Software Supply Chain Security and a Decoupled Architecture (feat. Tracy Ragan)

Tracy Ragan discusses software supply chain management and the importance of generating and consuming Software Bills of Materials (SBOMs) in decoupled architectures. She explains the challenges of tracking libraries and dependencies across microservices and why per-service SBOMs need to be aggregated into one view. Tracy emphasizes the importance of rapid response to vulnerabilities and the value of SBOM data in driving that response. She also covers which industries currently require SBOMs and the role SBOMs play in analyzing and securing both open source and commercial software.

Tracy introduces DeployHub as a DevSecOps evidence store that helps teams gain confidence in their use and consumption of open source software and enables rapid response to vulnerabilities.

Takeaways

  • Software supply chain management involves generating and consuming SBOMs to track libraries and dependencies in decoupled architectures.
  • In decoupled architectures, it is important to generate SBOMs for each microservice and aggregate them to understand the overall software supply chain.
  • SBOMs should be generated for every build and provide visibility into the vulnerabilities and dependencies of each component.
  • The quality of SBOMs is determined by their ability to facilitate rapid response to vulnerabilities and enable collaboration among teams.
  • While SBOMs are not currently required in all industries, their importance is increasing, especially in sectors like government and fintech.
  • Understanding the impact of a vulnerability is crucial for effective response and prioritization.
  • Rapid response to vulnerabilities is essential to minimize the potential impact on production environments.
  • Centralized data and information are necessary for effective vulnerability management.
  • Fixing vulnerabilities in open source software can be challenging due to the lack of accountability and maintenance.
  • Controlling open source consumption and managing the software supply chain are complex tasks.
  • DeployHub provides a DevSecOps evidence store that helps teams gain confidence in the use of open source software and enables rapid response to vulnerabilities.
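The two takeaways about aggregating per-microservice SBOMs and using them for rapid response can be made concrete with a small script. This is an added example written for this page; it is not code from the podcast, from Tracy Ragan, or from DeployHub. It assumes SBOMs in CycloneDX JSON shape (the real `bomFormat`, `metadata.component` and `components[].purl` fields), three hand-written SBOMs for hypothetical services (`orders-svc`, `billing-svc`, `search-svc`), and a constructed advisory feed whose IDs (`ADV-EXAMPLE-0001`, `ADV-EXAMPLE-0002`) are placeholders, not real CVEs. Version comparison is a deliberately simple numeric tuple compare; real ecosystems (Maven qualifiers, semver pre-releases, Debian epochs) need a proper version matcher.

```python
import json
from collections import defaultdict

# Constructed sample SBOMs, one per microservice, in CycloneDX JSON shape.
# Hand-written for this example; not the output of any real build.
SERVICE_SBOMS = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "orders-svc", "version": "2.3.1"}},
        "components": [
            {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "billing-svc", "version": "1.9.0"}},
        "components": [
            {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
            {"type": "library", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "search-svc", "version": "0.8.2"}},
        "components": [
            {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "purl": "pkg:npm/lodash@4.17.21"},
        ],
    }),
]

# Constructed advisory feed. The IDs are hypothetical placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core", "fixed_in": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002",
     "purl_prefix": "pkg:npm/lodash", "fixed_in": "4.17.21"},
]


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (prefix without version, version)."""
    prefix, _, version = purl.partition("@")
    return prefix, version


def version_key(version):
    """Numeric tuple for dotted versions so '2.9.0' < '2.14.1'; non-numeric pieces sort low.
    Simplification for the example: not a full ecosystem-aware version comparison."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else -1)
    return tuple(parts)


def load_sbom(text):
    """Return (service_name, service_version, [(purl_prefix, version), ...]) from CycloneDX JSON."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    svc = doc["metadata"]["component"]
    deps = [parse_purl(c["purl"]) for c in doc.get("components", []) if "purl" in c]
    return svc["name"], svc["version"], deps


def aggregate(sbom_texts):
    """Aggregated SBOM view: package prefix -> {version -> set of services shipping it}."""
    agg = defaultdict(lambda: defaultdict(set))
    for text in sbom_texts:
        name, _, deps = load_sbom(text)
        for prefix, version in deps:
            agg[prefix][version].add(name)
    return agg


def impacted_services(agg, advisory):
    """Services shipping a version older than advisory['fixed_in'] of the named package."""
    fixed = version_key(advisory["fixed_in"])
    hits = []
    for version, services in agg.get(advisory["purl_prefix"], {}).items():
        if version_key(version) < fixed:
            hits.extend((svc, version) for svc in sorted(services))
    return sorted(hits)


def triage(sbom_texts, advisories):
    """advisory id -> list of (service, vulnerable version); an empty list means no exposure."""
    agg = aggregate(sbom_texts)
    return {a["id"]: impacted_services(agg, a) for a in advisories}


if __name__ == "__main__":
    for adv_id, hits in triage(SERVICE_SBOMS, ADVISORIES).items():
        print(adv_id, "->", hits or "no service affected")
```

The point of the aggregated view is that the question "which of our services ship the vulnerable version?" is answered from stored build evidence rather than by re-scanning every repository, which is what makes the response rapid. In this sample the first advisory maps to two services on the old log4j-core version while billing-svc is already past the fix, and the lodash advisory maps to nothing because search-svc is on the fixed release.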

Chapters

00:00 Introduction to Software Supply Chain Management

03:22 Understanding Architecture in the Context of SBOMs

06:12 Configuration Management in Monolithic Applications

07:39 Challenges of Decoupled Architecture in Microservices

09:20 The Need for SBOMs in Decoupled Architectures

11:15 Generating Aggregated SBOMs for Microservices

13:24 Generating SBOMs for Each Microservice

15:23 Generating SBOMs for Every Build

17:15 Managing Libraries and Dependencies in Decoupled Architectures

19:31 The Importance of Consuming SBOM Data

22:30 Generating SBOMs with Tools

24:28 The Format and Consumption of SBOMs

27:55 The Importance of Consuming and Analyzing SBOM Data

29:43 Requirements and Industries for SBOMs

33:29 SBOMs for Open Source and Commercial Software

36:01 The Role of SBOMs in Rapidly Responding to Vulnerabilities

39:05 The Value of SBOMs in Rapid Response Systems

43:13 Defining the Quality of SBOMs

44:06 Understanding the Impact of Vulnerabilities

46:03 The Importance of Rapid Response

48:35 The Need for Centralized Data and Information

50:27 Challenges in Fixing Vulnerabilities

52:14 The Accountability of Open Source Software

53:41 The Difficulty of Controlling Open Source Consumption

55:16 Introduction to DeployHub

57:43 Managing the Software Supply Chain

Tracy Ragan's Links:

Episodes (416)

(Part 1/2) Repo-level project management using GitHub Projects

(Part 1/2) A little bit about GitHub Projects. #snowpal #projectmanagement Keep it simple. Keep it on https://snowpal.com.

21 Jul 2022, 10 min

(Part 2/2) GitHub Codespaces: What is it, and how can we use it?

(Part 2/2) A little bit about GitHub Codespaces. #snowpal #projectmanagement Keep it simple. Keep it on https://snowpal.com.

21 Jul 2022, 18 min

(Part 1/2) GitHub Codespaces: What is it, and how can we use it?

(Part 1/2) A little bit about GitHub Codespaces. #snowpal #projectmanagement Keep it simple. Keep it on https://snowpal.com.

21 Jul 2022, 10 min

Implement menus: How hard can it possibly be?

Say someone asked you to implement a "tiny" feature on an iPhone Mail App.

Here's the (first part of the) requirement as Business provided it (to the dev team):

  • User can swipe right to left and when they do, 2 menu options should appear.
  • When you click on one of them, it should allow you to forward the email and when you click the other, it should archive it.

Sounds simple enough? It should be simple till you get to the "the devil is in the detail" part. So, before I implement it, here are some questions I would have as a developer:

  • Can the user only swipe from right to left, or can they do vice-versa? And if they did that, what should happen?
  • If the user starts swiping but doesn't complete the action till they dragged it all the way to the very left, what should happen?
  • If the user swiped & performed an action but realized they were on the wrong item so wanted to undo, will they be able to do it? And if so, how?
  • Can they perform bulk actions? If so, is that a mutually exclusive action agnostic to the individual swipe?
  • After they swipe on one of the emails, say if they swiped on another. Will the subsequent action need to reset the state so the first one is now un-swiped?
  • Do we need to support multiple email accounts where each of them is rendered as a separate category? And if we did that, what should happen when a user swipes on one of the emails in each of those sections? Will that result in a reset of all states (of all other sections)?
  • And there's a few more I can think of off the top of my head but you get the idea.

So, now, let me ask again: How simple is the design and implementation now? Did you have a change of heart and will you need to adjust your story points?

"How hard can it possibly be?" :)

#snowpal #projectmanagement Keep it simple. Keep it on https://snowpal.com. And just so that you can keep it simple, we do everything in our capacity to remove all the complexities.

Rome was not built in a day as they say, and Snowpal 2.0 certainly wasn't either. We have built it brick by brick for your pleasure. Or, should I say, "swipe by swipe"? :)

21 Jul 2022, 7 min

(Part 3/3) Thinking about building a new App? Not sure how to go about it?

(Part 3/3) If you are thinking about building your first App (or a second one, or an Nth one), Congratulations! If you are overwhelmed and a bit unsure, that's completely normal. I share a few tips here that will hopefully help you get started if you are new to this! #projectmanagement #snowpal Build your first App! Manage it on https://snowpal.com.

30 Jun 2022, 6 min

(Part 2/3) Thinking about building a new App? Not sure how to go about it?

(Part 2/3) If you are thinking about building your first App (or a second one, or an Nth one), Congratulations! If you are overwhelmed and a bit unsure, that's completely normal. I share a few tips here that will hopefully help you get started if you are new to this! #projectmanagement #snowpal Build your first App! Manage it on https://snowpal.com.

30 Jun 2022, 7 min

(Part 1/3) Thinking about building a new App? Not sure how to go about it?

(Part 1/3) If you are thinking about building your first App (or a second one, or an Nth one), Congratulations! If you are overwhelmed and a bit unsure, that's completely normal. I share a few tips here that will hopefully help you get started if you are new to this! #projectmanagement #snowpal Build your first App! Manage it on https://snowpal.com.

30 Jun 2022, 7 min

(Part 2/2) Design Strategies: Mobile First vs API First vs Web First (vs Database First!)

(Part 2/2) What is a Mobile First Strategy? How different is it from an API First Strategy? Are there other alternatives? What's the best way to go? #projectmanagement #snowpal Mobile First, or API First? Plan it on https://snowpal.com.

30 Jun 2022, 5 min