Development is happening more quickly than ever before, and Department of Defense stakeholders want more automation in software development and acquisitions.
Recent strategic initiatives from the White House to the DoD Chief Information Officer are driving increased development velocity and more use of open-source software components – which also face additional scrutiny with adjustments to foundational security frameworks. While this will clearly help warfighters keep pace in a complex, ever-changing environment, new security issues continue to emerge and adversaries have adjusted their tactics. How can these components be used safely and securely while continuing to reduce time to field?
DoD Development Modernization Challenges
A Status Quo Engineered for Failure
The status quo of defense-centric software development and acquisition is a critical national security risk. Software is evolving more quickly than ever before, and new initiatives are attempting to accelerate development processes, while relying on fundamentally untrusted software. While recent regulatory changes (including Software Bill of Materials mandates) have started shifting things in a new direction, significant gaps still exist.
The last year has seen a 400% increase in software supply chain-borne attacks, and a study by GitHub showed that over 80% of open-source contributions came from outside of the United States. These conditions contribute to an environment that is fundamentally hostile to DoD interests, while strategic directives and initiatives push more open-source reliance and faster development cycles.
Challenges with Existing Processes: A Need for Innovation
The DoD is leveraging untrusted software in the development of mission-critical applications, and with new emerging initiatives to streamline the Authority to Operate (ATO) process, they face competing interests: should they accept more risk, or continue to accept a lengthy time to field, even as adversaries continue to deliver and iterate at rapid pace?
While current efforts to establish a “Continuous ATO” (cATO) have made great progress on this front, clear capability gaps still remain:
- Reliance on Manual Efforts is a major issue. A continued push to do more with less means that time to field will continue to diminish, or stakeholders will simply accept more risk.
- Stakeholders Lack Insight into the risks they are accepting.
- Automated Controls Simply Don’t Exist for managing against problems proactively.
Defense programs need to incorporate a more scalable approach to managing software development-related issues to ensure quick delivery and safe utilization of software supply chain-related issues.
Components of a Robust Approach
Automated Analysis of Components
Automated Governance Controls
Addressing Challenges with Phylum
Phylum secures the software supply chain at the speed of modern development. We automatically analyze the entire open-source ecosystem – all day, every day.
The open-source ecosystem is large, sprawling, and rapidly evolving. The entire world relies on it to to deliver safe, smart software. Additionally, its contributions and evolution are essentially crowdsourced: private citizens, companies, and governments around the globe contribute to its development. It has allowed technology to evolve rapidly and helped amazing capabilities to be brought to life; now, it is now under attack.
Phylum was founded by U.S. Intelligence Community veterans to proactively defend against attacks from the emerging threat landscape and empower users to leverage open-source challenges with confidence – enabling automated management of open-source components in mission-critical systems.
The Results Speak for Themselves
Since early 2020, Phylum has built integrations with a wide array of open-source ecosystems, including the Node Package Manager (NPM), Maven Central, PyPI, RubyGems, and NuGet, which host all of the software packages underpinning mission-critical applications and infrastructure both across the DoD and around the globe.
In the last 90 days, Phylum has scanned over 1,000,000 packages, around 250,000,000 files, and proactively identified over 1,000 pieces of novel malware within minutes of publication. This represents one of a host of dimensions Phylum’s analysis covers:
- Authors – Including location and past behavior, such as known malware proliferation.
- Malware - Phylum performs automated, proactive analysis across the open-source ecosystem to identify malicious behavior before it infiltrates customer environments.
- Engineering – Phylum provides health information about packages under consideration, including how well maintained they are, and can proactively identify engineering practices dangerous which may result in supply chain compromises.
- Vulnerabilities – We provide insight into vulnerabilities in packages beyond simple database matching.
- Licenses – Phylum surfaces information about the legal compliance requirements included in software packages in the dependency chain.
These insights are drawn from continuous analysis and monitoring spanning a variety of data sources, both public and proprietary.
Additionally, Phylum provides security professionals, engineering managers, and business leaders with powerful tools to establish robust policies to manage supply chain risks before they evolve into problems.
Who is Using Phylum?
Phylum is currently engaged with a number of Air Force end users, including the 90th Cyber Operations Squadron, and Air Force Lifecycle Management Center (AFLCMC) organizations, including the Trusted Systems & Networks group, a Supply Chain Risk Management center of excellence.
Phylum’s commercial sector users include some of the world’s largest financial services institutions, as well leaders in both the defense industrial base and technology platform companies.