2022: The year of software supply chain security

If 2020 was the year that we became acutely aware of the consumer goods supply chain (toilet paper, anyone? Anyone?), then 2021 was the year that the software supply chain rose in our collective consciousness. In perhaps the most infamous attack of the year, thousands of customers, including several US government agencies, downloaded compromised SolarWinds updates.

Alas, SolarWinds was not alone. Indeed, the weaknesses in our software supply chain were all too evident with the recent Log4j vulnerability. Log4j is a widely used open source Java logging framework, so the vulnerability has put tens of thousands of applications (ranging from data storage services to online video games) at risk.

With so much lightly maintained code running in production, the software supply chain is ripe for exploits like the Log4j vulnerability. This is a hot topic in open source because a lot of people consume lightly maintained software libraries, put them into production, and never patch them again.

This is why I am declaring 2022 the year of [wait for it] software supply chain security. But I’m not just going to declare a year and leave it at that (à la Michael declaring bankruptcy in “The Office”).

Following are three practices I predict will (and should) rise in importance in 2022 as organizations work to strengthen their defenses against software supply chain attacks.

Diving deep into distroless

In the year ahead, and beyond, companies should be thinking about standardizing and thoughtfully trimming down their container images, including the distro elements. In fact, some would go so far as to say that organizations should go “distroless.”
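What a distroless build looks like in practice, assuming a Maven-built Java service whose artifact ends up at target/app.jar (the project name, build tool and port are assumptions): an added example, not code from the article or from any project it mentions.

```dockerfile
# Added example (not from the article): a two-stage build that produces a
# distroless image for a Java service. "app.jar", the Maven build and port
# 8080 are assumptions; substitute the project's own values.

# Stage 1: build with a full JDK image. Everything here (Maven, the JDK,
# a shell, apt) stays out of the final image.
FROM maven:3.8-eclipse-temurin-17 AS build
WORKDIR /src
COPY pom.xml .
RUN mvn -q dependency:go-offline
COPY src ./src
RUN mvn -q package -DskipTests

# Stage 2: copy only the runnable artifact onto a distroless JRE base.
# The base carries no shell, no package manager and no coreutils, so a
# vulnerability scanner has far fewer OS packages to flag and a compromised
# process has far fewer tools available to it.
FROM gcr.io/distroless/java17-debian11:nonroot
WORKDIR /app
COPY --from=build /src/target/app.jar /app/app.jar
# Distroless ships a dedicated unprivileged user (uid 65532); run as it.
USER nonroot:nonroot
EXPOSE 8080
# There is no /bin/sh in this image, so the exec form is required;
# a shell-form ENTRYPOINT would fail to start the container.
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
```

A quick check that the trimming worked: `docker run --rm --entrypoint /bin/sh <image>` should fail because no shell exists in the final image. Note that this only shrinks the OS layer; a library such as Log4j that is bundled inside app.jar is still there and still has to be patched through the application's own dependency management.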

Copyright © 2022 IDG Communications, Inc.
