“We know adversaries are going after the software supply chain with increasing frequency, right? Sophisticated attacks. We’ve got to get much smarter as a community on what it means to secure software.” That includes tracking and vetting components, including open-source software packages that might be riddled with vulnerabilities, or susceptible to being back-doored by foreign cyber-spies posing as open-source coding volunteers.
It is vitally important that we adopt methods to identify, procure and use only trustworthy software products. One easily achievable way to start this process of restoring trustworthiness in software products is to adopt and implement CISA's Secure Software Acquisition Guide best practices for "Secure by Design" and follow the lead of NASA and GSA in identifying and procuring trustworthy products.
Prudent observations on the need for trust in the digital world are provided in a report from the World Economic Forum in 2021:
A functioning society is built on trust. Whether we’re drinking water from a faucet, riding an elevator or sending an e-mail, we’re trusting that somebody, somewhere, has taken the necessary steps to make sure that activity is safe. Trust is both a glue and a lubricant, holding society together and allowing its many parts to move smoothly. If trust can’t be made suitable for the digital age, the digital age won’t function.
World Economic Forum Davos 2021
Remember, risk always exists, but trust does not always exist.
Never trust software, always verify and report! ™
Always get the trust score before buying, installing or using a software product.