It's not a supply chain, dummy!
Hello friends! Hope your weekend plans did not go to shit because of some open source library you have no clue if it's being used in your environment or not because, well, let's face it: nobody fucking knows these things. Nobody has time for this. YoloOps is alive and well, boys!
Here's the thing that you will absolutely see written everywhere by some dumbass sycophant: "We need to secure the software supply chain!" Sure thing, bro. One problem, though: in order for a supply chain to be a supply chain, the chain must be comprised of suppliers. The masochist hero maintaining that library you just npm install without even thinking about it is not your fucking supplier. Suppliers, generally speaking, get paid. And I shit you not: I've heard of instances where the maintainer of some F/OSS library was asked to fucking fill out a goddamned third-party risk assessment questionnaire by some actual organization. My dudes... What?
I don't want to rehash the whole conversation around the ridiculous nature of this arrangement because it is simple: a lot of these folks work for free, get very little support, and are obviously ripe for nation-state shenanigans. Entities that want to compromise software at this level are not lacking the time or the budget, and we can categorically state that the same is not true for the people working to keep the plumbing from collapsing. The amount of abuse these folks endure every day from the people they are serving is astounding. The entitlement is real, and I honestly envy the self-control these folks have because I would've blown everything to shit years ago.
And that's another thing: you can demand shit from your supplier. You can tell your supplier to deliver the things you're paying them to deliver. You don't get to do that to the poor sap maintaining the piece of software that holds your whole fucking business together like duct tape. What you should do is support that poor sap in any way, shape, or form you can. But you're a business, right? Unlike the poor sap, you don't do charity. So you just chug along, exploiting the work of anyone who crosses your path. But when shit hits the fan, you don't even know how to deal with it because you're a lazy piece of shit CISO who's preoccupied with sounding smart on LinkedIn and calls fancy autocomplete "GenAI."
You don't know how to deal with it because you don't care. And you don't care because good, sensible, effective, foundational cybersecurity doesn't get you that big budget. It doesn't get you that extra headcount. It doesn't take you to a nice vacation in San Francisco RSA where you can tell your equally demented peers about your plans to replace everyone with bots.
But guess what? The bots are just as stupid as the junk you feed them. Let them bots loose, and watch what happens. I know everyone's heard some variation of this "It's not what it does, but what it does it to, and what it does it for" spiel, and, hopefully, everyone knows by now what the Luddites were all about.
So, big tech, medium tech, small tech, and non-tech are all keen on taking without giving back. You will obviously find the oddball company here and there that will employ F/OSS developers and pay them to maintain the popular things. There are companies that donate money to F/OSS foundations, collectives, projects, and whatnot. Companies that earnestly want to give back, and companies that will embrace commercially viable F/OSS projects, throw some money at it, and change the license so it's not really F/OSS anymore. But that's for the big stuff. No one is going to look at things like xz.
I'm sure someone's done the math on how much money is generated by companies that are pretty much built on F/OSS and what percentage of that money goes back to the people maintaining said software. My back-of-the-napkin calculation yields the following result: not fucking enough. So, no. You don't get to call it supply chain.