Deterministic build and provenance capabilities combined with new book release give security professionals an actionable path to supply chain security
VANCOUVER, BC, June 27, 2023 /PRNewswire/ — In case you missed it, the US Government recently let its own direct consumers of open source off the hook for the first iteration of the Secure Software Development Attestation requirement that is a major part of Executive Order 14028. Announced in May of 2021, Executive Order 14028 called for the provenance of software developed by and sold to the government to be proven and submitted, or to be listed on the producer’s public website.
The Executive Order was announced with the intention of improving the nation’s cybersecurity policies given the astonishing rise in successful cyberattacks, particularly software supply chain attacks, over the last few years. But by exempting directly obtained open source and first party code from the order, the message seemingly being sent by the US government is that the toughest problem they face can wait, despite open source being widely acknowledged as a primary source of cyberthreats.
The open source software revolution transformed the way all organizations develop and deploy software. It enables developers to quickly develop and ship new applications by fast-tracking initial environment setup based on publicly available repositories of frequently used libraries and dependencies. It also created the Software Supply Chain Security (3SC) problem.
The 3SC problem refers to the difficulties that arise when trying to manage the chain of custody across open source software supply chains, especially as open source usage continues to grow and comprise an ever-increasing portion (>80%) of application codebases across industries. With the increasing adoption of open source, lax supply chain security is now an existential threat to development.
“We built ActiveState to tackle the toughest unsolved problem that developers face when trying to securely integrate open source – scaled, repeatable and secure open source dependency management across multiple operating systems and language ecosystems,” said Scott Robertson, CTO of ActiveState. “Our product lets security teams jump from zero visibility to true open source observability while also helping developers escape dependency hell. It’s a win-win for organizations that want to continue pushing the envelope on product innovation while protecting their development team from using vulnerable open source components.”
The 3SC vendor landscape was recently released in IDC’s Market Glance: Software Supply Chain Security, 2Q23 (doc # US50831623, June 2023), in which ActiveState was included in four sub-categories:
- Managed Open Source
- Deterministic/Reproducible Builds
- SCA & SBOM Generation
- Provenance & Signatures
In its book “The Journey to a Secure Software Supply Chain,” ActiveState outlines how any organization can achieve these capabilities and attain SLSA Level 3 compliance in five key stages. Alternatively, organizations can get started right away securing their supply chain by integrating the ActiveState Platform into their software development lifecycle.
Download a free copy of “The Journey to a Secure Software Supply Chain” to get started, or contact us to learn how you can secure your software supply chain in a matter of days.
ActiveState helps developers escape dependency hell and get straight to coding – securely. We’re redefining the way companies ship and manage software built with open source with over 20 years of experience partnering with enterprises developing in Python, Perl, Tcl and Ruby. Learn how to start securely integrating open source dependencies into your build process with a free ActiveState account, or contact us for more information at www.activestate.com.
©2023, ActiveState, Inc. All rights reserved.