Key Developer Concepts and Tools in Software Supply Chain Security

By harnessing provenance, developers and security teams can lock down the entire software supply chain and prevent the exploitation of artifacts.

By Tom Smith (DZone Core)
Jul. 31, 23 · Analysis

Software supply chain security is a threat area that was popularized by the SolarWinds and Log4j incidents. For the first time, there was widespread awareness that exploiting popular software artifacts (libraries, frameworks, etc.) can give attackers an initial foothold, from which they can pivot to all sorts of mischief.

It has become the next buzzword in cybersecurity, sitting at the intersection with DevSecOps. As the latest evolution of the so-called "shift left" security trend, it is really about baking the concept of provenance (who created the software, who has touched it, and assurance that it has not been tampered with) into the build process, all the way up through production applications.

Let's take a look at some of the key concepts, open source technologies, and regulatory areas that you should be aware of, and how this is evolving into a toolchain for developers and security teams to bring their collective work close to a secure-by-default posture.

Key Concepts in Software Supply Chain Security

  • Software artifacts: The discrete components that make up software systems today; everything from open-source frameworks to databases to any other type of proprietary or third-party open source software
  • Provenance: The guiding concept of software supply chain security; basically knowing the origin of a software artifact, who created it, and who else touched it before you installed it
  • Software signing: Similar to certs on the Internet; software signatures are the fingerprints that can be used to track the provenance of software artifacts
  • CVEs: Aka Common Vulnerabilities and Exposures; a system created by the MITRE Corporation that centralizes publicly disclosed software vulnerabilities
  • SBOMs: Software bills of materials; aka the concept of a "list of ingredients" inside of software packages
  • Build systems: All of the components and subcomponents that comprise software packages and code bases
  • Vulnerability management: The end-to-end process of discovering and remediating security vulnerabilities, whether they are tracked as CVEs or not
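The SBOM, CVE and vulnerability management concepts above fit together in one workflow: read the "list of ingredients", look each ingredient up in an advisory feed, and flag anything below the fixed version. The following is an added example, not code from the article or from any of the projects it mentions; the CycloneDX document and the advisory entries (including the CVE-EXAMPLE ids and version numbers) are constructed for illustration, and the version comparison assumes plain dotted numeric versions.

```python
from __future__ import annotations
import json

# Constructed CycloneDX 1.4 SBOM fragment (not output from a real scanner).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "name": "jackson-databind", "version": "2.15.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}
  ]
}"""

# Constructed advisory feed: CVE id -> (purl without version, first fixed version).
# Ids and versions are placeholders, not copied from any real vulnerability database.
ADVISORIES = {
    "CVE-EXAMPLE-0001": ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.17.1"),
    "CVE-EXAMPLE-0002": ("pkg:maven/com.fasterxml.jackson.core/jackson-databind", "2.13.4"),
}

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/ns/name@version?qualifiers' into (package identity, version)."""
    base, _, rest = purl.partition("@")
    return base, rest.split("?", 1)[0]

def find_vulnerable_components(sbom_json: str, advisories: dict) -> list[dict]:
    """Return one finding per (component, advisory) pair where the installed version is below the fix."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base, version = split_purl(comp["purl"])
        for cve_id, (vuln_base, fixed_in) in advisories.items():
            if base == vuln_base and parse_version(version) < parse_version(fixed_in):
                findings.append({"cve": cve_id, "purl": comp["purl"], "fixed_in": fixed_in})
    return findings

if __name__ == "__main__":
    for f in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{f['cve']}: {f['purl']} (upgrade to >= {f['fixed_in']})")
```

Matching on the version-less purl rather than on the bare component name avoids false positives between packages that share a name across ecosystems.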

Related Open Source Technologies in Software Supply Chain Security

  • Sigstore: The most popular open-source tooling for signing software artifacts; the "wax seal" standard of authenticity that has been adopted by most programming languages and registries, as well as by ubiquitous infrastructure like Kubernetes.
  • Tekton: Cloud-native CI/CD platform that, among other capabilities, delivers the transparency log that stores signatures created by Sigstore; it works behind the scenes (you don't have to know how to use Tekton to use Sigstore)
  • SLSA: A framework for achieving software supply chain security based on specific policies and best practices; the first step is securing your build environment, and the levels graduate from there
  • SSDF: A close cousin to SLSA; NIST's (National Institute of Standards and Technology) set of guidelines and best practices for software supply chain security
  • SPDX/CycloneDX: The two leading standards for creating SBOMs
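SLSA provenance is delivered as an in-toto statement whose subject is the built artifact's digest and whose predicate names the builder. The policy checks a consumer applies before trusting such a statement are shown below as an added example; it is not code from the article, from the SLSA project or from Sigstore. It assumes the statement has already been extracted from a verified DSSE envelope (the signature check that cosign performs is out of scope here), and the artifact bytes, builder URL and source URI are constructed placeholders.

```python
import hashlib

# Constructed artifact bytes standing in for a built release tarball.
ARTIFACT = b"example release contents v1.0.0\n"
# Placeholder builder identity that this consumer's policy trusts.
TRUSTED_BUILDERS = {"https://builder.example.com/tekton"}
PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"

def make_statement(artifact: bytes, builder_id: str) -> dict:
    """Build a minimal in-toto Statement carrying a SLSA v0.2 provenance predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "app.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PROVENANCE_V02,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/build/v1",  # placeholder build type
            "invocation": {"configSource": {"uri": "git+https://example.com/repo@refs/heads/main"}},
        },
    }

def verify_provenance(statement: dict, artifact: bytes, trusted_builders: set) -> list[str]:
    """Return policy failures; an empty list means the artifact's provenance is accepted."""
    failures = []
    if statement.get("predicateType") != PROVENANCE_V02:
        failures.append("unexpected predicateType")
    # The statement only vouches for the exact bytes whose digest it lists.
    actual = hashlib.sha256(artifact).hexdigest()
    listed = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if actual not in listed:
        failures.append("artifact digest not listed as a subject")
    # Provenance from an unknown builder (for example a developer laptop) is rejected.
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder id: {builder}")
    return failures

if __name__ == "__main__":
    stmt = make_statement(ARTIFACT, "https://builder.example.com/tekton")
    print(verify_provenance(stmt, ARTIFACT, TRUSTED_BUILDERS) or "provenance accepted")
```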

Regulatory Developments To Watch Around Software Supply Chain Security

  • White House Executive Order on Improving the Nation's Cybersecurity: Published in 2021, it popularized the concept of SBOMs and cited "malicious cyber campaigns" as a threat to the public and private sectors.
  • FedRAMP's Vulnerability Security Requirements for Containers: This set new requirements for "vulnerability scanning for containerized systems" as a baseline for getting FedRAMP clearance (being able to sell software to the federal government).
  • Cybersecurity and Infrastructure Security Agency's (CISA) Secure Software Self Attestation: This is a recent document that proposes that all providers of software to the federal government attest to the security of not only that software but all third-party components that make up that software. It is considered to be an early signal of sweeping regulatory change that makes software creators liable for their software as well as the open-source artifacts inside their builds.

Commercial Efforts To Harden Developer Workflow

Chainguard Enforce is a significant new commercial attempt to pull these technologies together in a toolchain for developers, as well as security teams creating policies. New features launched today include:

  • Automatic SBOM collection
  • Automatic SBOM generation
  • A console interface for finding, searching, and filtering SBOMs
  • Daily vulnerability scans and report generation across cloud-native workloads
  • Keyless signatures through a privately managed signing infrastructure for enterprises who do not want sensitive data stored publicly