Using Veracity and Providence to Ensure Software Libraries Do Not Cause More Problems Than What They Are Worth


For some in the software world, there is an idea that most of the software you need has already been written. As much as that might be true when you consider the more than 200,000 open source software projects available for use, along with the multitude of commercial tools and COTS products, it doesn’t mean the software available is actually any good. There are numerous times when development teams download and use a resource library or component only to find it has a hard-coded issue or extensibility problems that result in having to write the resource from scratch anyway. The challenge is knowing when a resource is actually worth using and how well it will work with the infrastructure and technology you use to build your solutions.

There is a way to determine if a library resource is the right choice: you measure each available resource for its commitment to Veracity and Providence within the codebase. Doing this by hand is obviously not something anyone can reasonably undertake, given the sheer size of the pool of resources to pull from, so there have to be automated ways to perform this assessment. At Sevatec, we make use of services like Nexus from Sonatype and open source tools such as Artifactory and Cloudsmith to support our goal of ensuring resource veracity and providence. Each of these tools allows the massive list of available resources to be down-selected to a set of quality candidates from which to choose capabilities for your next project.

These tools allow us to define which resources meet our standards. Veracity is the measure of how well a product is maintained with regard to security updates and remediations, while providence is the rate at which the product is sustained over the long term. For example, it’s possible for a library to have a high degree of veracity because its maintainers continuously update it to ensure all up-to-date security controls are in place, while at the same time having very low providence. Just because a library is constantly being updated for security flaws doesn’t mean its primary functionality is being improved. If the last update that added new functionality was 5 years ago, the feature set and code base are likely too antiquated to be of any use in a modern, cloud-native software development environment.

So truly useful resources are ones that have both veracity and providence. Using the tools above helps narrow the field to a small set of resources that can be managed through a dependency service, but that’s not the whole picture, especially within the Federal Government enterprise. Government security requirements are such that resources that have not been verified for their providence and veracity will likely lead to failed deployments and denial of ATO authorizations for mission-critical systems. For this reason, Sevatec employs our Governed Managed Resource Repositories to provide a platform from which only approved and verified components can be used in a development effort. Approved, whitelisted resources are inspected and hardened to government policy standards before being made available through the repository. Then, using Identity Management services, only the resource components authorized for the developer’s assigned program can be used in their software engineering work. This controls the use of resources and proves to security management that the initial components used to instantiate a new development effort are verifiable from the very beginning of the effort. By using this service and method for protecting resources, Sevatec is able to deliver on the promise of Continuous Assurance and Continuous ATO authorizations for our customers.
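As an added illustration of the veracity and providence measures defined above, and of the approval gate a governed repository would apply, the following Python is example code written for this article, not a Sevatec tool. The scoring formula, the one-year and five-year horizons, the approval thresholds, and the two release histories are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    version: str
    released: date
    security_fix: bool   # release remediates a reported vulnerability
    new_features: bool   # release adds or improves primary functionality


def recency_score(releases, today, predicate, horizon_days):
    """1.0 for a qualifying release today, decaying linearly to 0.0 at the
    horizon; 0.0 when no release satisfies the predicate (assumed formula)."""
    dates = [r.released for r in releases if predicate(r)]
    if not dates:
        return 0.0
    age_days = (today - max(dates)).days
    return max(0.0, 1.0 - age_days / horizon_days)


def veracity(releases, today):
    # Security maintenance: assumed acceptable cadence is a fix within a year.
    return recency_score(releases, today, lambda r: r.security_fix, 365)


def providence(releases, today):
    # Functional sustainment: five years without new functionality scores zero,
    # matching the article's "last feature update 5 years ago" example.
    return recency_score(releases, today, lambda r: r.new_features, 5 * 365)


def approve(releases, today, min_veracity=0.5, min_providence=0.4):
    """Both dimensions must clear their (assumed) thresholds before a component
    enters the governed repository's approved list."""
    v, p = veracity(releases, today), providence(releases, today)
    return {"veracity": round(v, 2), "providence": round(p, 2),
            "approved": v >= min_veracity and p >= min_providence}


# Constructed release histories for two hypothetical libraries.
TODAY = date(2024, 1, 1)
PATCHED_BUT_STALE = [   # security fixes keep coming, last feature work in 2018
    Release("1.4.0", date(2018, 3, 1), security_fix=False, new_features=True),
    Release("1.4.7", date(2023, 11, 15), security_fix=True, new_features=False),
]
ACTIVELY_DEVELOPED = [
    Release("2.3.0", date(2023, 6, 1), security_fix=False, new_features=True),
    Release("2.3.1", date(2023, 9, 1), security_fix=True, new_features=False),
]

if __name__ == "__main__":
    for name, history in [("patched-but-stale", PATCHED_BUT_STALE),
                          ("actively-developed", ACTIVELY_DEVELOPED)]:
        print(name, approve(history, TODAY))
```

The stale library scores high on veracity but zero on providence and is rejected; the actively developed one clears both thresholds.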