Modern Software: What’s Really Inside?

As the cybersecurity industry approaches conference season, it’s incredible to see members of the community eager to share their experiences. One might argue that the call-for-speakers process offers a deep and broad snapshot of what’s on the collective minds of the entire cybersecurity ecosystem. One of the most intriguing topics of discussion observed in this year’s “RSAC 2023 Call for Submissions Trends Report” was in and around open source, which has become more ubiquitous and less siloed than previously observed. Modern software has changed, and with it comes promise and perils.

Does Anyone Write Their Own Software Anymore?

Not surprisingly, cybersecurity professionals spend a lot of time talking about software — how it’s assembled, tested, deployed, and patched. Software has a significant impact on every business, regardless of size or sector. Teams and practices have evolved as scale and complexity have increased. As a result, “Modern software is being assembled more than it’s being written,” says Jennifer Czaplewski, senior director at Target, where she leads DevSecOps and endpoint security; she is also an RSA Conference program committee member. That’s not merely an opinion. Estimates of how much software across the industry includes open source components — code that is directly targeted in attacks small and large — range from 70% to nearly 100%, creating a huge, shifting attack surface to protect, and a critical area of focus for everyone’s supply chain.

Assembly of code creates widespread dependencies — and transitive dependencies — as natural artifacts. These dependencies
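The point above, that assembling software from components pulls in dependencies the developer never chose directly, is easy to see in code. The following is an added example, not from the article or from RSA Conference: it walks a constructed package graph (all package names, versions and line counts are made up for the demo) to separate direct from transitive dependencies, measure how much of the deployable is third-party code, and trace which path brought a given component in, which is the question a defender asks first when that component is reported vulnerable.

```python
"""Transitive dependency closure over a constructed package graph.

Added illustration (not the article's code). Every package name, version
and line count below is constructed for the demo; "app" stands for the
first-party code, everything else for an open source component.
"""
from collections import deque

# name -> (version, direct dependencies, source lines shipped)
PACKAGE_GRAPH = {
    "app":             ("1.0.0",  ["web-framework", "http-client"], 4_000),
    "web-framework":   ("3.2.1",  ["template-engine", "routing", "http-parser"], 30_000),
    "http-client":     ("2.8.0",  ["url-lib", "tls-shim"], 9_000),
    "template-engine": ("4.0.0",  ["markup-safe"], 12_000),
    "routing":         ("1.1.0",  [], 3_000),
    "http-parser":     ("0.9.5",  [], 6_000),
    "url-lib":         ("1.26.0", [], 8_000),
    "tls-shim":        ("0.4.2",  ["url-lib"], 2_500),   # diamond: url-lib reached twice
    "markup-safe":     ("2.1.3",  [], 1_500),
}


def transitive_closure(graph, root):
    """Return {package: depth} for every package reachable from root (root excluded).

    Breadth-first, so the recorded depth is the shortest path from root.
    """
    seen = {}
    queue = deque((dep, 1) for dep in graph[root][1])
    while queue:
        name, depth = queue.popleft()
        if name in seen:
            continue  # already reached by a path at least as short
        seen[name] = depth
        for child in graph[name][1]:
            if child not in seen:
                queue.append((child, depth + 1))
    return seen


def direct_vs_transitive(graph, root):
    """Split the closure into what the developer declared and what came along for free."""
    closure = transitive_closure(graph, root)
    direct = sorted(n for n, d in closure.items() if d == 1)
    transitive = sorted(n for n, d in closure.items() if d > 1)
    return direct, transitive


def third_party_share(graph, root):
    """Fraction of shipped source lines that come from dependencies rather than root."""
    closure = transitive_closure(graph, root)
    dep_lines = sum(graph[n][2] for n in closure)
    return dep_lines / (dep_lines + graph[root][2])


def reverse_dependents(graph, target):
    """Packages that list `target` as a direct dependency."""
    return sorted(n for n, (_, deps, _) in graph.items() if target in deps)


def paths_to(graph, root, target, prefix=None):
    """All dependency paths from root to target (graph is assumed acyclic)."""
    path = (prefix or []) + [root]
    if root == target:
        return [path]
    found = []
    for dep in graph[root][1]:
        found.extend(paths_to(graph, dep, target, path))
    return found


if __name__ == "__main__":
    direct, transitive = direct_vs_transitive(PACKAGE_GRAPH, "app")
    print(f"direct: {direct}")
    print(f"transitive: {transitive}")
    print(f"third-party share of shipped lines: {third_party_share(PACKAGE_GRAPH, 'app'):.1%}")
    # Triage view: if url-lib were reported vulnerable, where did it come from?
    for p in paths_to(PACKAGE_GRAPH, "app", "url-lib"):
        print(" -> ".join(p))
```

Two of the eight shipped components were chosen by the developer; the other six arrived through the graph, and `url-lib` is reachable by two paths, so pinning or replacing one parent does not remove it. Real resolvers (lock files, SBOM generators) produce exactly this kind of graph, and the same closure and reverse-lookup logic is what turns a component advisory into a list of affected builds.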
