SE Radio 606: Charlie Jones on Third-Party Software Supply Chain Risks
Charlie Jones, Director of Product Management at ReversingLabs and subject matter expert in supply chain security, joins host Priyanka Raghavan to discuss tackling third-party software risks. They begin by defining different types of third-party software risks and then take a deep dive into case studies where third-party components and software have had cascading effects on downstream systems. They consider some frameworks for secure software development that can be used to evaluate third-party software and components – both as a publisher or as a consumer – and end by discussing laws and regulations with final advice from Charlie on how enterprises can tackle third-party software risks. Brought to you by IEEE Computer Society and IEEE Software magazine. This episode is sponsored by WorkOS.
Transcript
Transcript brought to you by IEEE Software magazine and IEEE Computer Society. This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number.
Priyanka Raghavan 00:01:02 Hi, this is Priyanka Raghavan for Software Engineering Radio. And today I have with me Charlie Jones, Director of Product Management at ReversingLabs and a subject matter expert in supply chain security. He was formerly a consultant at PwC and has about 10 years of experience delivering strategic transformation initiatives, specializing in cybersecurity, third-party risk management, and IT audit programs for various companies, across all the lines of difference. Today we are here to discuss the topic, Tackling Third-Party Software Risks, and as you all have listened to the couple of episodes that we’ve done on software supply chain risks, I think this is going to be a very exciting show. So welcome to the show, Charlie.
Charlie Jones 00:01:48 Thank you very much for having me. I’m excited to dive into third-party risk today.
Priyanka Raghavan 00:01:52 Okay, great. Is there anything else that you would like all our listeners to know about you that I haven’t mentioned?
Charlie Jones 00:01:58 No, I think you did a great intro. That was perfect.
Priyanka Raghavan 00:02:01 Okay, perfect. So let’s jump right in. But first thing first, I thought I’ll ask you for some definitions. So what are third-party software risks? Are they commercial off-the-shelf components or open-source components? Can you please define that for us?
Charlie Jones 00:02:19 Yeah, I think that’s a really good foundation to start with, and I think the simplest way to understand this is by first defining and understanding software ownership. So I’d like to break that down into three distinct categories: first, second, and third-party components. So first-party components are any part or module of software which you custom develop in-house as an organization; it’s often referred to as proprietary software. The second party is also considered internally developed, but maybe it comes from a different part of the business which is legally separate. So part of your business that operates in a different country or region of the world, or part of your business that is owned by or operated as a wholly owned subsidiary. And then you have third-party components, and that’s anything that’s truly external to your business. So maybe that’s software developed by an open-source maintainer as you mentioned, or maybe some type of other third-party contractor or vendor.
Charlie Jones 00:03:14 Now Commercial Off-the-Shelf Software, sometimes you’ll hear people refer to it as this acronym COTS, is software that can be made up of any combination of those types of components from a second or third party. But the distinction that makes COTS unique is that it’s made available for purchase through some type of public marketplace, which is why it’s referred to as commercial, but also that it’s ready for use without any intensive manual modification or coding, which is where the term off-the-shelf comes from. So essentially, it’s software that anyone can buy and use almost immediately without any major customization.
Priyanka Raghavan 00:03:51 That’s great. In fact, I think I learned something new today. I didn’t realize that even the components that we use from another subsidiary could also be considered as external, but that does make sense. So thank you for that. Now the next question I have is, do you have any numbers for us for what percentage of an enterprise inventory is made up of third-party components?
Charlie Jones 00:04:14 This is a tough question, and I think you’ll start to see my consulting background emerge here in this answer. But ultimately it depends, and I say that because it depends on the strategic direction of the business that is publishing or operating this software. I’ve worked with a number of companies who have formally adopted this kind of build-first mentality, in which they believe they have the technical resources and know-how internally where they can develop their own software that’s tuned to their very specific business requirements, and they truly believe that their own development will actually drive a competitive advantage in the market. I’ve also worked with organizations who have adopted a buy-first mentality, and that essentially means that they have a desire to get their product or service to market as quickly as possible. And so they’ve strategically decided upfront: we’re going to buy whatever software our business needs to accomplish that market presence faster.
[...]