TRENDING:

Events , RSA Conference , RSA Conference Videos

The Vulnerable State of the Software Supply Chain

Brian Fox on the Progress Being Made With Software Supply Chain Management in 2023 Anna Delaney (annamadeline) • April 27, 2023    
Brian Fox, co-founder and CTO, Sonatype

The state of the software supply chain in 2023 continues to be "unacceptable," said Brian Fox, co-founder and CTO at Sonatype. Sounding alarm bells, Fox cited a Sonatype report that said organizations are using known vulnerable components in their applications 96% of the time and known Log4j vulnerabilities nearly 30% of the time.

Although the statistics are worrisome, some progress has been made within the open-source software ecosystem since the Log4j vulnerabilities were detected in 2021, Fox said. Regulations and policies by governments, including the national cybersecurity strategy in the United States and the European Union's Cyber Resiliency Act, have increased awareness and momentum - albeit slowly.

"Imagine if an auto manufacturer today was putting known flawed airbags into a new model of your car. That's what we're doing in software," Fox said. "Most organizations don't have a good understanding of the dependencies that they have in their entire stack. They lack the visibility. If the software industry would start making better choices and understanding where the parts are in their applications, these behaviors would start to change and we'd start to see meaningful difference."

In this video interview with Information Security Media Group at RSA Conference 2023, Fox also discusses:

  • The state of the software supply chain;
  • Gaps that need to be filled to arrive at the stage of mature software supply chain;
  • SBOMs and how they are driving the conversation.

Fox has open-source experience as a member of the Apache Software Foundation and former chair of the Apache Maven project. He has over 20 years of experience leading the development of software for organizations, ranging from startups to large enterprises.

Previous
Selecting the Right MDR Strategy
Next
SOC: Build vs. Buy - When Is It Right?

About the Author

Anna Delaney

Anna Delaney

Director, ISMG Productions

An experienced broadcast journalist, Delaney conducts interviews with senior cybersecurity leaders around the world. Previously, she was editor-in-chief of the website for The European Information Security Summit, or TEISS. Earlier, she worked at Levant TV and Resonance FM and served as a researcher at the BBC and ITV in their documentary and factual TV departments.



Around the Network

Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.