Automating security for DevOps means continuous analysis of open source software dependencies, vulnerabilities, and ecosystem dynamics. But the data is confounding: a flurry of reported vulnerabilities or a stretch of infrequent commits could each be a good sign or a bad one, depending on a project’s scope and lifecycle. JC Herz illuminates nonintuitive insights from the software supply chain, as well as tools and areas for further investigation.
Ion Channel analyzes software ecosystem data to risk-rate code for continuous integration and delivery. But even well-defined data become slippery and ambivalent in this analytical domain. Each software ecosystem (Java, Python, NPM, Ruby, Go, etc.) is a little bit different, and each presents a unique challenge to the development of a unified model of risk from transitive dependencies and technical debt.
Vulnerability data seems straightforward, but diagnosis doesn’t always correlate with disease. It can actually be a sign of health. If a project has a lot of reported vulnerabilities, that could mean that it has been subject to a thorough review and is therefore low risk. To analogize to healthcare, people who get regular checkups have a lot more identified risk factors than people who don’t know they’re sick or people so healthy they never see a doctor. What security customers want to know is: where are unreported and uncorrected vulnerabilities lurking in my infrastructure? This is a wicked, high-dimensional problem because the data is both ambiguous and ambivalent.
Software supply chain analysis is a perfect case study in why conventional expertise and data science are best combined. Machine learning alone isn’t great at identifying risk when context varies and context matters. Old-school analog domain knowledge is massively useful—global logistics experts have a lot to teach us—but doesn’t account for the volatility and labor-market dynamics of open source communities and the ephemeral nature of the product.
It’s incredibly difficult, counterintuitive, confounding, and interesting.
JC Herz is cofounder and COO at Ion Channel, a data and microservices platform that automates situational awareness and enables risk management of the software supply chain. She has 15 years of analytics experience in healthcare and national security. JC was a White House special consultant to the Pentagon’s CIO office and coauthored the DoD’s open technology development roadmap. A published author, she has been contributing to Wired magazine since 1993.
©2017, O'Reilly Media, Inc.