Maintain an inventory of components
The most important open-source management practice that organizations should have is an inventory of which open-source components are used, and where, Mackey said. That s particularly important because of the way many organizations obtain their open-source components, Korren said. Very few organizations use open source directly from GitHub. A lot of them are getting a copy of the project and putting it into an internal code repository. Tsvi Korren
Teams need to go into their internal code repositories and understand whether something was written from scratch or their developers incorporated an open-source project, Korren added.
Mackey advised that when taking inventory, teams should reach beyond open-source software.
What are Supply Chain Attacks, and How to Guard Against Them The three basic categories of supply chain attacks, why they’re especially devastating, and what can be done to guard against them.
Remediation of the fallout from the massive breach of SolarWinds network management tools – which affected up to 18,000 organizations – could cost companies billions.
In the breach, the attackers were able to compromise the update process of a widely used piece of SolarWinds software. In cybersecurity circles, this is referred to as a supply chain attack – an especially devastating variety of cyber aggression. By compromising just one vendor, attackers may get access to all the vendor’s customers.