By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, and those attacks are growing more complex as modern technology changes.
Snyk Ltd. has partnered with Docker to create an extension that makes security more convenient and actionable, giving developers clear steps to build more secure container images and to improve development productivity.
“One of the things I believe a lot of organizations are focused on is trying to get a hold of understanding a lot of the implicit trust and risk associated with everything that goes into building any sort of modern application,” said Mic McCully (pictured), field strategist at Snyk. “And that’s all the components that are being used — everything from the open source to the containers that are consumed to the process, into all the ecosystem and tooling. That’s consumed a lot of the trust layers in there. It’s extremely important to understand what that is.”
McCully spoke with theCUBE industry analyst John Furrier during last year’s DockerCon event about supply chain attacks, the biggest supply chain vulnerabilities, what companies are doing to mitigate risks and more. (* Disclosure below.)
Open-source software revolutionized DevOps with its flexibility, speed and cost-effectiveness, but it introduced its own security risks as well. Some open-source projects maintain strong security practices, but zero-trust security requirements can make it difficult to adopt every open-source component effectively.
“What organizations have to do is to not only provide that and help those individuals when they’re making those decisions, but then constantly understand if that posture changes at any given time,” McCully said.
Supply chain attacks are usually carried out by criminals looking for the weakest link in the chain. This creates its own set of problems, such as attacks that target applications while they are being built.
“If I can go upstream and actually change some of those components and implement my attack inside of the application, it automatically gets embedded instead of trying to attack it directly,” McCully said. “Unfortunately, in a lot of organizations, I think that development area hasn’t had that security focus. And because of that, it’s left a little bit more exposed.”
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the DockerCon event.
(* Disclosure: TheCUBE is a paid media partner for DockerCon. Neither Docker Inc., the sponsor of theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)