Software Supply Chain Security (S3C) is a major area of concern for every company that develops software. Managing and understanding the vulnerability of a company's software supply chain, all the way down to knowing the provenance of each software component, is a daunting task. To help with this task, I am delighted to announce the new Software Supply Chain Security Toolkit - a web based, easy to use interactive resource to help security engineers assess and plan the crucial first steps needed to deliver effective software supply chain security. This online assessment toolkit will give companies the insights and advice needed to understand where vulnerabilities may exist within their chains and how to fix them.
Securing software supply chains is a broad topic, covering source code, build pipelines, software provenance and finally deployments. Every one of these areas has points of weakness that can be (and frequently are) exploited by malicious actors: Sunburst (a compromised build pipeline) and Log4Shell and Spring4Shell (critical vulnerabilities in widely consumed dependencies) immediately come to mind, but there are plenty of other examples across all popular languages and frameworks. Fortunately there is a lot that can be done to improve your supply chain security hygiene and reduce the risk of consuming or producing vulnerable software.
The S3C toolkit has drawn heavily on the following list of well regarded whitepapers and guidance on this subject:
- CNCF have produced a comprehensive Software Supply Chain Best Practices whitepaper
- The Linux Foundation have published the first version of SLSA (Supply-chain Levels for Software Artifacts) - a security framework to help organizations incrementally improve their software security
- US agencies NTIA and NIST frequently publish new and updated guidance on enhancing software supply chain security, for example here and here
- Venafi maintains an open source blueprint for building secure software development pipelines
There is also plenty of terminology, specifications and tooling to research and evaluate. If this all seems overwhelming and, let's be honest, a little off-putting, you are not alone. We are working with and talking to many clients who feel exactly the same way. They deeply understand the importance and urgency of improving the security of the software they consume and produce, but find it a challenge to identify and rank the changes that need to be made while also managing and resolving the often competing priorities of their development and security communities: velocity and reduced time to deployment on one side, control, visibility and guardrails on the other.
We recognized a need to pull all this great material together in an accessible and easy to digest format; something that will help guide and inform security focused architects and engineers. So, we're very happy to introduce our Software Supply Chain Security Toolkit. This online assessment and recommendation toolkit consolidates the guidance and advice from several existing frameworks and whitepapers, including all of those mentioned above, augmented with our own real-world experience to provide clarity, insight and direction in a complex and challenging problem space.
You can view and use the toolkit now by visiting our dedicated online web resource. Feel free to share it within your engineering teams and reach out to us directly if you would like to arrange a dedicated self assessment session of your supply chain.