Open-source libraries provide a cost-efficient accelerator for software development, allowing teams to take advantage of pre-built, tested solutions for most common problems. So much so that open-source software constitutes over 90% of modern software solutions.
Effective management of third-party dependencies is critical, yet the subject of dependency management is complex. Many organisations struggle to implement the detective, corrective, and preventive controls to govern their open-source software usage, failing to address risks around license and legal exposure, quality, and security.
Why is this?
Amongst many reasons, the volume of third-party libraries in a single application can be staggering, with development teams overwhelmed managing upgrades or simply unaware of the libraries they are pulling into their software stack.
Access to tooling is another factor. While tools are available, many freely so, some organisations struggle to find the time to install, maintain, and support core developer platforms. Development teams – who are likely already under pressure to meet product milestones – have little bandwidth, or know-how, for running dependency management toolchains.
If this sounds familiar, here are five practical tips to enhance your dependency management and supply chain security to help mitigate the risks associated with vulnerable open-source libraries.
Establish foundational architectural governance.
The use of open-source libraries in software solutions is a given; less widely accepted is the need for an Open-Source Usage policy that governs their selection, use, distribution, and licensing.
That does not mean locking usage down or stifling innovation; instead, set clear rules around the expected quality – is the library well-maintained and supported, and do vulnerabilities get fixed in a timely manner?
Integrate security controls throughout your SDLC.
Security controls should be introduced throughout a Secure SDLC, from capturing security requirements, through build, test, and deployment, to ultimately operating the service in production. It is vital to identify risks and threats, especially those that affect open-source libraries and the software supply chain, and to implement mitigations across the full delivery cycle.
Once mitigations are identified, automate control points and gates into build pipelines – for example, ensuring that all builds include Software Composition Analysis (SCA) to identify the full dependency tree and flag license, quality, and security concerns.
Build out a core set of developer platforms.
Most squads don’t have the skills and experience, let alone the bandwidth, to install and operate a full stack of tooling that meets all your security controls. Consider centralising platforms and sharing patterns with a team of DevOps Engineers providing golden paths that make meeting the security controls easier. While these should not constrain squads from exploration, discovery, and innovation, they can offer an essential safety net.
Maintain a living inventory.
How quickly can you accurately answer the question, “do we have log4j running anywhere?”
Effective estate control goes beyond the creation of a CMDB that identifies assets, services, and their ownership - by the time the work has been put into establishing this baseline, it's usually already out of date. To keep a continuous operational grip, we recommend combining accurate, real-time asset management with a continuous assessment of state – e.g. pipelines can publish an SBOM into a living inventory of all of your software components and where they are deployed.
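To make the “living inventory” concrete, here is an added example (not code from the original post) that indexes CycloneDX-style SBOMs published per deployment and answers the log4j question in one query. The deployment names, components and versions are constructed sample values, and the purl parser handles only the `pkg:type/namespace/name@version` shape shown.

```python
"""Toy living inventory: index CycloneDX-style SBOMs published per deployment,
then answer "do we have log4j running anywhere?" in one query.
Added example, not code from the original post; deployments, components and
versions below are constructed sample values."""
import json
from collections import defaultdict

# Constructed sample: one CycloneDX SBOM per deployed service, as a build
# pipeline might publish them. Component purls follow the package-url spec.
SBOMS = {
    "payments-api (prod)": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}]},
    "reporting-batch (prod)": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    "web-frontend (prod)": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "purl": "pkg:npm/lodash@4.17.21"}]},
}
SBOM_JSON = {dep: json.dumps(doc) for dep, doc in SBOMS.items()}  # as stored on disk

def parse_purl(purl):
    """Minimal parser for 'pkg:type/namespace/name@version' purls.
    Qualifiers (?...) and subpaths (#...) are dropped, which is enough here."""
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    pkg_type, _, rest = body.partition("/")
    name, _, version = rest.partition("@")
    return pkg_type, name, version or None

def build_inventory(sbom_json):
    """Index every component as (type, name) -> [(deployment, version), ...]."""
    inventory = defaultdict(list)
    for deployment, raw in sbom_json.items():
        for comp in json.loads(raw).get("components", []):
            pkg_type, name, version = parse_purl(comp["purl"])
            inventory[(pkg_type, name)].append((deployment, version))
    return inventory

def where_is(inventory, fragment):
    """Return sorted (deployment, component, version) rows whose component
    name contains `fragment`, e.g. every log4j artifact and where it runs."""
    rows = [(dep, name, ver)
            for (_, name), places in inventory.items()
            if fragment.lower() in name.lower()
            for dep, ver in places]
    return sorted(rows)

if __name__ == "__main__":
    for dep, name, ver in where_is(build_inventory(SBOM_JSON), "log4j"):
        print(f"{dep}: {name}@{ver}")
```

Feeding the inventory from every pipeline run, rather than from a one-off scan, is what keeps the answer current as deployments change.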
Automate governance through continuous compliance.
Streamline end-to-end governance, risk, and compliance by automating the controls, evidence capture, and gates, so that software development teams can sustain a fast pace with safety, security and quality baked in. To achieve this, we set up attestations at every stage of the SDLC and assure that only approved builds can be deployed into production.
Taking these incremental steps towards improving your dependency management and supply chain security posture will help your development teams build and maintain products that are resilient, secure, and capable of withstanding the ever-evolving threat landscape.