Virtualization Technology News and Information
Codenotary 2022 Predictions: Big Year of Progress Ahead for Software Supply Chain


Industry executives and experts share their predictions for 2022.  Read them in this 14th annual series exclusive.

Big Year of Progress Ahead for Software Supply Chain

By Dennis Zimmer, Co-founder and CTO, Codenotary

The SolarWinds attack in December 2020 sparked a movement to protect software - no matter where it comes from, who built it or where it is running: VM, container or bare metal. My prediction for 2022 is that we see a massive acceleration to define standards and frameworks for secure software development, software distribution and software runtime.

While the U.S. Executive Order on Improving the Nation's Cybersecurity has already shifted the market priorities in 2021 into the direction of software and software supply chain protection, 2022 will have far more focus on that.

Just two years ago, a software bill of materials (SBOM) was seen as useless and not flexible enough to keep up with the speed of software dependency changes. But today, and I expect even more so in the future, the level of automation in the software development and delivery lifecycle allows an SBOM to become a powerful part of software protection.

Therefore, standards will become important so vendors can exchange the SBOM information with other vendors or customers in a simple and well-defined way.

We will see major development efforts in the following areas:

  • Tighter integration of security advisories into decision-making automation processes;
  • Short-lived certificates and certificate-less technologies taking over the current state of code signing;
  • Software pipeline immutability and protection;
  • Strict rules and systems to limit the use of third-party dependencies;
  • Integration of bills of materials into the build tools and environments, e.g. Docker, Kubernetes;
  • Secure, versioned, and tamperproof storage of SBOMs and vulnerability scanner results;
  • ML/AI-based tools to detect unusual changes of workflows and build recipes;
  • Better visibility throughout the whole software lifecycle to know if a dependency is used in any application stack, followed by enforcement to get it removed.

By the end of 2022, enterprises will have come a long way with a plan or implementation to achieve much better transparency in their software development, distribution, and runtime.

Companies ignoring software supply chain attacks completely will have a hard time in the coming years, as the attacks are getting smarter and harder to detect. It doesn't matter if ransomware came in through your own development efforts or a third-party application; the damage is done. And the same is true for software leaking information, which can ruin a company's reputation or amount to million-dollar fines.

Therefore, I won't be surprised to see a change in how software is purchased and maintained, as buyers start to ask for proper vulnerability and compliance checking of the software, including evidence, and sooner rather than later an always up-to-date list of used dependencies and libraries (SBOM) for every release or patch.


Dennis Zimmer, co-founder and CTO of Codenotary, was previously the founder and CEO of Opvizor, a virtualization monitoring company. He has been working in the IT industry for over 20 years. Dennis has been awarded the VMware vExpert recognition (only 30 world-wide) for 11 consecutive years and has written 10 books and hundreds of articles, plus video training sessions for IT professionals.

Published Tuesday, November 23, 2021 7:29 AM by David Marshall