How Capital One Strengthens the Software Supply Chain
As the use of open source software increases, a well-managed supply chain and secure software delivery pipelines are critical to business success, says Nureen D’Souza, head of Capital One’s Open Source Program Office and a speaker at cdCon 2022.
“It’s important to implement a corporate culture with ingrained security that enables developers to focus on innovation and value-added features rather than software maintenance chores,” D’Souza said.
As part of a 10-year technology transformation, Capital One reached its first open source milestone in 2015. “Today, our modern architecture allows Capital One to leverage global innovations and accelerate delivery by engaging in a collaborative approach to building software,” said D’Souza.
The biggest challenge in software supply chain management is managing the many interconnected tools, languages, frameworks and methods, according to D’Souza. Amid these complexities, Capital One has written standardization, automation and the sustainability of the ecosystem into the charter of its Open Source Program Office.
According to D’Souza, Capital One has established a well-defined process for using, starting, responsibly maintaining and contributing to open source software. These standards give developers guardrails and enforce appropriate behaviors.
“Establishing well-managed processes around security, compliance, privacy and transparency is critical to developing open source software,” D’Souza said.
Applications need defenses to protect them from malicious actors, and compliance policies to ensure that required controls are met. Organizations can also protect sensitive information by establishing confidentiality standards. To make software behavior observable and verifiable, a process can attest to application health and security through metadata.
D’Souza also highlighted automation in DevSecOps as a significant benefit of moving security to the left in the development process. She emphasized these principles:
- Policies: automate policies early in the development process to make open source software easy to use;
- Orchestration: maintain infrastructure by building orchestration for repeatable tasks such as version upgrades and new patches;
- Actionable insights: create an application inventory or software bill of materials (SBOM) so developers know what is in each release build;
- Code review: design an automated code review process to improve code quality before release;
- Requirements: automate all functional and non-functional requirements.
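The policy, orchestration and SBOM principles above come together in a release gate: a pipeline step reads the bill of materials for a build and fails automatically when a component violates policy. The following Python script is an added illustration of that idea and is not Capital One's tooling. The SBOM is a hand-built sample in CycloneDX JSON shape, the allowed-license set and the blocked-version list are constructed placeholders (a real pipeline would pull them from an internal advisory feed), and the rules themselves are assumptions chosen to show the mechanism.

```python
"""Automated SBOM policy gate (added example, not Capital One's tooling).

Reads a CycloneDX-style SBOM (the structure below is a hand-built sample,
not a real export) and applies a constructed release policy:
  * every component must declare a license from the allow-list,
  * every component must have an exact, pinned version,
  * no component may match the block-list of (name, version) pairs.
Findings are returned as data so a pipeline step can fail the build and
developers can see exactly which component and rule tripped.
"""
import json
import re
from typing import Dict, List

# Constructed sample SBOM in CycloneDX JSON shape (not from a real build).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "requests", "version": "2.28.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "leftpad-example", "version": "0.1.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "widget-lib", "version": "^1.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "oldparser", "version": "1.0.3", "licenses": []},
    ],
})

# Constructed policy: what the release pipeline enforces automatically.
POLICY = {
    "allowed_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    # Hypothetical block-list of (name, version); a real pipeline would
    # source this from an internal advisory feed, not a literal.
    "blocked": {("oldparser", "1.0.3")},
}

# Accepts "1.2.3" or "1.2.3-rc1"; rejects ranges such as "^1.2" or "*".
EXACT_VERSION = re.compile(r"^\d+(\.\d+)*([-+][0-9A-Za-z.]+)?$")


def component_licenses(component: Dict) -> List[str]:
    """Collect SPDX ids (or free-text names) declared for one component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "")
    return [i for i in ids if i]


def evaluate_sbom(sbom_json: str, policy: Dict) -> List[Dict]:
    """Return one finding per policy violation; an empty list means release may proceed."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name", "?"), comp.get("version", "")
        licenses = component_licenses(comp)
        if not licenses:
            findings.append({"component": name, "rule": "missing-license"})
        elif not any(lic in policy["allowed_licenses"] for lic in licenses):
            findings.append({"component": name, "rule": "license-not-allowed",
                             "detail": ",".join(licenses)})
        if not EXACT_VERSION.match(version):
            findings.append({"component": name, "rule": "version-not-pinned",
                             "detail": version})
        if (name, version) in policy["blocked"]:
            findings.append({"component": name, "rule": "blocked-version",
                             "detail": version})
    return findings


def release_allowed(sbom_json: str, policy: Dict) -> bool:
    """Gate decision a CI step would act on: True only with zero findings."""
    return not evaluate_sbom(sbom_json, policy)


if __name__ == "__main__":
    for finding in evaluate_sbom(SAMPLE_SBOM, POLICY):
        print(finding)
    print("release allowed:", release_allowed(SAMPLE_SBOM, POLICY))
```

Run against the sample, the gate reports four findings (a disallowed license, an unpinned version, a missing license and a blocked version) and refuses the release; the same function applied to a clean SBOM returns no findings. Keeping the rules in data rather than in code is what lets the policy be versioned and updated without touching the pipeline, which is the point of automating it early.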
“By automating various tasks throughout the software delivery pipeline, you mitigate risk,” said D’Souza.
Open source software creates tremendous value for technology companies because it shares the cost of creating and maintaining basic infrastructure. Supporting these shared assets requires a large number of talented contributors who form nurturing communities.
To sustain this ecosystem, D’Souza recommends identifying the open source projects your company depends on and contributing to those foundation-supported projects. “It’s a great way to solve problems collectively,” she said. D’Souza also stressed the importance of contributing upstream to avoid reacting to problems downstream.
Capital One teams have released more than 25 open source projects and completed more than 2,000 contributions to approximately 100 different projects on which the company depends, working collectively with those communities to solve problems in the software supply chain.
“All of this work helps improve the developer experience by allowing engineers to focus on what they do best,” D’Souza said.