The modern software development process and the open-source software supply chain are creating unique challenges for security teams. Like an automobile, software is assembled from many components, and organizations need a better understanding of their software supply chain. The good news is that there are already mature products, open-source projects and even communities like OpenSSF (Open Source Security Foundation) creating solutions for software supply chain security. The challenge, as Bob West, Chief Security Officer at Prisma Cloud at Palo Alto Networks, points out, is more cultural than technological.
I sat down with West to understand how the modern software supply chain is creating new challenges for security and DevSecOps teams, what solutions are available and how organizations can improve their security posture.
Key highlights from this video interview:
- Supply chain attacks are increasing, which West attributes to developers not being taught how to code securely and to the applications organizations use being partly open source or assembled from several vendors. West discusses why it can be challenging to secure the software supply chain.
- Organizations are consuming more and more open source software, but even though you can access the code, you do not necessarily know who has been contributing to it. West explains why it is important to have security tools built into the entire software development process to reduce the attack surface.
- West goes into depth about how aware organizations are of the risks in their software supply chain. He feels that some organizations very much understand and internalize software supply chain issues. However, he believes many others do not properly invest in securing the software supply chain, and he explains the risks they face.
- While securing the software supply chain is a technology problem, it is also a cultural one. West sees it as a bigger cultural issue that needs to be solved by asserting the importance of securing the software supply chain from the board of directors down.
- Prisma Cloud has introduced a supply chain security module to make it easier for teams to embrace security. The module helps developers visualize all the components in the cloud supply chain in one place. West goes into detail about the main features of the Prisma Cloud supply chain security module and why he feels keeping things simple is key.
- West shares his advice on how companies can improve their security posture, saying that they need to have a deep understanding of their most critical applications, how much revenue those applications drive, and the regulatory requirements. He goes on to discuss assessing organizations’ risk profiles.
- For organizations consuming a lot of open source with developers on payroll, it is important to report bugs and contribute back. West discusses how organizations can participate in the open source culture and become good open source citizens.
- West reiterates the importance of seeing software as a journey, one that changes and evolves continuously. He explains that as new software is introduced, security issues may change as well. He believes it is vital to have a continuous view of the application ecosystem and supply chain.
The summary of the show is written by Emily Nicholls.