Security has long been top of mind for Wes Wells and his team.Wells is chief product officer for Instant Connect Software, which makes communications software that enables push-to-talk voice communications that connect mobile, IP, radio, and telephony devices across various private and public networks including LTE, 5G and MANET.The software enables connections for front-line teams. Its clients are primarily military and government agencies around the world. Commercial companies in oil and gas, mining, manufacturing and logistics also use the software to support mission-critical work.Given that customer base, the software \u201cneeds to be secure on all fronts,\u201d Wells says.Instant Connect uses Advanced Encryption Standard (AES) and Transport Layer Security (TLS) as part of its product security strategy, Wells says, \u201cso everything is secure, locked down and fully encrypted.\u201dIt complies with the U.S. government\u2019s computer security standard for cryptographic modules as laid out in the Federal Information Processing Standard Publication (FIPS) 140-2; NIST certification of Instant Connect algorithms confirms that they have met or exceeded the FIPS standards.That\u2019s all required when working with government and military agencies, Wells adds.So, too, is providing them and other clients with a list of any third-party libraries\u2014a software bill of materials (SBOM)\u2014used in Instant Connect software products.An opportunity to do betterDespite the company\u2019s commitment to security and its history of working with the government on providing proof of it, Wells says there was an opportunity to do better on detailing and tracking third-party libraries as well as reviewing them for vulnerabilities.\u201cIn the past we had to manually keep track of the libraries we used, what version we used in each of our releases. That then was what we provided to them on a spreadsheet or in response to an RFP,\u201d Wells says. \u201cNow we have a scan, and it\u2019s giving us a very accurate list of all third-party libraries.\u201dInstant Connect isn\u2019t the only company paying closer attention to third-party libraries, a piece of code created by entities other than the developer building the final software product or platform.There\u2019s a strong case to be made for that extra attention.Third-party libraries and open source software are pervasive. The Linux Foundation, for example, cites estimates calculating that Free and Open Source Software (FOSS) constitutes between 70% and 90% of \u201cany given piece of modern software solutions.\u201d Dale Gardner, a senior director analyst at Gartner, says more than 90% of application code contains open source modules.The practice of using software libraries certainly speeds the pace of software development.But, as security experts note, any vulnerability in that code is also then pervasive, giving hackers a big opportunity as they can seek to exploit the prevalence of the vulnerability to their advantage.Case in point: The Apache Log4j vulnerability, identified in late 2021 and found in vast numbers of enterprises, set off a worldwide scramble of security teams rushing to find it in their own organizations so they could address it.Know your codeThe pervasiveness of such code\u2014and, thus, vulnerabilities\u2014is only part of the issue, however.Many organizations have challenges in tracking which open source code or third-party libraries are being used within the software they\u2019ve deployed. That means they may have vulnerabilities within their systems and not even know it.Consequently, more entities are making SBOMs a prerequisite for doing business.That includes the federal government. The White House in May 2021 issued an Executive Order on Improving the Nation\u2019s Cybersecurity, listing the use of SBOMs as one of its many new requirements meant to enhance security in the software supply chain.Gartner, a tech research and advisory firm, also recommends that organizations take greater steps to understand the code they\u2019re using.\u201cGrowing risks and ubiquitous use of open-source software in development make software composition analysis (SCA) essential to application security,\u201d Gartner researchers state in a 2021 market guide for such tools. \u201cSecurity and risk management leaders must expand the scope of tools to include detection of malicious code, operational and supply chain risks.\u201dGartner researchers estimate that the use of SCA tools will climb significantly, predicting that by 2025 75% of application development teams will implement SCA tools in their workflow, up from the current 40%.Gardner says SCA products in general \u201care highly effective at identifying specific open source packages within code, and from that identifying known vulnerabilities in code, possible licensing issues, and\u2014currently to a lesser extent\u2014supply chain risks.\u201dHe adds: \u201cAll of these can rapidly and materially have a positive impact on the security of software.\u201dImproving the process and the productWells says he understands both the need for as well as the challenges of tracking the code used in software products.\u201cWe found that developers in the past would use a third-party library but not immediately report it up to me so I can get it added to our product documentation,\u201d he says. He says security checks later in the development process would catch such omissions, but the experience nonetheless demonstrated to him the need for a more robust process.To do that, Wells implemented CodeSentry, a binary software composition analysis tool from GrammaTech that scans Instant Connect\u2019s own software and produces a detailed SBOM as well as a list of known vulnerabilities.\u201cBy doing this scan, it gives our customers an accurate list of libraries we\u2019re using,\u201d Wells says. \u201cThe government has requested it for the past 10 years, and I\u2019ve seen on various RFPs that private companies do sometimes require a list of third-party libraries that are used in products. That\u2019s becoming more common, so having this SBOM that\u2019s generated by CodeSentry does add value to our product.\u201dWells says he finds particular value in CodeSentry\u2019s ability to identify whether software developed by Instant Connect has any known vulnerabilities. That feature, he explains, allows his teams to either address the vulnerabilities before its released or alert customers who can determine their best course of action (such as accepting the risk or disabling the feature that contains the vulnerable code).That approach isn\u2019t new to Instant Connect, Wells says. He explains that before CodeSentry was implemented in 2021, Instant Connect had a manual process for doing such work.But Wells acknowledges that the manual process was more time-consuming and more difficult to keep up-to-date than the CodeSentry scan.Furthermore, he says the manual system did not allow for the proactive approach that Instant Connect can now take.Wells says his workers find the CodeSentry technology easy to use.Gardner agrees: \u201cSetting aside the work of integrating the tools and establishing policies around the use of open source, using SCA is relatively easy. A scan is performed, results are returned, and generally a fix\u2014such as using an upgraded and repaired version of a problem package\u2014can be suggested and implemented. In most cases, it\u2019s very straightforward.\u201dWells says his teams did need to tweak workflow processes to get the optimum benefits from it.He says one of the top challenges was \u201cfiguring out when is the right time to do a scan. You don\u2019t want to do it too early in your development process, because you could run into time-consuming work that doesn\u2019t offer any value.\u201dThe company settled on using CodeSentry to scan software \u201conce the developer feels they have completed development of the feature for any particular client. That\u2019s the first step in our QA testing for that client.\u201d Developers then address any vulnerabilities or deficiencies found before running a scan again before the final release.\u201cWe then take that documentation and the SBOM and make them part of our product offering by making them available to clients,\u201d Wells says.