Securing the software supply chain has never been more vital. Since 99% of the world’s software has at least some open source code in its DNA, vulnerabilities in open source code can have a global ripple effect across the millions of people and services that rely on it.
The fact remains that although technology has advanced significantly in the past decade and cybersecurity is more mainstream than ever, as an industry we continue to struggle to keep pace with sophisticated threat actors.
Securing open source is a team sport, and we all have a role to play in how we enable open source communities for success to ensure that the code they build and use daily is trusted and secure. As more companies continue to adopt open source software in their technology stacks, leaders must encourage collaboration across their business teams to work together to stop cyber attacks before they occur.
But what does that look like for business and security leaders in their quest to secure the software supply chain?
Security will become a more diverse discipline
To enable the next wave of secure software development, engineering and security teams must work more closely together. Some of the most critical security work happens in engineering teams, and co-development and strong security practices will allow developers to go further, faster, and innovate more confidently than ever before.
Security teams will also need to develop more of their own solutions in addition to purchasing cybersecurity tools and services off the shelf. Threats are becoming more varied and complex, so we'll see more diverse hiring within security teams - in background, education, and technical capabilities - to combat those threats as well. This will ultimately lead to a stronger security culture, closer integration with engineering, and faster innovation to combat attacks from malicious actors.
Jacob DePriest is the Vice President and Deputy Chief Security Officer at GitHub.
Cybersecurity transparency will be hailed as a strength
While organizations are improving how they detect and defend against cyberattacks, they must also evolve the way they communicate about them. We saw a significant number of breach disclosures last year, and this year will be no different. However, we'll see more organizations lean further into transparency as a means to strengthen trust around their business.
More security leaders will focus on building an environment in which the security team is an empowered, trusted partner to the business and will prioritize open, transparent communications around security incidents to build trust with both internal and external stakeholders.
Security leaders must align the success of their team to business outcomes and make it visible. This includes delivering hard news along with the good news and helping other teams and leadership understand the business impacts and opportunities.
Increased cross-industry collaboration to address supply chain security
We’ve seen greater mainstream emphasis on supply chain security, with events like SolarWinds and Log4j providing key reminders of the importance of securing critical code. The White House’s Open Source Software Security Summit was a timely gathering of government and private sector stakeholders to discuss improving the security of open source software, and it’s clear that there must be a collective industry and community effort to secure the software supply chain.
This year will bring even greater collaboration, with the public sector looking to the private sector to help inform policy. We'll see more organizations and working groups like the OpenSSF focused on shared security goals, and more direct partnerships between companies. Supply chain attacks do not discriminate by role, corporate boundary, or even national line, so defending against them will require unprecedented collaboration.
At its core, supply chain security is about how the world builds software. To drive true impact, these efforts will need to operate in support of the developers who design, build, and maintain the open source projects we all depend on.
Internal security programs become a market differentiator
Security programs have traditionally focused exclusively on internal collaboration and communication, even at companies that build and sell security products. Consumer and B2B awareness of the importance of good cybersecurity practices will continue to rise in 2023. As a result, we'll not only see more CSOs speaking publicly about their approaches to better security, we'll also see security team members sharing their best practices with partners, peers, and customers.
Compliance and certification will remain foundational indicators of security and will be combined with additional external artifacts such as blogs, research, and papers. The quality and operational excellence of internal security teams will become even more of a market differentiator for companies and will increasingly factor into brand and partnership trust.