2021-10-27

Twice a year we create the Thoughtworks Technology Radar, an opinionated look at what’s happening in the enterprise tech world. It’s a detailed collection of tools, techniques, languages and platforms, and we generally call out over 100 individual ‘blips.’ Creating the Radar involves over 20 of our senior technologists from around the globe, and as we discuss individual Radar blips we also talk about bigger trends. This article is a consolidation of those “macro trends” that we see in the tech industry today.

Securing the software supply chain

Earlier this year, details emerged around a well-coordinated hack that made headlines for months. Hackers had broken into SolarWinds’ systems and added malicious code to their Orion software. The reason this was such a juicy target? Orion is a network management system that monitors servers and runs with a high level of privilege across all the sensitive parts of a company’s systems. Microsoft, Intel and Cisco, as well as governments across the world, were compromised in the attack.

What was interesting, though, is that this wasn’t a hack against running instances of Orion, as many remote exploits are. Instead, it was a hack against SolarWinds’ build environment and “path to production”: malicious code was injected directly into the software, which was then digitally signed and distributed to customers. They downloaded and installed a “bug fix” release of Orion which then left them vulnerable to the hackers.

Since then, awareness has been growing of the importance of securing not just your software but also the “software supply chain” — all of the software and processes that contribute to creating, building, testing, distributing and running that software. We spoke to Mike Ensor and Jim Gumbley on the Thoughtworks Technology podcast, and they highlighted that the Biden administration had issued an executive order on cybersecurity, including directives focused on the software supply chain problem. In this edition of the Radar we blipped Software Bill of Materials (SBOM), a technique mentioned in the executive order, which says that all software should come with a machine-readable list of component names, version numbers and source vendors. When a vulnerability is discovered, you can scan the SBOMs of all your software, know what’s affected, and take action to patch your systems quickly. We also blipped Cosign, a tool for signing container images to improve security across the software supply chain.
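To make the “scan the SBOMs of all your software” step concrete, here is an added example (not from the Radar or from any SBOM tool) that walks a set of constructed, minimal CycloneDX-style SBOMs and reports which applications carry a component inside an advisory’s affected version range; the component names, versions and advisory id are all placeholders.

```python
import json

# Constructed sample SBOMs in a minimal CycloneDX-style JSON layout (illustrative,
# not full CycloneDX documents): one per application, each listing component name,
# version and supplier, i.e. the three things the executive order asks for.
SBOMS = {
    "billing-service": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "netlib", "version": "1.4.2", "supplier": {"name": "Example Vendor"}},
            {"name": "jsonparse", "version": "3.0.1", "supplier": {"name": "Example Vendor"}},
        ],
    }),
    "reporting-ui": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "netlib", "version": "1.6.0", "supplier": {"name": "Example Vendor"}},
        ],
    }),
}

# Constructed advisory with a placeholder id: the affected component plus its
# version range as an inclusive "introduced" bound and an exclusive "fixed" bound.
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "name": "netlib",
            "introduced": "1.0.0", "fixed": "1.5.0"}


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed release itself is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def affected_components(sboms: dict, advisory: dict) -> list:
    """Scan every SBOM and return (application, component, version) hits for the advisory."""
    hits = []
    for app, sbom_json in sboms.items():
        for comp in json.loads(sbom_json).get("components", []):
            if comp["name"] == advisory["name"] and is_affected(
                    comp["version"], advisory["introduced"], advisory["fixed"]):
                hits.append((app, comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    for app, name, version in affected_components(SBOMS, ADVISORY):
        print(f"{app}: {name} {version} is affected by {ADVISORY['id']}")
```

Real SBOMs carry far more fields (package URLs, hashes, licences), and production scanners match on package URLs rather than bare names, but the lookup is the same: the inventory already exists, so the question “where are we running the affected version?” is answered by a query rather than a hunt.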

Punctuated equilibrium in the platform space

In this edition of the Radar, we noticed far fewer Platform blips than usual and so we discussed what this might mean. Certainly the platform concept is still critically important: organizations that can effectively build and leverage platforms gain a leg up over the competition, accelerating their ability to get software into production and deliver value to customers. But why aren’t we excited by platform tech at the moment?