Cloud-Native Apps Make Software Supply Chain Security More Important Than Ever

Cloud-native deployments tend to be small, interchangeable, and easier to protect, but their software supply chains require closer attention.

Developers write code. That is how most people understand the job of a software developer. Reality, however, is more complex. While developers do write a lot of code, they almost never write all the code in the application. Where does the extra code come from? The Internet, of course.


Modern programming languages use building blocks in the form of packages to handle things like mathematics, text manipulation, and networking. This makes a lot of sense. There is no need for each programmer to write their own algorithms for basic operations. Many programming languages also support (and often encourage) modular programming, making plug-ins available to handle more complex, well-defined tasks. Over time, significant libraries of packages and modules emerged, written by the community, and shared freely on platforms like GitHub.


The primary reason that organizations leverage open source software is to speed up development. Building an application entirely from scratch is extremely rare, and so an estimated 99% of codebases contain open source components, and up to 70% of enterprise code is now based on open source. Developers are busy merging ready-made parts with custom code to achieve the desired result without reinventing the wheel. DevOps is similarly an assembly process of container base images, open source middleware, virtual machine templates, and cloud services such as storage, networking, and Kubernetes.


When all of that is accounted for, only a fraction of an organization's computing power will be running internally developed code. The rest will come from external sources. For security organizations, this introduces a universe of risks.

