I take a bike ride every morning, it’s a nice way to think about topics of the day. I’ve been wondering lately why software supply chain security has exploded in popularity in the last year or so. Nothing happens by accident, so there must be some series of events we can point at that has led to everyone suddenly making this a priority. Software supply chain security is not new, I’ve been doing it since about 2002 when I was helping track and coordinate security vulnerabilities in Linux distributions. We didn’t call it a supply chain back then, and nobody really paid attention to it. So what changed between then and now?
All this supply chain interest reminds me of how open source exploded in the early 2000s. Much has been written on why open source won, I won’t rehash it here, but keep it in mind as we think about the software supply chain. I think there are parallels and probably some lessons. The most important parallel is how much collaboration we are seeing around supply chain security. Open source won because everyone worked together. Supply chain security will happen because everyone works together. If you try to do this alone, you will fail.
There are three buckets I think can help explain the importance of the software supply chain. I’m calling these buckets tools, ideas, and events.
Let’s start with Events. If you ask anyone in IT about supply chain attacks in the past ten years, they can probably name more than one. Almost everyone will name Heartbleed first. Heartbleed happened back in 2014, so why did it take until 2021 for supply chain to become a topic everyone is paying attention to? Since Heartbleed there have been quite a few similar problem, from Stuxnet, NotPetya, and even SUNBURST as examples. None of those seem to have created any real disruption. It’s possible they just weren’t big enough to capture attention, but my suspicion is they didn’t affect open source. In every one of those instances you had a vendor to blame. But then there was Log4Shell. Log4Shell will probably be the one we look back on as when it all changed. Everyone knows about Log4Shell, it was a pretty big deal. And there was nobody to blame except ourselves.
I think Log4Shell itself wasn’t the event, the real event was everyone understanding just how much open source they had. Log4j was everywhere, and while looking for it we also noticed all the other open source in use. It was an eye opening moment for a lot of people. Open source won a long time, but it wasn’t until Log4Shell that it was declared the winner. Now that we know open source is everywhere, what are we going to do about it?
In the past, the first step would have been to declare “no more open source!” But in 2022, that’s not even realistic as a joke. There’s no way we can stop using open source. So we had to find another way. This supply chain thing seems like the place to start.
The next step is ideas. Once you know a problem exists, you can start to try solving it. For example the Software Bill Of Materials, or SBOM, is not new. There have been many people working on this idea for at least a decade now. But it’s likely you didn’t hear about SBOM until very recently. In the past a large group of people understood this was important and began working on the details of how SBOM should work. But for a long time it was really just an idea. A good idea, but still an idea. The Log4Shell made us all take notice.
If we didn’t have SBOM in the state it is today, how would we be cataloging the open source in use? It would probably a lot of bespoke solutions, nothing would work together, and there would be no clear path to the future. Software supply chain security would probably be a fragmented disaster with everyone trying to do something different. SBOM is really the idea we needed to rally behind for supply chain security to explode in popularity. Thank goodness others had the foresight to create our current SBOM formats.
Just because an idea is good, that doesn’t mean it will be a success. We need the right series of events to bubble an idea to the surface, then we need the right tools to make it happen. Tools can be software or they can be file formats. Maybe even compliance standards. There’s never just one way to solve a problem. An old saying exists that captures this nicely is “ideas are cheap, execution is everything.” How do we execute on the idea of software supply chain security? Why with the tooling of course!
Long ago all the software supply chain work was done by hand. In text files. Probably checked into CVS. There were no standards. Everything was just made up as we went along. I wish that was a joke. Linux distributions like Debian and Red Hat have been using open source to build larger projects for more than twenty years now. Every Linux distribution has been issuing security advisories since the beginning. This was rudimentary software supply chain management and it succeeded in spite of the tools, not because of the tools.
We are now at a place where we have the will, we have the ideas, and we have the tools to start making supply chain security reality. I think without all three we wouldn’t see the sort of progress we see today. But progress comes with its own set of challenges.
It’s always amusing when a new industry starts to emerge. There will be many people complaining about how useless all the new knowledge and technology is because it’s not perfect. This was just like the early days of open source, there were a lot of naysayers. Some are trying to sell you something, some don’t like change, and some just like to complain. Regardless of the reason, there’s no stopping this one. Software supply chain security is coming like a speeding truck.
A lot of the tools aren’t amazing, but are getting better, and fast. A lot of the ideas need to be expanding, and there are groups of people working on everything. The SBOM formats are still incomplete, but they are getting better every day. The tooling has plenty of gaps, but it continues to get better. Progress isn’t a destination, it’s a journey. And in the supply chain world, there are A LOT of people on this journey.
There is a lack of perfection, but there isn’t a lack of progress.
You should keep in mind that we are the very beginning of this new supply chain journey. It’s not the end of the beginning, we’re at the beginning of the beginning. There is enormous opportunity for those who want to contribute. Everything from corporations, open source projects, non profit foundations, and even the government is helping drive change. It’s an amazing community of collaboration, very much in the way open source functions.
Software supply chain security isn’t coming, it’s here today. Go help make it better!
Or complain, I guess.