materials, and on storing evidence through your whole software delivery life cycle. And one of the most important things we currently focus on is being compliant with all these upcoming standards.

So CycloneDX that is, but also to track and require the dependencies, the bill of materials, and the state of every single component in your software life cycle at any given point in time. So starting with the source code to your build process, but also watching consistently your runtime to be able to even detect and allow you to disable or remove your components that are malicious or compromised immediately from your current life cycle or from your current software.

Swapnil Bhartiya: Excellent. Dennis, thank you so much for taking time out today and of course, to share these predictions. And I would love to have you back on the show next year. Not only to check on how many of those predictions turn out to be true, but also to get a set of predictions for 2023 but thanks for your time today.

Dennis Zimmer: Thank you very much. Looking forward to it.