Chain of Confidence: Ensuring Trustworthiness in Software Supply Chains

Yeah, it's not supply chains. 'cause you told me to do software supply chains, so here it is. So I'm gonna talk to you a little bit about trustworthy supply chains, hopefully. Okay, so there's the agenda that hasn't been filled in. When we talk about trust, it's not just about technical trust. Many years ago, back in the 1990s, bill Gates decided that his software IE windows and everything else was too buggy and too prone to crashing, which was true as anyone that used Microsoft in the 1990s will attest that it was quite often would just die. And he realized of course, that this isn't actually very good for business even though he dominated the, the software market even then. So he sent out an email to all 55,000 employees of Microsoft telling them that they need to up their game and as a company we need to produce better software.
And that's what happened. And gradually, Microsoft's Windows operating systems and various office software did get better and it had the effect of improving market share. I think they went out like 20% or something. And at the same time, Lou Gerstner, who was another kind of famous CEO in it had did the, the great IBM turnaround did the same thing. I say it wasn't more on on consumer software, it was on mainframes and things. But he realized the same thing that IBM had a problem. So the same thing happened. They improved the product, they improved the actual software and improved the business. So what I, what I'm saying here is a bit like yesterday that it isn't just about technical vulnerabilities, it's about what happens or what the consequences are. And if you can't trust your software, then your customers can't trust it either. And when trust breaks down, then people walk away.
When trust breaks down in, in a relationship, then that's usually the end of the relationship. When trust breaks down between countries, then we usually get war. So it's not great. So it's not just, as I said, a technical thing, it's also about the business. So if we get more into what we're talking about right now, coming up to date, the, the thing about Microsoft was that that was mostly business to consumer or business to business Software sold off the shelf. Today we're in a very, very different world. The software supply chain isn't just what you buy from vendors, it's increasingly what you develop in-house or what third parties develop in-house on your behalf. And it's very, very hard now to keep track of what's happening in your supply chain. And this, this picture, which I found I thought was actually a, a brilliant illustration of what happens because you are there as like, I dunno what the, the guy with the telescope looking, you know, to try and see what's happening, whatever that person is.
So right up close then he's got, you know, he can keep a fairly good or she can keep a fairly good idea on, you know, some system stuff going on and contract developers which are pretty close by. But as you go further and further into the mix, then this is actually an illustration of open source projects. Okay? So that's just one example. But as you go further and further back, it gets darker and darker, you know, opacity between what you can see and what's happening. And you could actually just keep expanding that chart and just gets bigger and bigger because the software supply chain now it's very hard to actually really say where it ends. So that's the, the challenge that we have. And the other challenge is every cybersecurity presentation will have a statistic, okay? Because it backs up what you're saying. So this is mine and this is from a company called Sona Type who actually do security for software. So they obviously have a vested interest. However, I do think that the 742% increased figure that they've published here is probably about right. I dunno. But talk to anyone and they'll say that there is a problem because attackers are looking to the software supply chain to find vulnerabilities. And here are some of the, the problems or the risk areas where trust is likely to break down in your chain. And these are just some of the things that, that you might face.
I don't go wanna go through them all, but malicious updates is one that has been significantly or has been in the news because of software supply chain has been attacked, has been inter intercepted by attackers. And instead of putting the right update that should go into the software that is given to your customers, they put a malicious one which then allows them to exploit in your customers, which, which is the worst thing that can happen. The other one I wanna point out is it's not just about technical choices. It's not just about whether you produce good code or not. It's also a compliance issue. And this is becoming even more of an issue. I mean, over the, the last couple of days people have been talking a lot about the various bits of like my colleague Marina was talking about this morning, A-G-D-P-R, et cetera.
And one of those things is the Cyber Resilience Act, which I think, I'm not sure, but I think it was likely to go through next year for the eu, obviously not the UK 'cause we're not in it. So what that states in this article 11, which is just one little bit of it, but if you, anyone in EU ha discovers a vulnerability in their software must declare it or make it public within 24 hours, which is even more stringent than GDPR, which I think is like 72 hours when you have to tell the world that you've been breached and this this is actually puts even more pressure on you because this isn't just did you find a breach? This means that if there is any, any kind of vulnerability anywhere in the software supply chain that you use, then you are actually obliged to tell people about it.
And of course it's, it's very controversial because there's two sides to the idea. One, some people say like, well it's okay to reveal a vulnerability because your customers should know. On the other hand, the people will say, well, well if we, if we reveal that, then we're gonna tell. All the hackers will know about it as well, which makes, they'll more like to attack. So this particular aspect of the the act is, is proving controversial and I'm sure you'll be hearing more about it as time goes on. And another good statistic, this is my second good statistic, is that there are apparently now 445 open source components on average in commercial software. Not, not just the stuff that's not commercial actually the stuff you're buying. So you don't really know what you're buying even though it's off the shelf, et cetera. So a lot going on.
So what can you do about it? Well these are some nice glib things that I like to tell people that they could do and it will solve all their problems. Like so automate where possible triage your vulnerabilities. So if you, not all vulnerabilities are equal, not all vulnerabilities are gonna like bring the house down or cause absolute Armageddon and you can ask for hot patching. Okay? So that's all very nice. But it's, there's, there's other things that can happen. And these are the, when we start talking about now the software supply chain and the software that can help with the software, supply chain security, these are some of the features that you might want to start thinking about and some of the things that you can do to improve software security. And again, the one that's probably, probably the one that you should think about most is not on this chart because this is an old chart, but nevermind.
So what I wanted to say is about this, the software bill of materials is what I was supposed to be on that last chart. A software bill of materials is something that is coming in the future. And I think it's one of the key areas of proving that your software is, is okay in, in United States now if you work for the government, any federal agency, they will demand that you can prove where your software came from. That's what software bill of materials means. And if you can't do that, then you can't work for the government. And what I'm predicting is that software bill of materials is likely to become a mainstream thing at the moment. It's kind of done in, in internally in house, et cetera. But I believe that one of the growth areas within all this is, is we'll be automated SBOM also the thing that goes with it, which is to do the pre software bill of materials.
So also I, I see that not only will software security become mainstream, but other parts of the kind of infrastructure, sorry, the, the, the ecosystem of identity management and cybersecurity will focus even more on DevOps and the cloud and helping developers who offer all of the ones that are creating this code help them to find the, the bugs in their software more quickly. And I think that is that while that is an identity and access issue is because at the moment we, we talk a lot about Kim, et cetera, and one of the reasons why Kim has emerged is because people want to make a, a better control of what's, who's doing what in the cloud. And that has largely been driven by the challenges of what developers are doing in the cloud because developers tend to work to their own rules, okay? So they tend to put secrets in the cloud, they tend to put little bits of code in the cloud.
So all that needs to be managed and I think that we'll see a coming together of software security and access management. Plus the final thing is for a long time now there's been a kind of subculture of, they're called security researchers. They are like white ha white hat hackers or people that, that look for bugs and they generally, you know, they look for a, what they call a bounty and stuff. And I think that will become more acceptable. I think they'll become more a consultancy thing. I think some of these firms will start to offer their services on a more commercial basis. And that's it. I I have to say that actually half the slides are missing from this. So I dunno what happened there. So that's why I finished with five minutes to spare. Yeah, well.