Cybersecurity and Beyond: Why Secure Procurement Is a Must for Your Organization

By Michael Griffin


Welcome back to our two-part interview with Sonatype's VP of Security, Mike Griffin. In the previous installment, we began discussing how companies are made up of what they build, borrow, and buy, and how Sonatype helps with what they build (software) and borrow (source code).

Today's installment continues the conversation and focuses on what companies buy (procurement) to ensure that what they've built and borrowed runs properly, and how Sonatype helps ensure that this process is secure.

What Are the Benefits of Mature Procurement Beyond Reducing Risk?

Mature procurement does more than provide better safety; it can also lead to improved sales enablement. When you know what to expect from your vendors, you better understand the questions your customers will ask. This means you can provide better and faster answers.

One of the biggest problems is that organizations tend to delay implementing anything but basic procurement systems and practices. You'll find this is especially true when they're small. They choose to focus on other things because they don’t have the headcount to properly monitor and manage procurement security as they should.

However, your organization is a link in the supply chain that your customers are purchasing from. They want to know the health and hygiene of the companies they do business with. But part of providing that information about your own company is knowing the same things about the services and vendors that you’re bringing to the customer's table.

To put it simply: the correlation between sales and procurement is more relevant than you might immediately think. They're different lenses of the same function.

What Can Organizations Do Better Procurement-Wise?

As with our recommendations about what makes up software, the first step is to find out what makes up your company.

You should know:

  • What vendors you're using.

  • What you are using in terms of products and services.

  • What contracts are in place and whether or not they are standardized.

An example of low awareness of products and services in your environment (courtesy of ProgrammerHumor).

Keep in mind that your organization is made up of more than your own people, processes, and technology. You are also, to some extent, made up of your vendors and their own ingredients.

For example, Sonatype employs Amazon Web Services (AWS) and the technologies they use. It doesn't make up every product, but they are one of those key ingredients. So we have to know what AWS is composed of, and we need to answer those questions if our customers ask.

This isn't top-of-mind for many companies, but it's important. Take the Log4j vulnerability, for example: companies had to quickly find answers to two important questions:

  • Is it in our product?

  • Are the services we rely on impacted?

Unsurprisingly, not many understood the vendors they were using. And if you don't know your vendors, you're certainly not aware of what technology they're using.

Sonatype tries to create easy solutions that empower organizations to take control of their procurement processes. When your organization knows exactly what's in its product, you know where to go if something needs an adjustment, has expired, etc. And this isn't something that can be pushed onto the back burner. These solutions need assigned care.

In the case of Log4j, many companies did not have the knowledge they needed, so they had to go out and perform a discovery. But discovery is only half the battle; after that, you have to figure out what was actually affected.

When Performing a Discovery, What Are the Major Areas to Look At?

There are four major pieces that you need to look at to assess the risk of your procurement processes:

  • The tools that go directly into your products, including open source component software.

  • The services and infrastructure that your products run on, like Azure and AWS.

  • The tools you use to create your products, such as development platforms like IntelliJ or Eclipse.

  • Any administrative or organizational business tools, like email or Zoom.

These are all entry points that put your organization at risk, and they are all connected to procurement.

Does a Procurement Process That's More Systematized, Standardized, Smarter, and Better Result in a Better Company?

It's more about quality-in and quality-out. When you source quality components and technologies, you're going to get a better outcome. But while all those things need to be tied to a procurement process, it's not one-size-fits-all by any means. Larger companies will need very different procurement systems than medium or small companies.

How Does Someone Know If They Have a Good Procurement System in Place?

Ideally, procurement is not long and laborious. It's clear, transparent, and automated as much as possible. The ultimate goal of good procurement is to create a healthy organization. A mature process allows you to manage risks both known and unknown, and to suss out unknown risks in a very efficient and scalable manner.


With good procurement, you know what you're consuming and what goes into your product. The next Log4j will come along; it's not a matter of "if." If you know what makes up your company, the reaction can be immediate. You can look at the code and throw it out if needed, or repeat it if that's what needs to be done. The important thing is that you get those answers ASAP. Any organization will be better off with eyes on all the risks.

And returning to what we talked about earlier around sales enablement, you'll also be able to answer important questions from your customers during a stressful time. Your ability to quickly respond to questions about environmental things outside your immediate control – such as cloud services – will improve when they're well-managed. Knowing these things also allows you to shorten lead times for sales processes, and of course, it shortens your vendor procurement processes.

How Does Someone Who Has Realized How Important This Is to Their Organization Get Started?

You might not be able to evaluate everything, but a good place to start is with what you're paying for – just a basic evaluation. If they're core to your company and being paid for, there should always be some consideration. This sounds incredibly obvious, but it's not being done by many.


Written by Michael Griffin

Michael serves as Sonatype's Vice President, Information Security, and brings over 22 years' experience building and leading Information Security programs for organizations. Michael is active in professional organizations, such as ISACA and ISSA, where he enjoys helping organizations improve their ...
