Software Attestations

Validate the Security of Your Software Supply Chain


Secure Supply Chain Best Practices

Software attestations are a key way for you as a software producer to establish trust with your customers by validating the security and integrity of your applications.

Using its secure build service, the ActiveState Platform will generate signed attestations for your application’s open source components, and verify their security and integrity upon installation using the attestation’s metadata.

That way, you can comply with new federal requirements and emerging industry best practices, and use security as a key differentiator.

US Government Requires Attestations

Beginning in June 2023, any software that touches US Government data in any way must comply with a number of secure supply chain requirements, including providing a software attestation that includes:

  • The software vendor’s name
  • A description of the product or products the statement refers to
  • A statement attesting that the software vendor follows secure development practices

The attestations generated by the ActiveState Platform conform to these US Government requirements. And since public sector requirements are often quickly adopted by commercial sectors, they will soon be key to acceptance by other industries, as well.


Secure Software Development

Starting in 2023, U.S. agencies will only be able to use software that meets the National Institute of Standards and Technology (NIST) guidance for secure software development practices. Developing software securely involves a number of best practices, extending from application architecture and design, through software threat modeling, to secure software build and delivery. Key requirements include that software vendors provide Supply Chain Levels for Software Artifacts (SLSA) components, including:

The ActiveState Platform delivers all of these components out of the box in a single solution that fits the way you develop your software.

Attestations for Open Source Binaries

The security risk posed by the software supply chain has grown exponentially over the past few years, primarily due to bad actors creating open source software exploits. The problem lies in the fact that open source repositories provide no guarantees about the security and integrity of the components they offer. To solve this problem, the ActiveState Platform automatically builds all open source binaries from source code and provides an attestation for each.
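The two halves of this workflow, a producer signing a statement about each built binary and an installer refusing anything that is not pinned by a validly signed statement, look roughly like the following. This is an added illustration, not ActiveState Platform code; it assumes an Ed25519 producer key, an in-toto-style Statement envelope and a constructed artifact name and byte string:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)
// Statement follows the in-toto Statement layout SLSA provenance uses: the signed subject names each artifact and its digest.
type Statement struct {
	Type    string    `json:"_type"`
	Subject []Subject `json:"subject"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}
// Attest (build side): record the artifact's SHA-256 in a statement and sign the serialized statement with the producer key.
func Attest(name string, artifact []byte, key ed25519.PrivateKey) (payload, sig []byte, err error) {
	st := Statement{
		Type:    "https://in-toto.io/Statement/v0.1",
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(artifact)}}},
	}
	if payload, err = json.Marshal(st); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(key, payload), nil
}
// Verify (install side): accept only if the signature is from the trusted producer key and the statement names this artifact's digest.
func Verify(payload, sig []byte, name string, artifact []byte, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("attestation signature invalid")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return err
	}
	for _, s := range st.Subject {
		if s.Name == name && s.Digest["sha256"] == sha256Hex(artifact) {
			return nil // digest pinned by a validly signed statement
		}
	}
	return errors.New("artifact digest not covered by attestation")
}
```

A modified binary, a statement signed by an unknown key, or a statement for a different component all fail the install-time check, which is what makes the attestation's metadata usable as an integrity gate.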


Next Steps

Learn more about how the ActiveState Platform can help you generate attestations to help prove the security of your supply chain.