What a year it’s been! I feel like 2021 went by like a … it’s still January???
So it’s pretty much impossible to ignore any of the events of the last month. I want to talk about something that’s near and dear to my heart, and in the news, not for a good reason: software supply chains. This is probably a dreadful topic to most, but I love software supply chains. I was talking about them before anyone was even thinking about them. I’m not going to pull a “get off my lawn” here; I think it’s cool everyone is starting to care. I want to talk about how to be realistic about your supply chain. Almost all the advice I’ve seen over the last month has been terrible, so I’m going to also give some terrible advice.
I will start with my usual response to the worst suggestion that comes up every time supply chain discussions happen: you cannot remove all the open source from your supply chain. Even suggesting this would be comparable to making your organization build a coal power plant to go off grid for power. Anyone who suggests this should not be taken seriously.
Now that we have that out of the way, let’s talk about a software supply chain. I wrote a lovely (at least I think it’s lovely) piece about this during Secadvent for DevSecCon. Just go read it; I’m not going to rehash the details here.
Security Fractals and the Open Source Supply Chain
I would like to congratulate you on now understanding more about the open source supply chain than the vast majority of people giving comments to the media about this topic.
I’ve had a lot of discussions around supply chain over the last few weeks, and there was something bothering me about it all that I couldn’t quite put my finger on. When I figured it out I sat down to write this, because I think it’s worth sharing. I realized: you cannot manage your supply chain.
I think in the industry we call that “clickbait”. I made it the title of the post in hopes you would end up here; be sure to like and subscribe and leave a 7 star review! But really, the thing is, there are very few companies that can actually manage an open source supply chain. If you have a very small footprint you probably can, but most of us don’t have small footprints. Even a trivial app will have thousands of dependencies. Assuming you could even find the talent to do this work, would you want to hire an army of people just to track your dependencies? What about hiring an army of people to create build infrastructure?
It’s not going to happen. Logistically you aren’t going to manage your supply chain. If you try to do it properly, it will cost so much your company won’t be able to grow. Hiring a developer will make your product better. Hiring a supply chain team will … have no noticeable effect.
I have no doubt there are some people screaming into their safety pillow right now. It’s OK, you fell into my trap! I’m not really suggesting you do nothing. Well, I sort of am. I’m really suggesting YOU don’t manage your supply chain. Find someone else to do it. If I wanted to explain how to manage a software supply chain it could fill a very long, very boring book. It’s a huge, complex problem with a low return on investment.
As a security person I don’t shut up about risk. Risk this and risk that, risk risk risk. I don’t have many friends for some reason. Your supply chain is really just a collection of risks. What part of it are you most worried about? The open source you use? The build system? The distribution of artifacts to customers? Maybe you worry about your developers. There are entire companies that exist focused on whatever part of your supply chain you think is the biggest risk. And they’re better at what they do than you will ever be.
If I were a very important expert giving advice to a reputable news outlet, right now I would be giving a list of things you should go do RIGHT NOW to make your supply chain more better. I’m telling you not to. Figure out what you care about, then find a way to work with someone who cares about solving that boring problem.
For example, if you care most about your build infrastructure, GitHub has the ability to manage all your CI/CD. If you’re worried about your dependencies, there are companies like Tidelift, Snyk, or JFrog. You need developer security training? Go look at Security Journey. There are hundreds of companies you can work with to solve these problems. Find someone to work with. You don’t generate your own electricity, and you don’t run your own Internet. There’s a reason you don’t do those things. The whole point of having a supply chain is that you have someone else supply what you need.