Rot in your foundation

Written by: Wouter Knigge

I like to think there are some interesting similarities between software development and the construction industry. Both have adopted the use of pre-fabrication. Commercial buildings are now put together using pre-molded concrete to shorten the time to market. Similarly, developers build applications using frameworks for almost anything from database models to full-fledged front-ends to accelerate delivery. 

Today, modern applications contain and rely upon tens of thousands of open source and proprietary libraries, which offer a fast road to functional software. Great! But as with everything you outsource: check and verify. Make sure that you are building upon a solid foundation.

You can’t build a great building on a weak foundation.

I was reminded of the importance of this last weekend while working on my kitchen. An “easy” two-day project: moving our current kitchen island to a new location for future renovation and upgrades. The thought of this being a simple project was quickly dispelled once I had disassembled the kitchen counter.

Previously fixed bathroom leaks had traversed the ceiling beams, down the water pipes to the kitchen floor, and seeped into the wood under the floor. After 7 years of doing various construction jobs around the house, I am well aware of the shoddy work of the previous house owner.

Once you delve deeper, you can see the ‘quality’ of the work. 

Aside from tearing the boards off the floors and walls, there is no easy way for me to find out if and where other weak points exist. For now, I purchased a moisture meter to help me assess where the leak tracks, though this is more guesswork than a detailed analysis.

Leadership doesn’t need to rely on guesswork when it comes to software supply chains. The foundation, weak points, and dependencies can easily be analyzed, monitored, and managed. Several solutions can help organizations pull together an inventory of the open-source libraries they depend upon and list application dependencies. This empowers teams to discover affected components and share vulnerability data, improving the visibility and security of software supply chains.

An organization’s “moisture meter” is a software bill of materials that can be generated using static code analysis. Any analysis should check all your application libraries, identify known vulnerabilities, and recommend fixes. We call it Open Source Health, and it’s our experience that too many development teams ‘set and forget’ the foundational components they build upon.
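To make the "moisture meter" concrete, here is an added example (not Sigrid's Open Source Health code or any real advisory feed) of the core check an SBOM-based analysis performs: read the component list from a CycloneDX-style SBOM, match each component against a vulnerability feed, and report the version that fixes it. The SBOM, the advisory entries and their `ADV-EXAMPLE-*` IDs are constructed for illustration, and versions are assumed to be plain dotted numbers.

```python
import json

# Constructed, simplified CycloneDX-style SBOM (component list only); not a real project's SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "left-pad-ish", "version": "1.2.0", "purl": "pkg:npm/left-pad-ish@1.2.0"},
    {"name": "jsonparse-lib", "version": "2.0.3", "purl": "pkg:pypi/jsonparse-lib@2.0.3"},
    {"name": "tls-helper", "version": "0.9.1", "purl": "pkg:maven/org.example/tls-helper@0.9.1"}
  ]
}
"""

# Constructed advisory feed with placeholder IDs (not real CVEs). "affected" is an
# inclusive lower bound and an exclusive upper bound; "fixed_in" is the upgrade target.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "jsonparse-lib", "affected": ("2.0.0", "2.1.0"), "fixed_in": "2.1.0"},
    {"id": "ADV-EXAMPLE-2", "name": "tls-helper", "affected": ("0.0.0", "1.0.0"), "fixed_in": "1.0.0"},
    {"id": "ADV-EXAMPLE-3", "name": "left-pad-ish", "affected": ("0.0.0", "1.2.0"), "fixed_in": "1.2.0"},
]

def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple, e.g. '2.0.3' -> (2, 0, 3)."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, affected):
    """True when lower <= version < upper; a component already at the fixed version is clean."""
    lower, upper = affected
    return parse_version(lower) <= parse_version(version) < parse_version(upper)

def check_sbom(sbom_json, advisories):
    """Match every SBOM component against the advisory feed and return findings with the fix to apply."""
    components = json.loads(sbom_json).get("components", [])
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv["affected"]):
                findings.append({
                    "component": comp.get("purl", comp["name"]),
                    "advisory": adv["id"],
                    "installed": comp["version"],
                    "upgrade_to": adv["fixed_in"],
                })
    return findings

if __name__ == "__main__":
    for f in check_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['component']}: {f['advisory']} affects {f['installed']}, upgrade to {f['upgrade_to']}")
```

Note that `left-pad-ish` at 1.2.0 produces no finding because the exclusive upper bound treats the fixed version as clean; a feed with pre-release tags or non-numeric versions would need a fuller version parser than `parse_version`.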

Know the base you are building on. Check and verify!
