Three key approaches to safeguarding modern application security

More than a decade ago, Marc Andreessen famously declared that “software is eating the world.”

The Silicon Valley venture capitalist’s comments came as he looked back at the creative disruption caused by the 1990s dot-com bubble and the “dozen or so new Internet companies like Facebook and Twitter sparking controversy in Silicon Valley.”

But he also observed in 2011 that an increasing number of major businesses and industries were being run on software and delivered as online services — in effect, “overturning established industry structures.”

“Over the next ten years, I expect many more industries to be disrupted by software, with new world-beating Silicon Valley companies doing the disruption in more cases than not,” he wrote.

Fast forward to today, and Andreessen’s comments still ring true. But in an interesting update, McKinsey has suggested that the slogan — “software is eating the world” — should be reworded to “software is the world.”

The linguistic tweak leaned on findings from McKinsey’s research, which showed that almost seven in ten top economic performers used their own software to differentiate themselves from their competitors.

Of course, the software being discussed is far from the monolithic, all-in-one solutions hosted on-premises. Instead, today’s forward-thinking organisations prefer flexible, user-friendly applications that are scalable and can be rolled out at speed. 

It’s an approach followed almost universally today since it removes many obstacles to digital transformation that might otherwise prevent employees from being more innovative, efficient, and productive.

But it has its problems. 

The challenges of securing modern applications

Today, applications tend to be based on multiple microservices loosely coupled together to create a more modern architectural and organisational approach to software engineering. Typically, these are decentralised across multiple platforms.

It’s a tactic favoured because it enables businesses and organisations to deliver large, complex applications quickly. The snag is that this way of working can make it difficult for users to visualise and understand the entire application. 

Worse, it can lead to increased security exposure. Unless each service is properly insulated and protected, cyber criminals may be able to gain access to the entire application via a single insecure microservice. And if these security incidents can’t be seen, it is almost impossible to identify the threat — let alone respond to it or prevent it.

Then there are the challenges brought by open-source software. Open-source code is used in nearly every modern application and is a valuable resource for developers. However, researchers at application security company Synopsys found at least one vulnerability in 84% of commercial code bases.

And one vulnerability is all that an attacker needs to do untold damage.

The good news is that while modern applications’ security challenges are real, they are not insurmountable. Instead of returning to monolithic legacy software, organisations can embrace modern application development while ensuring security by taking three steps:

1) Increase visibility into complex IT environments through observability

It doesn’t matter whether it’s a fault in a car engine, a laptop, or a toaster — you cannot fix a fault until you can identify the problem. That’s why observability is such an important tool. 

Observability solutions provide real-time visibility across an entire IT estate, which is essential for the secure development of modern applications. Having a clear view of an entire infrastructure enables IT teams to quickly identify and resolve security issues before they develop into significant problems. 

2) Build in security with a ‘shift left’ approach to testing

There’s a general rule of thumb that you can’t really test anything until it’s been built or created. Want to see if a kite will fly? Build it, wait for the wind to blow, and then give it a whirl. If it fails to take off — or comes crashing to the ground — it’s probably worth returning to the drawing board. 

It’s an approach to testing that is almost universal — and that includes software.

But what if that testing could occur earlier to identify issues even before they arise? What if you could identify security issues during — not after — the build phase? In effect, that’s the principle behind ‘shift left.’  

Traditionally, security checks occur in the ‘testing phase’ after the software has been written and pulled together. However, what if an issue was built into the software early in its development? If that’s the case, the DevOps team will have to work retroactively and unpick work already done. This can slow down the process and inhibit a thorough application review.

Implementing the ‘shift left’ approach improves the development process by embedding security measures sooner. This enables DevOps teams to identify vulnerabilities during development — rather than after the project is completed.

In this way, DevOps teams can streamline their development process by keeping security at the forefront, enabling them to deliver safer and more reliable products.
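As an added illustration of the ‘shift left’ idea (this is example code written for this page, not code from the article or from SolarWinds), the check below runs over Python source at commit time and flags two well-known risky constructs with the standard `ast` module, so the finding reaches the developer while the code is still being written rather than in a late testing phase. The two source snippets it scans are constructed for the example; the ‘after’ version shows the hardened form of each call.

```python
"""Lightweight 'shift left' static check: flag risky Python calls before commit.

Added example, not from the original article. It parses source with the
standard library ast module and reports subprocess calls that use shell=True
and any use of eval()/exec(), both classic injection sinks when user input
can reach them.
"""
import ast

RISKY_SUBPROCESS = {"subprocess.run", "subprocess.Popen",
                    "subprocess.call", "subprocess.check_output"}


def _call_name(node):
    """Return a dotted name for a call target, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def find_risky_calls(source, filename="<constructed>"):
    """Return (filename, line, message) tuples for risky calls in source."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RISKY_SUBPROCESS:
            # shell=True hands the command string to a shell, so any data
            # concatenated into it is interpreted as shell syntax.
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((filename, node.lineno,
                                     f"{name} with shell=True"))
        elif name in {"eval", "exec"}:
            # eval/exec execute whatever string they receive as code.
            findings.append((filename, node.lineno, f"call to {name}()"))
    return findings


def check_files(files):
    """Scan a {filename: source} mapping and return all findings."""
    findings = []
    for name, src in files.items():
        findings.extend(find_risky_calls(src, name))
    return findings


# Constructed sample files: the same two functions before and after hardening.
BEFORE = '''
import subprocess
def archive(path):
    return subprocess.run("tar czf out.tgz " + path, shell=True)
def compute(expr):
    return eval(expr)
'''

AFTER = '''
import ast
import subprocess
def archive(path):
    return subprocess.run(["tar", "czf", "out.tgz", path], check=True)
def compute(expr):
    return ast.literal_eval(expr)
'''

if __name__ == "__main__":
    # A pre-commit hook would pass the staged files here and block the commit
    # on a non-zero exit status.
    results = check_files({"before.py": BEFORE, "after.py": AFTER})
    for fname, line, msg in results:
        print(f"{fname}:{line}: {msg}")
    raise SystemExit(1 if results else 0)
```

Wired into a pre-commit hook or a CI job, the non-zero exit status blocks the change until the flagged call is rewritten, which is the ‘identify during the build phase’ outcome the section describes; the argument-list form of `subprocess.run` and `ast.literal_eval` are the usual safe replacements.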

3) Be transparent by utilising a software bill of materials

Now, more than ever, the technology industry needs to be transparent — especially since cyberattacks are becoming more sophisticated and instigated increasingly by rogue nations. 

That’s why a Software Bill of Materials (SBOM) is so important. It’s a structured list of all the components and dependencies that comprise a piece of software. It serves as a comprehensive inventory of the various software elements used in an application, including open-source libraries, third-party components, frameworks, modules, and other software assets. Each component in the SBOM provides a clear view into the software supply chain, helping developers identify and address vulnerabilities.

For example, if a new vulnerability were to be discovered in an open-source library, an SBOM helps to pinpoint the affected applications and prompt the appropriate teams to take action. Knowing what materials are going into development also helps predict the final product’s functionality, as developers can identify points of concern from the start.
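The lookup described above, as an added example that is not part of the original article or any SolarWinds product: three small CycloneDX-style SBOMs (one per application) are matched against a vulnerability advisory that names a package and an affected version range, returning which applications carry the vulnerable component. The SBOM contents, the package names and the advisory identifier are all constructed placeholders.

```python
"""Match a vulnerability advisory against per-application SBOMs.

Added example, not from the original article. The SBOM fragments follow the
CycloneDX JSON layout (a "components" list with "name", "version" and "purl"
fields); the package names and advisory id are constructed placeholders.
"""
import json
import re

# Constructed SBOMs, one per application, stored as CycloneDX-style JSON text.
SBOMS_JSON = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "example-logger", "version": "2.14.1",
             "purl": "pkg:maven/com.example/example-logger@2.14.1"},
            {"type": "library", "name": "example-json", "version": "3.1.0",
             "purl": "pkg:maven/com.example/example-json@3.1.0"},
        ],
    }),
    "web-frontend": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "example-parser", "version": "1.2.3",
             "purl": "pkg:npm/example-parser@1.2.3"},
        ],
    }),
    "reporting-job": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "example-logger", "version": "2.17.1",
             "purl": "pkg:maven/com.example/example-logger@2.17.1"},
        ],
    }),
}

# Constructed advisory: the id is a placeholder, not a real CVE number.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "package": "pkg:maven/com.example/example-logger",
    "affected": ">=2.0, <2.17.1",   # half-open range, the usual advisory form
}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); pad short versions so '2.0' == '2.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def version_in_range(version, spec):
    """True when every comma-separated constraint in spec holds for version."""
    value = parse_version(version)
    for constraint in spec.split(","):
        match = re.match(r"(<=|>=|<|>|=)\s*(.+)", constraint.strip())
        if not match:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = match.groups()
        if not _OPS[op](value, parse_version(bound)):
            return False
    return True


def split_purl(purl):
    """Split 'pkg:npm/example-parser@1.2.3' into (package, version)."""
    package, _, version = purl.partition("@")
    return package, version


def find_affected(sboms_json, advisory):
    """Map application name -> list of 'component@version' hits for advisory."""
    hits = {}
    for app, doc in sboms_json.items():
        for comp in json.loads(doc).get("components", []):
            package, version = split_purl(comp.get("purl", ""))
            version = version or comp.get("version", "")
            if (package == advisory["package"]
                    and version_in_range(version, advisory["affected"])):
                hits.setdefault(app, []).append(f"{comp['name']}@{version}")
    return hits


if __name__ == "__main__":
    for app, comps in find_affected(SBOMS_JSON, ADVISORY).items():
        print(f"{ADVISORY['id']}: {app} is affected via {', '.join(comps)}")
```

The match is done on the package URL (purl) rather than the display name, because the same library can appear under different names across ecosystems and tools; with real SBOMs the version comparison should use the ecosystem’s own rules (semver pre-release tags, Maven qualifiers), which the three-part numeric comparison here deliberately leaves out.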

The trend for modern software applications is something that should be embraced since it brings a host of benefits. And it goes without saying that it’s a vast improvement on the on-prem, monolithic, all-in-one solutions of the past.

However, the quest for function-rich, easy-to-use systems should not come at the expense of building security into applications. Any vulnerability introduced at any stage increases the risk of a security breach.

But by using observability tools, by ‘shifting left’ and testing much earlier in the software development process, and by adhering to best practices such as maintaining an SBOM, organisations can find a balance between embracing new technology — and profiting from its benefits — while also ensuring that all-important element: security.


Sascha Giese is a Tech Evangelist at SolarWinds, based in the company’s Europe, Middle East, and Africa (EMEA) headquarters in Cork, Ireland. He holds various technical certifications, including Cisco® Certified Network Associate (CCNA®), Cisco Certified Design Associate (CCDA), Microsoft® Certified Solutions Associate (MCSA), VMware® Technical Sales Professional (VTSP), AWS® Certified Cloud Practitioner, and Network Performance Monitor and Server & Application Monitor SolarWinds Certified Professional® (SCP). Giese has more than 10 years of technical IT experience, four of which have been as a senior pre-sales engineer at SolarWinds. In that role, he was responsible for product training for SolarWinds channel partners and customers, regularly participated in the annual SolarWinds Partner Summit EMEA, and contributed to the company’s professional certification program, SolarWinds Certified Professional.
