
It may take decade to shore up software supply chain security, says infosec CEO

Sure, we're waking to the risk, but we gotta get outta bed, warns Endor Labs founder Varun Badhwar

Interview The more cybersecurity news you read, the more often you seem to see a familiar phrase: software supply chain (SSC) vulnerabilities. Varun Badhwar, founder and CEO at security firm Endor Labs, doesn't believe that's a coincidence.

"The numbers are going to go from 80 to 90 percent to maybe 95, 98, 99 percent of your code in an enterprise environment would be written from basically untrusted, unvetted sources," Badhwar, referring to the proliferation of open-source software packages, told us. "The software supply chain is going to be the next frontier of cybersecurity and cybersecurity attacks." 

Getting around those sorts of problems is going to require good documentation, Badhwar told us, which he said includes reliable software bills of materials (SBOMs) and better vetting of open-source libraries. You can watch the full video below.

[Embedded YouTube video: full interview with Varun Badhwar]

Badhwar, whose company sells SSC management automation products, naturally believes automation is the answer to better software supply chain management, but even so he told us that good software alone isn't the whole solution.

"Malicious code does not pop up as a CVE or a known vulnerability in your vulnerability database," Badhwar added. So, what's an enterprise to do? "You need to go back and retool your entire organization looking at the top risks around open source," Badhwar advises.

But if you think that's all it takes to protect ourselves from software supply chain exploits, think again: we're nowhere near a stable SSC yet.

"In baseball analogy, we're probably in the first or second innings of this, and we still have a long way to go," Badhwar told us. It could be as long as a decade for us to get this whole mess under control.

You can watch our full interview above. ®
