Unchained
Products
Chainguard Images
Reduce your attack surface with hardened container images.
Solutions
Developer
Resources
Company
Contact
Back
Container Image Security
Run hardened container images.
Vulnerability Remediation
Eliminate CVEs daily.
Open Source Software Security
Consume OSS safely.
Compliance & Risk Mitigation
Meet and maintain compliance.
Software Supply Chain Security
Build secure software by default.
Back
Docs
Open source
Back
Unchained blog
Chainguard labs
Customer stories
Events
Security
Education
Back
About
Newsroom
Careers
Chainguard love
Back
About
Newsroom
Careers
News

Our 2023 technology trends & predictions for software security

Chainguard Team
December 15, 2022
copied

We’ve just passed the 1-year anniversary of the log4j vulnerability, when this time last year many of us spent the holidays navigating, patching and scratching our heads about what it's going to take to stop the next software security endemic from striking. Today, log4j still lingers on with 72% of organizations still vulnerable, according to Tenable. But in all, it's remarkable to look back on that dark place we found ourselves in a year ago, and all the great work that’s been accomplished by so many in the open source community since.

One thing that’s become evident to everyone (that didn’t already know) is that software supply chain security isn’t unique to open source…but open source IS uniquely positioned to address it. Chainguard CEO Dan Lorenc recapped more thoughts on the ecosystem’s past year in open source software security on LinkedIn today – check it out!

As we get ready to kick off a new year, we asked our Chainguardians to look into their crystal balls to predict what 2023 will hold for software supply chain and open source software security. 

SBOMs, more SBOMs and more accurate SBOMs

“SBOMs will dominate in the enterprise, but SLSA and Sigstore will dominate in the open source software communities. Open source is more motivated by concrete threats and mitigations rather than regulation. This will lead to a mismatch in priorities and friction as enterprises focus on SBOMs first.” Dan Lorenc, CEO & Co-Founder

“Folks are going to start to figure out that not all SBOMs are created equal (bonus: with tooling!) SBOMs are all the rage, but there's been so much focus on HAVING an SBOM that folks aren't looking carefully enough at how well that SBOM reflects the actual contents of the image. So we will (hopefully) start to see more scrutiny of SBOM content (vs. presence) and (hopefully) tooling that helps to ~score SBOM accuracy and coverage.” Matt Moore, CTO & Co-Founder

“Tooling will finally coalesce to allow doing useful things with SBOMs. Security vulnerability scanners such as Trivy are already gaining support for SPDX 2.3 SBOMs. Other tools such as license compliance tools will, like Trivy, shift away from doing SCA themselves, to consuming and aggregating SBOM data. SBOMs will then, finally, become a universal representation of the composition of software packages. The result will allow users with high quality SBOMs to perform all kinds of analysis on their software packages.”Ariadne Conill, Principal Software Engineer 

In 2022, people will start looking inside of their SBOMs. As 2022 draws to a close, SBOMs are moving to a new phase. Legislation has driven the initial adoption effort and is now getting accelerated by procurement and compliance in the enterprise. As companies start looking into their bills of material from legal and technical optics, new questions are being asked about what is in them. I think we'll start seeing the rise of new tools to look into SBOMs and assure minimal quality levels of the data and how they describe software. Consumption tooling will also largely shape their contents as more and more people start to read the documents they get and problems parsing and finding data arise.”Adolfo Garcia, Staff Software Engineer 

Increasing adoption of software signatures and the great self-attestation debate

Sigstore will kill off PGP with the fire of a thousand suns. Ok, probably a little optimistic on my part, but keyless signing, and widespread adoption of digital software signatures across projects like Kubernetes can only grow at this point. Especially since Sigstore is so easy, and PGP is hard.”Jamon Camisso, Developer Experience Engineer

The software industry will adopt self-attestations and they will be almost entirely worthless. U.S. federal government agencies will start to require software supply chain self attestations to be produced in 2023. Many vendors will offer a service to create these documents. However, the contents will be so out-of-date or simplified so as to not actually secure anything. Although there is hope that in 2024-2025, agency requirements and vendor products will evolve to make this process useful.”Adam Dawson, Principal Product Manager 

“We’ll see 40M entries in Sigstore’s Rekor, which is the project’s  immutable, tamper-resistant ledger of metadata generated within a software project's supply chain. Sigstore has seen exponential adoption since its general availability milestone in October 2022 and we will continue to see the project’s momentum in open source software drive enterprise adoption of Sigstore’s software signing capabilities.” John Osborne, Software Security Architect 

A movement to reduce security debt 

“CVE Zero will be the new Inbox Zero. The same way inbox zero became popular to reduce the amount of time your brain is in your inbox, CVE Zero will be the new attitude to reduce the amount of time a developer wastes on CVE. Those who defend leaving CVEs in code will have less to stand on as new tools (like Wolfi) make this easier and the industry moves to take action to get away from noisy security debt.”Tracy Miranda, Head of Open Source 

Software supply chain security awareness 2.0 

I think 2023 will be the great year of software supply chain security awareness. We’re going to continue to see the upward trend of supply chain attacks. Companies in the target zone will put their roadmaps together to limit their risks. I believe one of the top items in these roadmaps will be gaining awareness of the software running in their systems, and understanding where it came from. While software supply chain security has been the hype as of late, I think 2023 is when we're really going to start seeing companies put real effort into safeguarding themselves (and meeting new, impending regulations) and this will start by having awareness of what software they're running and the weaknesses along their supply chains.”Kim Lewandowski, Head of Product & Co-Founder 

OSS Copyright risks and the rise of ChatGPT 

“We will start seeing Open Source projects being accused of copyright infringement, generating a legal risk to all users of the software. ChatGPT and copilot are being used to help write code. But these models were trained on existing code and in some cases will copy that code wholesale. Unless carefully vetted, this exposes users to potential copyright infringement claims.”Adrian Mouat, Product Manager  

Related articles
News
Join Chainguard at RSAC 2024: Immersive art, expert talks, and karaoke
April 26, 2024
News
A more secure (and smaller) Big Bang
April 9, 2024
News
Chainguard Images now available on Docker Hub
March 14, 2024

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.

Get started
Products

Chainguard Images

Solutions

Container Image Security

Vulnerability Remediation

Open Source Software Security

Compliance & Risk Mitigation

Software Supply Chain Security

Developer

Open source

Docs

Resources

Unchained blog

Chainguard Labs

Customer stories

Scanners

Security

Education

Company

About

Newsroom

Careers

Chainguard love

Legal

Contact

Follow

Twitter

GitHub

LinkedIn

TikTok

© 2023 Chainguard, Inc.

Contact
Contact