ActiveState Delivers the First Open Source Software Development Platform to Include Attestations in its Supply Chain Security Lineup
VANCOUVER, British Columbia – November 10, 2022 – Today, ActiveState announced the availability of attestations for open source software, making it the first open source software platform to deliver this component of software supply chain security. Obtaining a self-attestation for third-party software, together with a software bill of materials (SBOM), is part of guidance from the National Institute of Standards and Technology (NIST) that the White House has directed federal agencies to follow (Office of Management and Budget Memorandum M-22-18, which implements Executive Order 14028). Under that direction, agencies must obtain attestations for critical software that touches government data or systems in any way no later than June 12, 2023, and for all other software no later than September 14, 2023.
ActiveState builds and actively maintains a curated catalog of trusted artifacts that meets the requirements of Supply Chain Levels for Software Artifacts (SLSA) level 4, including an SBOM and attestations, to proactively secure customers’ software supply chains. An attestation is signed metadata that binds an artifact’s digest to claims about how and from what source it was built, so a consumer can verify the artifact’s origin and build process rather than take it on trust. In addition, ActiveState’s secure build service delivers isolated, ephemeral, hermetic and verifiably reproducible builds from source code, so developers do not need to install prebuilt binaries whose provenance they cannot check.
The White House order applies to more than just direct government suppliers. Because it covers software that touches government data or systems in any way, it also reaches those suppliers’ upstream and downstream suppliers, which is the majority of the software development market.
While some very large organizations may already have the systems and processes in place to comply, compliance will be expensive for everybody else, because most organizations do not meticulously track the provenance of the open source they use. This puts them at serious risk of missing the White House compliance deadline. The ActiveState Platform addresses this automatically by building every artifact from source with a cloud-scale vendoring solution, delivering:
- A clear chain of custody and provenance for every artifact
- Attestations for all packages
- An SBOM that lists all software components
- Automated resolution and management of complex open source dependency graphs
As a result, employing ActiveState as a trusted vendor takes the time, hassle, and risk out of using open source, enabling software vendors to secure their supply chain and comply with even the most stringent security requirements.
Loreli Cadapan, Vice President, Product, ActiveState, said: “We believe the White House order signals a larger trend that will soon become industry standard. That’s why today’s announcement is so important. By delivering attestations for all open source packages, ActiveState enables software vendors to verify that their application has been built in a secure manner using an untampered process for producing trusted artifacts and binaries.”
Try the ActiveState Platform by signing up for a free ActiveState account. To reap the benefits of attestations, SBOM and ActiveState’s secure build service, contact us to learn about our Enterprise Tier subscription.
For More Information:
Visit the Attestations web page
Register for the webinar on New and Emerging Requirements for Software Vendors
Read the blog on Secure Software Supply Chain Best Practices
ActiveState has a 20+ year history of providing secure, scalable open source language solutions to more than 2 million developers and 97% of Fortune 1000 enterprises. Enterprises choose ActiveState to support mission-critical systems and speed up software development while enhancing the security and integrity of their open source supply chain. Visit www.activestate.com for more information.