How Software Supply Chains Go Wrong
In this episode, Matt compares his recent move into his new home to software production, making a strong point that no matter how great your team and efforts are, mistakes are still inevitable in the build and release process.
Learn More- See post: Why your need to go beyond vulnerabilities
- ReversingGlass: The DNA of Software Supply Chain Security
- Report: The Software Supply Chain Risk Report
MATT ROSE: Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is entitled, as is always across the top, How Do Supply Chains Go Wrong? How Do Software Supply Chains Go Wrong? So this is something that I thought about, a new analogy about software supply chains and how they go wrong.
And the kind of idea came out of the fact that I moved last week. Yep, went through the process of moving. Don't recommend it to anybody, but it is a chaotic experience. So thinking about moving, we're basically taking all our possessions and boxing them up and then having movers move them somewhere and then put them in the proper room.
So went through the process and we're very diligent. This is a box for the master bedroom. This is a box for the study. All labeled very clearly. So they knew where they wanted to go. Kind of like we're talking about a piece of software where we have the open source code, the first party code, third party code, what have you.
So think about the boxes that you're moving your things and the pieces of your component or your piece of software application all put together. Here's where things go awry. I have found some of the weirdest things in my house in the weirdest places. Let's jump into something real quick here, so this is a quick example here.
We'll make that right there. This is my basement. A lot of things were put in the basement, labeled basement. That's great. Problem is, all of a sudden started to say where are the coffee mugs? Where is the air fryer? Because I want to make dinner. Couldn't find them. Box was clearly labeled kitchen. Box was clearly labeled that these things did not belong in the basement.
In this back corner, I was able to find three boxes that meant to go to the kitchen were in the basement in the back corner. The better one that I don't have a picture of was a box of tools and motor oil was in my bedroom. So I went through the process of doing the right things, labeling the boxes, paying movers to basically move the boxes to the appropriate room, but they appeared in the wrong spot.
They were lost. People didn't know how to manage where they went. Movers still did a great job, but think about this in terms of your software, your applications where everything is labeled correctly. You have all the components where they're supposed to be. They're all checked with the appropriate tools.
It doesn't matter if it's the source code or the open source or the CI/CD pipeline. The problem is something happened, even though it was properly labeled, it got to the wrong spot or something got included in the wrong room, like the motor oil in my bedroom. That was not a plan, and I'm sure glad I found it before it leaked through the box and ruined the carpet.
So if you're thinking about malware in your code, you're thinking about supply chain risk, privilege escalation... even though you're doing the right things and mapping out how these things go together, where they should be, and how they should work together: Chaos happens. Modern software and modern applications are very complicated.
There's a lot of things going on. There's a lot of people working on that. Just there's a bunch of movers moving the boxes, putting things in the wrong spot. One person, say you have a hundred developers, put something in the wrong spot or download something from a insecure site or leaves a socket, a port, something open to the public so people can see it.
Things can happen. So when you're thinking about supply chain risk go back in time- I'm sure everybody's moved at one time- Just the utter chaos with taking everything and moving it from one place to another even though everything's again labeled correctly And you had the best intentions. That's why software supply chain risk is becoming more and more of a issue for people.
It's just that complexity that chaos of the software being built. Food for thought. Don't recommend anybody move anytime soon. I'm finally getting back to normal. The glass board's in a new studio, so hopefully the sound and the image is as good. We're gonna improve on it, but thanks for watching.
I'm Matt Rose. This is ReversingGlass. Have a great rest of your day.