Two individuals working on various components of 'supply chain' software.
I wrote the piece below for the AFCEA Cyber Edge Writing Contest, Feb 2022. It was exciting to write something very free-flowing without having to worry about links, references, and all the typical academic citations. So, with that mention out of the way, I hope you enjoy reading my opinion piece as much as I enjoyed writing it. – Bill
Can We Trust Supply Chains Regarding Software?
This just in, hot off the press! Have you had trouble sleeping at night, tossing and turning while thoughts of the software supply chain impacting your business operations run through your head? If you have, we’ve got the scoop for you! Many businesses ingest software, from complete applications to small library frameworks, which is incorporated into application development and then rolled out as a release for many end-users to consume and use. But one question remains: Are these safe to use, or should you roll your own libraries? To better understand the question, we must first agree on what precisely a supply chain is and why it matters. A supply chain, in the software sense only, is an ecosystem of open-source program code that you can essentially use for free, depending on the license, and that rapidly speeds up your development by not re-inventing the wheel. The dark side is that a malicious developer could inject malware into the codebase. It would impact all users who update to the latest release and continue to use the library, unaware of the monster lurking in the dark.
Efficiency or Overhead
As previously mentioned, supply chains are great at speeding up development when you can take a trusted package and implement it into your application. However, you must explicitly trust the developer in order to rely on the ingested software libraries or frameworks. You gain efficiency when you’re not re-inventing the wheel and are using well-established third-party libraries. While this is great, you rarely know when or where the monster lurking in the dark might strike, and to mitigate this type of supply chain attack you would instead incur the overhead of developing the needed library on your own. That often leads to more costs within your project due to the additional work requirements, and last I checked, nobody was working for free.
Even if cost were not an obstacle, do you want to keep re-developing libraries that have already been created and trusted by over 300,000 other developers? What about when you see prominent company names listed as consumers of the open-source product? Does it build your trust? It may, but it should also have you asking yourself: How do they mitigate risks when using these systems? Also, can I compete with the budgetary requirements to reduce risk, or do I just pay out the damages when a breach occurs? That leads us into the realm of mitigation and how it helps reduce the risk of utilizing supply chains!
You trust the developer, but what happens when they decide to part from the library’s development and a new developer comes in and takes over? Do they continue to have the same level of trust? If you answered anything other than no, you might want to reflect on the question. Many supply chain attacks have occurred with the transfer of ownership to a new third party who maintains the library. Many companies utilize pinning of library versions or application versions to help mitigate this attack vector, which, as described above, takes the form of a new release being downloaded and consumed within applications. Other approaches involve cloning complete copies of the required packages and verifying updates before moving the main codebase to the latest version.
The realm of mitigation can be never-ending, and that’s why we suggest researching the specific supply chain you’ll potentially be consuming to deliver your product. Use real-time data to formulate a data-driven approach to understanding what decisions you need to make and how to make them. As an example, do you use a third-party library within your application? What happens if there are significant flaws and you are forced to find a new package? Have you selected a backup library that can maintain a sound security posture while giving you the flexibility to find a better library or create a custom one? What if your business sells used cars? What happens when microchip supplies deplete and it’s difficult to place orders, or they’re back-ordered for months on end? These are some of the complexities faced when dealing with the supply chains you rely on for your business to operate.
All is working well; you’ve maintained your library versions and have pinned everything down with required inspections before promoting upgrades into your main codebase. Unfortunately, a new monster has reared its ugly head, and it likes to be called the unknown wrench. For example, Covid-19 was quite the unexpected wrench tossed into the works and has continued to cause supply chain issues since early 2020! Nearly two years on, Covid-19 has impacted various aspects of life and, most importantly, has shown how unforgiving supply chain operations can be. Just-in-time shipments were affected by a large portion of the workforce responsible for transporting goods being out of work sick with the virus. Developers impacted by Covid-19 were not patching security vulnerabilities discovered in libraries, and the list could go on and on. The crucial focal point here is: No matter how much you plan, there will be unexpected events that take the whole industry by surprise, and it’s how we react to address these weaknesses that matters the most. Disruptions will occur, and they need to be treated as supply chain weaknesses that must be mitigated. To read more about how Covid-19 impacted supply chains around the world, and about supply chain sustainability, look at https://sscs.mit.edu.
Software Only? Not so fast!
Supply chains are not just software-related, as there are many different chains that people rely on for supplies. Covid-19 was a great showcase of how various supply chains were impacted and how they continue to be impacted. Everyone is affected globally, producers and consumers alike. The same is true for the software developers who consume software libraries from repository managers like NPM – Node Package Manager. Anyone within the community downloading and importing these libraries would be equally impacted by malicious code being introduced into the supply chain. What happens if a farm changes ownership and the new owner isn’t up to par with quality standards? Lettuce is shipped out with potential contaminants, which in turn impacts all the consumers of the lettuce, with the immediate impact of a recall and various knock-on effects on the supply chain. Also, would this be called an amplified supply chain attack, since you’re now doubling your efforts to perform the recall? Remember that supply chains aren’t limited to software or software libraries only. The whole internet is a supply chain, from all the Internet Service Providers to the consumers and everyone responsible for services in between.
Risk vs. Cost
Strange events will happen, and what matters is how your business reacts to them. Supply chains are great and can serve a healthy purpose within your operations; however, it is worth keeping the associated costs minimal. So, factor in cost aspects related to, but not limited to, transportation costs, procurement costs, production costs, quality costs, inventory costs, and upkeep costs. Utilizing supply chains in software development is quite different from taking risks on lower-quality parts from various manufacturers with lower quality standards. Those lower-quality parts failed much faster than genuine parts, resulting in over two dozen crashes that killed multiple people and led to comprehensive industry safety regulation updates. This is a result of supply chain services having issues at various levels, and as a consumer, you may not even be aware of it.
Understanding Supply Chains
It’s nearly impossible to fully understand every supply chain or the intricate details within the various chains. The current supply chain weaknesses impacting the global community are quite possibly here to stay, for good or for a long time. From training and education to filling positions previously held by skilled workers, it will take time. The best way to understand supply chains is to let your business strategy work for you and dictate the supply chain requirements.
Logistics at Amazon have resiliency built in, and they can transport and move their goods while the traditional supply chain is breaking down because the workforce cannot keep up with demand. So, is the future of supply chains shifting to having large companies handle their own supply chains? Possibly, but in the realm of software development, it’s not that easy. Nothing drives innovation faster than having problems that are bleeding your bottom line dry.
Trust or Not to Trust Supply Chains
After understanding a few of the many complexities of utilizing supply chains and what risks can surface for your business operations, the benefits of rapid deployment of applications, products, and services still outweigh the negatives. If your business has something critical to its successful operation and outcomes, then you want redundancies in place, achieved by adequately planning contingencies for when disasters strike. Even with unknown wrenches tossed into the works, it is still possible to plan enough to adapt to changes and have a resilient architecture in place to keep the business operating smoothly.
Hearing that used parts for mechanical repairs are distributed in a supply chain that services major airlines with replacement parts for maintenance operations probably made your hair stand straight up. But it serves as a critical reminder that no matter what supply chain your business operates within, you need to do your research and understand all the risks presented by the various vendors you’ll be doing business with. With more data-driven analysis, it’s possible to build statistics on vendors with quality feedback vs. vendors lacking positive feedback on the quality of the services offered. So trust needs to be built rather than immediately given.
Nothing has changed in my initial opinion even now, a few months after I wrote this piece. I never explicitly trust Supply Chains, and I always find open-source applications to scan libraries for vulnerabilities and have backups in place for when there are issues within a supply chain. I recommend you do the same, and a great way to scan for library issues in software-related supply chains is using Snyk! You can find them at snyk.io, and they even have a free tier!