Observability can help identify where software with newly found vulnerabilities is used based on how it performs and interacts within a larger system.
One of the greatest security challenges today is simply knowing whether an algorithm or library with known vulnerabilities is being used at all. Modern application development techniques frequently reuse components, and low-code/no-code tooling makes that reuse easier, which spreads any vulnerability in a shared component further throughout an organization. These issues make software supply chain security a top priority for businesses today.
The biggest problem, as has been rediscovered over and over again in the last year, is that companies may not know whether their applications use the vulnerable versions or where that software is deployed.
This is particularly the case with open-source software and components, many of which have been widely used for many years. Some industry experts estimate that 80% to 90% of typical applications contain open-source components. Developers routinely create applications that use open source for the OS, media player, programming language (e.g., Python), analytics engines, databases, and more.
Security complexity increases
The security implications of reliance on open source were highlighted in a report by the Laboratory for Innovation Science at Harvard and The Linux Foundation. The report noted the need for an “understanding and addressing of the security complexities in the modern-day software supply chain where open source is pervasive, but not always understood.” It noted that it is difficult to fully understand the security of open-source software because “by design, it is distributed in nature, so there is no central authority to ensure quality and maintenance,” and it can be freely copied and modified.
A Working Knowledge article from the Harvard Business School detailed some of the findings of the study. It noted that one of the main security issues relates to legacy code: outdated legacy code often remains in production even though improved code has been introduced, which can happen when the newer code has not yet overtaken its predecessor in terms of sheer usage. “Without this awareness,” the report reads, “and especially without processes and procedures in place to address the risks created by legacy [open-source software], organizations open themselves up to the possibility of hard-to-detect issues within their software bases.”
The White House steps in
This month, President Biden issued an executive order aimed at improving the nation’s cybersecurity. One element of the order focused on enhancing software supply chain security. Specifically, the executive order noted:
The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely and as intended. The security and integrity of “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.
Members of the open-source community, including the Linux Foundation and the Open Source Security Foundation (OpenSSF), joined the press conference and noted their efforts in this area that complement the goals of the order.
Software supply chain security impact on business
As the government and these organizations take aim at the software supply chain, businesses still need help assessing the security impact when they use software components and libraries. This is where observability comes in.
Observability can help identify where software with newly found vulnerabilities is used based on how it performs and interacts within a larger system. Hunting for malicious activity benefits greatly from visibility into web, application, and network traffic, and proactive monitoring is key to immediately identifying and understanding what is happening so that its impact can be stopped and isolated. Such capabilities are core functionality in many observability platforms, which is why observability is needed to help identify where software with known vulnerabilities is being used. Such insights can help minimize any potential impact the software may have until the component is updated.
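As an added example (not code from the article or from any organization it mentions), the following Python script shows the kind of cross-reference an observability pipeline can perform to answer the question raised above: which hosts and services are actually running a component version that falls inside a known-vulnerable range. It parses constructed telemetry lines in which each running service reports the library versions it loaded, and matches them against a placeholder advisory table. All hosts, service names, component names (examplelib, otherlib), versions and ranges are made up for illustration; a real deployment would read the same fields from the observability platform's log or metrics store and the ranges from a vulnerability feed.

```python
"""Cross-reference component versions seen in runtime telemetry against
known-vulnerable version ranges to locate exposed hosts and services.

Everything below (hosts, services, component names, versions, ranges) is
constructed sample data; the advisory table is a placeholder, not real CVE data.
"""
import re

# Constructed sample: one startup log line per loaded component, in the
# key=value style many services emit to their observability pipeline.
SAMPLE_TELEMETRY = """\
2021-05-14T10:01:02Z host=web-01 service=checkout component=examplelib version=2.3.1
2021-05-14T10:01:05Z host=web-02 service=checkout component=examplelib version=2.4.0
2021-05-14T10:02:11Z host=api-07 service=orders component=examplelib version=1.9.7
2021-05-14T10:02:15Z host=api-07 service=orders component=otherlib version=0.8.2
2021-05-14T10:03:40Z host=batch-03 service=reports component=examplelib version=2.3.1-rc1
2021-05-14T10:04:00Z host=web-01 service=checkout component=otherlib version=1.0.0
2021-05-14T10:04:01Z host=web-01 service=checkout component=otherlib version=1.0.0
"""

# Placeholder advisory table: component -> list of half-open ranges
# (first vulnerable version, first fixed version). Not real advisory data.
VULNERABLE_RANGES = {
    "examplelib": [("2.0.0", "2.3.2"), ("1.0.0", "1.9.8")],
    "otherlib": [("0.0.0", "0.9.0")],
}

LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+service=(?P<service>\S+)\s+"
    r"component=(?P<component>\S+)\s+version=(?P<version>\S+)"
)


def parse_version(text):
    """Turn '2.3.1' or '2.3.1-rc1' into a tuple that compares correctly.

    Numeric parts compare numerically and are padded to three parts, and a
    pre-release suffix sorts before the bare release (2.3.1-rc1 < 2.3.1),
    matching the SemVer ordering rule. Pre-release labels themselves are
    compared as plain strings, which is a deliberate simplification.
    """
    core, _, pre = text.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    while len(nums) < 3:
        nums += (0,)
    # A final release gets a 1 marker; a pre-release gets 0 plus its label.
    return nums + ((0, pre) if pre else (1,))


def is_vulnerable(component, version, ranges=VULNERABLE_RANGES):
    """True if the version falls in any [low, high) range for the component."""
    v = parse_version(version)
    return any(
        parse_version(low) <= v < parse_version(high)
        for low, high in ranges.get(component, [])
    )


def find_exposed(telemetry_text, ranges=VULNERABLE_RANGES):
    """Return sorted, de-duplicated (component, version, host, service)
    tuples for every vulnerable component observed in the telemetry.
    Lines that do not carry the expected fields are ignored."""
    hits = set()
    for line in telemetry_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        if is_vulnerable(f["component"], f["version"], ranges):
            hits.add((f["component"], f["version"], f["host"], f["service"]))
    return sorted(hits)


def hosts_needing_update(hits):
    """Collapse the findings into the set of hosts that need a component update."""
    return sorted({host for _, _, host, _ in hits})


if __name__ == "__main__":
    exposed = find_exposed(SAMPLE_TELEMETRY)
    for component, version, host, service in exposed:
        print(f"{host:10} {service:10} {component}@{version} is in a vulnerable range")
    print("hosts to patch:", ", ".join(hosts_needing_update(exposed)))
```

On the constructed sample this reports four exposed (component, version, host, service) combinations across three hosts; the duplicated web-01 line is collapsed, the pre-release 2.3.1-rc1 is correctly placed inside the vulnerable range, and otherlib 1.0.0 and examplelib 2.4.0 are recognized as already fixed. The same structure works for an SBOM rather than live telemetry, but the point of the article is that telemetry tells you where the component is actually running, not merely where it was declared.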