Key Developer Concepts and Tools in Software Supply Chain Security
By harnessing provenance, developers and security teams can lock down the entire software supply chain and prevent the exploitation of artifacts.
Software supply chain security is a threat area that was popularized by SolarWinds and Log4j. For the first time there was widespread awareness of how exploiting popular software artifacts (libraries, frameworks, etc.) can give hackers entry, where they can then pivot to all sorts of mischief.
Software supply chain security has become the next buzzword in cybersecurity and at its intersection with DevSecOps. As the latest evolution of the so-called "shift left" security trend, it's really about baking the concept of provenance (who created software, who has touched it, ensuring that it has not been tampered with) into the build process, up through production applications.
Let's take a look at some of the key concepts, open source technologies, and regulatory areas that you should be aware of, and how this is evolving into a toolchain for developers and security teams to bring their collective work close to a secure-by-default posture.
Key Concepts in Software Supply Chain Security
- Software artifacts: The discrete components that make up software systems today; everything from open-source frameworks to databases to any other type of proprietary or third-party open-source software
- Provenance: The guiding concept of software supply chain security; basically knowing the origin of who created a software artifact, and who else touched it before you installed it
- Software signing: Similar to certs on the Internet; software signatures are the fingerprints that can be used to track the provenance of software artifacts
- CVEs: Aka Common Vulnerabilities and Exposures; a system created by the MITRE corporation that centralizes publicly disclosed software vulnerabilities
- SBOMs: Software bills of materials; aka the concept of a "list of ingredients" inside of software packages
- Build systems: All of the components and subcomponents that comprise software packages and code bases
- Vulnerability management: Describes the end-to-end process of discovering and remediating security vulnerabilities, CVEs, and otherwise.
Related Open Source Technologies in Software Supply Chain Security
- Sigstore: The most popular open-source tooling for signing software artifacts; the "wax seal" standard of authenticity that has been adopted by most programming languages and registries, as well as by ubiquitous infrastructure like Kubernetes.
- Tekton: Cloud-native CI/CD platform that, among other capabilities, delivers the transparency log that stores signatures created by Sigstore; works behind the scenes (you don't have to know how to use Tekton to use Sigstore)
- SLSA: A framework for achieving software supply chain security based on specific policies and best practices; the first step is securing your build environment and then it graduates from there
- SSDF: A close cousin to SLSA; the National Institute of Standards and Technology (NIST) set of guidelines and best practices for software supply chain security
- SPDX/CycloneDX: The two leading standards for creating SBOMs
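To make the "list of ingredients" idea concrete, here is an added example (not from the article or from any of the projects it names) that checks files against the SHA-256 digests recorded in a CycloneDX-style SBOM. The SBOM, the artifact bytes, the `<name>-<version>.tar.gz` naming scheme and the function names are all constructed assumptions for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed artifacts standing in for downloaded files (name -> bytes).
ARTIFACTS = {
    "libexample-1.2.0.tar.gz": b"constructed release bytes",
    "libother-0.9.1.tar.gz": b"constructed bytes changed after the SBOM was written",
    "libnohash-3.0.0.tar.gz": b"constructed bytes with no recorded digest",
    "stray-0.0.1.tar.gz": b"constructed file the SBOM never mentions",
}

# Constructed CycloneDX-style SBOM; hashes entries use the alg/content fields.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.0", "hashes": [
            {"alg": "SHA-256", "content": sha256_hex(b"constructed release bytes")}]},
        {"type": "library", "name": "libother", "version": "0.9.1", "hashes": [
            {"alg": "SHA-256", "content": sha256_hex(b"constructed original bytes")}]},
        {"type": "library", "name": "libnohash", "version": "3.0.0"},
    ],
})

def check_artifacts(sbom_text: str, artifacts: dict) -> dict:
    """Map each file name to 'match', 'mismatch', 'no-digest' or 'unlisted'."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    recorded = {}
    for comp in sbom.get("components", []):
        # Assumption: artifacts are named <name>-<version>.tar.gz.
        fname = f"{comp['name']}-{comp['version']}.tar.gz"
        recorded[fname] = {h["content"].lower() for h in comp.get("hashes", [])
                           if h.get("alg") == "SHA-256"}
    results = {}
    for fname, data in artifacts.items():
        if fname not in recorded:
            results[fname] = "unlisted"      # ingredient missing from the list
        elif not recorded[fname]:
            results[fname] = "no-digest"     # listed, but nothing to verify against
        elif sha256_hex(data) in recorded[fname]:
            results[fname] = "match"
        else:
            results[fname] = "mismatch"      # contents differ from what was recorded
    return results
```

A "match" only shows that the file agrees with the SBOM; trusting the SBOM itself still depends on a signature over it, which is the role the signing tools above play.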
Regulatory Developments To Watch Around Software Supply Chain Security
- White House Executive Order on Improving the Nation's Cybersecurity: Published in 2021, it popularized the concept of SBOMs and cited "malicious cyber campaigns" as a threat to the public and private sectors.
- FedRAMP's Vulnerability Security Requirements for Containers: This set new requirements for "vulnerability scanning for containerized systems" as a baseline for getting FedRAMP clearance (being able to sell software to the federal government).
- Cybersecurity & Infrastructure Agency's (CISA) Secure Software Self Attestation: This is a recent document that proposes all providers of software to the federal government personally attest to the security of not only that software but all third-party components that make up that software. It is considered to be an early signal of sweeping regulatory change that makes software creators liable for their software as well as the open-source artifacts inside their builds.
Commercial Efforts To Harden Developer Workflow
Chainguard Enforce is a significant new commercial attempt to pull these technologies together in a toolchain for developers, as well as security teams creating policies. New features launched today include:
- Automatic SBOM collection
- Automatic SBOM generation
- A console interface for finding, searching, and filtering SBOMs
- Daily vulnerability scans and report generation across cloud-native workloads
- Keyless signatures through a privately managed signing infrastructure for enterprises who do not want sensitive data stored publicly