Software Should Come with a “Nutrition” Label

0
35

By Tae Jin “TJ” Kang, CEO, Insignary, Inc.

During the latter half of the 18th Century and throughout the 19th Century, the Industrial Revolution fundamentally changed the geographical, political and commercial landscape in Europe and the United States. Citizens that had previously lived in predominantly agrarian, rural societies found themselves in living in urban and industrial ones.

This industrial and decidedly technological shift in the Western economies meant that people became focused on creating, building and selling more specialized products and services. While businesses produced a seemingly endless variety of higher quality products, the sheer amount of choice engendered consumer confusion and some fraud.

By the start of the 20th Century, consumers were often lied to in advertisements and the composition of the food and medicine they were consuming was difficult to determine. In 1906, the United States passed the Food and Drug Acts. Still in effect today, they prohibit interstate commerce in misbranded and adulterated foods, drinks and drugs.

In 1990, the Nutrition Labeling and Education Act was passed. It required all packaged foods to bear nutrition labeling and all health claims for foods to be consistent with terms defined by the U.S. Government. As a result, the food ingredient panel, serving sizes and terms such as “low fat” and “light” were standardized. It is almost inconceivable that a consumer would purchase a product without this information today.

Why should software be any different?

Consumer data and privacy are put at risk daily by the software they use in the PCs, smartphones, tablets and other consumer devices. The software-based services they use are also at risk. Their retailers’, banks’, credit monitors’ and governments’ systems are being hacked at a higher frequency and cost.

Open Source Software – Boon & Bain

A great deal of this is due to the increased use of open source code elements in software today. It is estimated that more than 90% of the software in development and use today contains open source. Its use is tied to its ability to be quickly integrated, delivering tremendous levels of innovation. However, this innovation comes with a cost. In 2018, 16,555 known software vulnerabilities were published by the National Vulnerability Database (NVD), a new record.

The open source community is now constantly finding and publishing new security vulnerabilities. Consequently, known open source software vulnerabilities become a road-map for hackers to target and attack businesses’ systems. Those systems that contain known vulnerabilities that have been left unpatched or unaddressed are likely to fall victim to data loss and theft.

Build Your Own Software Composition “Nutrition” Label

Be it developed in-house, custom-built by a third-party, off-the-shelf or some kind of amalgamation; the level of software sophistication and complexity continues to grow rapidly. Someday, in order to better protect businesses and consumers, governments may mandate, as they have in the food and medicine industries, software composition or “software nutrition” labeling.

Until that day comes, businesses should require their software vendors to provide them with this information. Unfortunately, not all software vendors provide this information citing many reasons, such as protection of proprietary IP, among others.  Smart businesses can take a more proactive approach by analyzing third-party software and building a software component list of their own.

While a great deal of the code delivered today to enterprises is accompanied by documentation that lists the software components, many third-party vendors do not provide their clients with the list of software components.

Additionally, third-party software products are likely to be a combination of in-house developed and procured code. This makes analyzing and tracking open source software elements incredibly challenging. Given that this code is delivered in binary format, businesses have had to take the composition documentation on faith.

New fingerprint-based binary scanning technologies make building a software “nutrition” composition label relatively easy and straightforward. Additionally, these scanners find small, open source code elements, catalog them and match them against databases of known security vulnerabilities. If they find vulnerabilities, they alert the DevOps and security teams so they can be addressed.

Like the vendors at the turn of the 19th Century, software providers are coming under ever-increasing scrutiny by their enterprise, SMB and consumer customers. In order to increase brand trust and reap larger profits, software vendors should look to provide the most accurate software composition documentation with their binary files. Until that time, business software purchasers should look to protect themselves and their downstream customers from potential data theft and privacy loss by leveraging fingerprint scanning technologies to accurately understand the composition of their software, before it is deployed.

About the Author

Tae Jin “TJ” Kang is a technology industry executive and entrepreneur. He is the president and CEO of Insignary. In addition to founding a number of successful technology startups, Mr. Kang has held senior management positions with global technology leaders that include Korea Telecom and Samsung Electronics, among others