Open-source software makes up 80% to 90% of all software. Much of that is built on deeply buried open-source components. And, far too often, your own developers have placed passwords and secrets in that code. That's not an exaggeration. According to the SANS 2019 Cloud Security Survey, "Last year 50% of all breaches were traced to misuse of credentials, which frequently are found in code." That's where the just launched BluBracket comes in.
There's a real need here. Prakash Linga, BluBracket's CEO, explained in a Linkedin post:
"A security researcher recently reported he could crack the software running a Boeing's 787 through VPN credentials and code found on a public software repository. Just through some 'clever Google queries,' he was able to deconstruct the plane's networking system through the code."
In a press release about BluBracket's launch, Linga continued:
"Just as we've seen hackers exploit tools like email, they are now exploiting code and code sharing tools like GitHub. For many companies their intellectual property is now encased within code, not documents. Until now there hasn't been a tool to secure code that doesn't interfere with developers' productivity."
The result is, as Linga pointed out, CIOs, CTOs, and CISOs often can't answer such simple questions as where is their code, who has access to it, and where did it come from?
In short, the modern software supply chain's security is broken. As The Linux Foundation's Core Infrastructure Initiative (CII) recently noted in its latest study, many vital open-source programs still live in individual developer accounts. "Of the top 10 most-used software packages in our analysis, the CII team found that seven were hosted under individual developer accounts." Scary isn't it?
With BluBracket's products and services, you can:
- Discover and classify code. Companies can run a BluPrint of their Git environments to understand where their code is and who has access to it. They can also classify their most critical code for a detailed chain of custody information for any compliance or audit needs.
- Detect and monitor your risks. BluBracket can detect secrets in code, misconfigurations, and other risks and ensure that no sensitive passwords or tokens are being misappropriated, mishandled, or misused.
- Protect valuable code. All the visibility, alerting, and remediation needed to take action and protect code investment from both insider and outsider code theft or unauthorized publishing to open source.
- Enforce security policies. BluBracket bridges the gap between your security, development, and DevOps teams by making security policies actionable and enforceable in your CI/CD pipeline.
The point of all this is so you can still get the speed of DevOps and using such code management and sharing sites as GitHub and Stack Overflow while using open source and still protect your code. Source code is just too valuable an asset to leave exposed, with security and engineering teams having no insight into where your code has been cloned, exposed, or stolen.
"Open-source code and tools have taken over the software development lifecycle," said Jim Zemlin, the Linux Foundation executive director and BluBracket board member in a statement. "We've seen tremendous innovation driven by these changes, but we've also seen traditional models and tools struggle to keep up with the pace set by developers and DevOps. Code security that respects developers' productivity is a critical need for companies who see software as the foundation of their competitive advantage."
The bottom line is the software supply chain has grown ever faster and ever more open, but code security simply hasn't kept up. If you want to see if BluBracket can help you keep your development speed up while adding in some fundamental security, you can check out a live demo of the BluBracket programs. In today's "blink twice and there's a new security hole," it will be worth your time.