How Do We Protect the Software Supply Chain?

DETROIT — Modern software projects’ emphasis on agility and building community has caused a lot of security best practices, developed in the early days of the Linux kernel, to fall by the wayside, according to Aeva Black, an open source veteran of 25 years. “And now we're playing catch up,“ said Black, an open source hacker in Microsoft Azure’s Office of the CTO “A lot of less than ideal practices have taken root in the past five years. We're trying to help educate everybody now.” Chris Short, senior developer advocate with Amazon Web Services (AWS), challenged the notion of “shifting left” and giving developers greater responsibility for security. “If security is everybody's job, it's nobody's job,” said Short, founder of the DevOps-ish newsletter. “We've gone through this evolution: just develop secure code, and you'll be fine,” he said. “There's no such thing as secure code. There are errors in the underlying languages sometimes …. There's no such thing as secure software. So you have to mitigate and then be ready to defend against coming vulnerabilities.” Black and Short talked about the state of the software supply chain’s security in an On the Road episode of The New Stack Makers podcast. Their conversation with Heather Joslyn, features editor of TNS, was recorded at KubeCon + CloudNativeCon North America here in the Motor City. This podcast episode was sponsored by AWS.