In a recent interview, GitLab's CISO, Francis Ofungwu, spoke about the evolution of workplace security, open-source software supply chain management, and the need for a holistic view of security solutions.
Francis pointed out that organisations are still in the early stages of resolving the challenge of remote working, but they are even less sure how to manage the open-source software supply chain, including making sure the software they release has the trustworthiness required to keep the lights on.
He emphasised that the battle around open-source software is just beginning, and it is hard to know exactly where the issues are because of the nested dependencies and connections within the software we use today.
Francis suggested that the value of an SBOM (Software Bill of Materials) lies in demonstrating exactly what the recipe, or the components, of your software is when the next vulnerable library is detected.
This will help reduce the time to resolution for supply chain incidents, which is currently rising because of a lack of full visibility into the components of the software and their nested dependencies.
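As an added illustration (not from the interview or from GitLab), this is the lookup an SBOM makes possible: given a CycloneDX-style bill of materials, list every dependency chain that pulls in a newly reported library version, including the nested ones. The SBOM here is constructed; the CycloneDX field names used (`metadata.component`, `components`, `dependencies` with `ref`/`dependsOn`, `bom-ref`) are the real ones.

```python
"""Find which dependency chains of a release pull in library X version Y, from a
CycloneDX-style SBOM.  Constructed example: a hand-written subset of CycloneDX JSON."""
from collections import defaultdict
# Constructed SBOM: the application reaches log-lib twice, once directly and once
# through a nested dependency (web-framework -> http-client -> log-lib).
SBOM = {
    "metadata": {"component": {"type": "application", "name": "shop-api",
                               "version": "2.3.0", "bom-ref": "app@2.3.0"}},
    "components": [
        {"type": "library", "name": "web-framework", "version": "5.1.0", "bom-ref": "web-framework@5.1.0"},
        {"type": "library", "name": "http-client", "version": "1.8.2", "bom-ref": "http-client@1.8.2"},
        {"type": "library", "name": "log-lib", "version": "2.14.1", "bom-ref": "log-lib@2.14.1"},
        {"type": "library", "name": "json-lib", "version": "3.0.0", "bom-ref": "json-lib@3.0.0"},
    ],
    "dependencies": [
        {"ref": "app@2.3.0", "dependsOn": ["web-framework@5.1.0", "log-lib@2.14.1"]},
        {"ref": "web-framework@5.1.0", "dependsOn": ["http-client@1.8.2", "json-lib@3.0.0"]},
        {"ref": "http-client@1.8.2", "dependsOn": ["log-lib@2.14.1"]},
    ],
}

def component_refs(sbom, name, version=None):
    """bom-refs of every component with this name (and this version, if given)."""
    return {c["bom-ref"] for c in sbom.get("components", [])
            if c["name"] == name and (version is None or c["version"] == version)}

def dependency_paths(sbom, name, version=None):
    """Every chain from the application root to the named component, root first.
    An empty result means the component is not in this release at all."""
    targets = component_refs(sbom, name, version)
    graph = defaultdict(list)
    for dep in sbom.get("dependencies", []):
        graph[dep["ref"]].extend(dep.get("dependsOn", []))
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node in targets:
            paths.append(path)
            return
        for child in graph[node]:
            if child not in path:  # ignore cycles in a malformed SBOM
                walk(child, path + [child])

    walk(root, [root])
    return paths
if __name__ == "__main__":
    for chain in dependency_paths(SBOM, "log-lib", "2.14.1"):
        print(" -> ".join(chain))
```

Running it prints both chains that reach `log-lib@2.14.1`, the direct one and the one hidden behind `http-client`; the same query against a version the release does not ship returns an empty list.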
Finally, Francis emphasised the need for CISOs and security teams to enable the front lines of users, developers, and engineers to manage some risks proactively and efficiently themselves, escalating only what they cannot manage to the security team.
This is what scale looks like, and it is crucial to the well-being of security personnel who are tasked with managing the tangled mess of software dependencies and components.