Go from Complete Anarchy to Anti Entropy
Software supply chain security, operationalized in 5 stages
Software vendors have long been focused on dealing with the problem of software vulnerabilities, but software supply chain vulnerability is actually much broader, encompassing all of the code that vendors import, build and ship. In other words, the software supply chain extends across the entire software development lifecycle (SDLC), including all of the processes and systems that interact with it. Therein lies the problem: the need for software vendors to secure everything, whereas bad actors need only a single weak link to exploit.
Fear not, we have the roadmap to guide you through the journey of securing your software supply chain.
Journey to Supply Chain Security
June 11, 2023: Executive Order Mandate 14028 goes into effect, complete with legal repercussions for those who don’t comply.
In response to the growing threat of software supply chain attacks, as well as the reluctance of software vendors to embrace a security-first mindset, the US government has taken the exceptional step of imposing supply chain security requirements. Effective from June 2023, any vendor of software deployed at (or even coming in contact with systems at) US government agencies or departments must comply or risk losing their contract. While the guidelines are extensive, key requirements for software vendors include:
- SBOMs – vendors must provide a machine-readable list of all the components that make up their software application, including third-party libraries and integrations.
- Secure Software Development – vendors must adopt secure software development best practices, starting with detecting and resolving security vulnerabilities.
In much the same way that European Union (EU) General Data Protection Regulation (GDPR) requirements were adopted worldwide for fear of losing out on EU revenue, the US’ secure supply chain requirements are likely to become just as widespread.
With that in mind, this chapter focuses on Stage 1 (Observable Chaos) of the Secure Supply Chain Journey, which can help organizations get started on the path to securing their software supply chain and complying with US requirements.
Start now to get compliant with EOM 14028 and the SLSA 1.0 framework
Attestations
Signed attestations provide a critical piece of the EOM and SLSA security framework puzzle.
SBOMs (Software Bill of Materials)
Provide auditable trails on who did what, when.
Provenance
Enable machine-readable audit trails for your builds.
Additional Resources
Business Leader’s Guide To Establishing Software Supply Chain Trust
Business leaders concerned with the security of the software they produce and purchase need to be aware of emerging software supply chain attack vectors. This white paper provides leaders with the knowledge they need to manage software supply chain risks, whether they’re buying software or creating it.
Understanding Secure Software Supply Chain Legislations Around The World
Learn about government-enacted secure software supply chain legislation that is imposing requirements on software vendors and how to comply.
Introducing SLSA 1.0: Securing The Code You Import & Build
Supply-chain Levels for Software Artifacts (SLSA) is an emerging Secure Software Development Framework (SSDF). Learn why you should care, how to comply, and try an SLSA level 3 build.
Let’s discuss your Software Supply Chain Security
Talk to our Security experts about how to get compliant with EOM 14028 and SLSA 1.0