With the continued need for risk and vulnerability reduction in software development to create trustworthy products, companies must look to SCSS to meet modern business demands.
Marc Bernal, Encora Full Stack Software Developer, Ankit Agarwal, Head of IT Infrastructure and Governance, and Andre Scandaroli, Software Development Manager, are some of the expert engineers who presented their unique perspective and thought leadership on the top 10 technology trends shaping the next generation of technology. They spoke to us about Software Supply Chain Security, a game-changing trend that will help organizations meet the pace and quality demanded of software solutions of today and tomorrow.
What is Software Supply Chain Security (SSCS) and what is it used for?
SSCS is all the processes related to the act of making software secure. Not only in its development stage, but also with the infrastructure, deployment, and its use.
When we talk about the creation of software and its life cycle, there are different models, but these usually do not include how to deal with software security in their process. This is one of the main reasons why we must implement SSCS in our processes, this ensures that we are minimizing the risk of vulnerabilities.
Risk identification, assessment, mitigation, monitoring and control are the main characteristics of SSCS.
Why do you think Software Supply Chain Security is a trend that will shape business in 2023?
As malicious attacks are on the rise, and Open-Source products are increasingly being used by private companies. Organizations will have to start implementing SSCS if they want to be competitive, secure and trusted by their clients.
Why did Encora select it as a rising trend in 2023?
Encora is always at the forefront of important trends. In the coming months and years, SCSS will be essential to have a good security infrastructure.
What makes Software Supply Chain Security different from traditional enterprise application development?
While traditional application development focuses a lot on the process and lines of code, SSCS goes beyond that by incorporating the build, packaging and infrastructure stages. In the traditional approach, the security aspects are basically focused on protecting the APIs, and any interaction between the user and the application. SSCS goes further by including how commits are treated in our repository, the versions we are going to build and the dependencies we are using.
Can you speak about your experience with Software Supply Chain Security? (Do not mention client names, please)
Standards and frameworks aiming to better define and structure SSCS are recent and still maturing. So far, aspects of SSCS can be observed across projects with our clients. Some clients are more thorough with covering lots of aspects, and some have less coverage.
In one project I managed, the client had a reasonable SSCS process, covering centralized 3rd party dependencies management, centralized infrastructure security management and robust access control management. We have a project with another client aiming specifically at implementing SSCS practices in their value stream. There we were able to perform an assessment and identify key areas to improve, which were then leveraged by the client to produce and prioritize the implementation backlog.
In your experience, where do clients currently stand on the topic? (Do not mention client names, please)
Clients with consolidated products and user bases tend to be more aware of the necessity of implementing SSCS compared to start-up clients, or clients with products with smaller user bases. This is not a rule, in that it is not unusual to see start-ups very concerned and prioritizing SSCS, and consolidated clients not putting the proper amount of attention into SSCS.
All-in-all, pretty much all clients seem to be aware of the issue, especially due to the increase in attacks and vulnerabilities in the past few years. But in general, a great chunk of the clients seems to have a lot of room to improve in the area.
How can Encora help clients through the evolution?
We aim to raise awareness and therefore preparedness for organizations and their software engineering teams through the evolution of the implementation of the SSCS. Our engineering team of Innovation Leaders can assist companies on starting this journey.
How will Software Supply Chain Security impact software & digital product engineering?
SSCS calls for a governance system to make software systems, their production lifecycles, and supply chains more transparent. To make this governance system effective a framework adoption is required which would call for new processes and practices embedded in the software development practices.
How are organizations benefiting from Software Supply Chain Security today? Can we get some real-world examples?
Sonatype's 8th Annual State of the Software Supply Chain¹ report identified that “This year's findings indicate that improving practices tied to securing the software supply chain minimizes security and licensing risk. Moreover, these enhanced practices demonstrate an association with greater job satisfaction. Thus, improving the integrity of the software supply chain can potentially play a role in retaining talent.”
Reduced security and licensing risks are a direct expectation of improving SSCS practices, but there are indirect benefits such as employee satisfaction that are being observed.
As an illustration, in one of our client's projects in Brazil, implementing an automated SBOM generation combined with an SCA tool allowed the client to quickly identify relevant vulnerabilities in third-party dependencies that would not have been so quick without that.
Who exactly stands to benefit from Software Supply Chain Security the most?
There are two beneficiaries: the end user and the company that develops the product. The users are guaranteed that the product they are using has been designed using good security practices and that it is certified to the highest standards against attacks and vulnerabilities.
The company, because the implementation of any security framework in its SSCS guarantees that in the future it will not have so many problems to fix, avoiding having to continue spending money and resources on fixing vulnerabilities.
How does Software Supply Chain Security fit into larger IT initiatives? and business initiatives?
SSCS is still growing, and organizations are trying to embed the framework in development practices. This has become a key initiative for business and in turn a key security risk for IT to address.
What does Software Supply Chain Security mean for privacy? For compliance?
Data privacy and related regulations compliance is not directly related to SSCS, even though the software product and service itself must be compliant. SSCS focuses more on security with regards to vulnerabilities in malicious attacks, and some attacks can lead to data privacy breaches. So, the meaning SSCS has for privacy, and privacy compliance, is that it ensures that risks of malicious attacks that can potentially expose private data are mitigated.
Conclusion
We sincerely thank Marc Bernal, Encora’s Full Stack Software Developer, Ankit Agarwal, Head of IT Infrastructure and Governance, and Andre Scandaroli, Software Development Manager. The focus of this piece, Software Supply Chain Security, is one of ten technology trends featured in Encora’s 2023 Technology Trends eBook. You can read the eBook in its entirety by visiting Encora’s 2023 Technology Trends.
"While SSCS is already an important factor this year, it will be even more so in the coming years. As malicious attacks are on the rise, and open-source products are increasingly being used by private companies, they will have to start implementing SSCS if they want to be competitive, secure and trusted by users."
Marc Bernal, Full Stack Software Developer
References
1. Sonatype. 8th Annual State of SCSS. https://www.sonatype.com/state-of-the-software-supply-chain/introduction
About Encora
Encora is a digital engineering services company specializing in next-generation software and digital product development. Fast-Growing Tech organizations trust Encora to lead the full Product Development Lifecycle because of our expertise in translating our clients’ strategic innovation roadmap into differentiated capabilities and accelerated bottom-line impacts.
Please let us know if you would ever like to have a conversation with a client partner and/or one of our Innovation Leaders about accelerating next-generation product engineering within your organization.