Improve Your Software Supply Chain Security
Increase the security and integrity of your Python, Perl, Ruby and Tcl software supply chain.
Your open source supply chain is bigger than you think. In modern applications, 80% or more of the code typically comes from open source dependencies, but importing, building and consuming open source can expose you to undue risk across your software development lifecycle unless you’ve implemented strict security and integrity controls to reduce your software supply chain risks.
Want to see how the ActiveState Platform can improve your existing security and integrity controls with its Software Composition Analysis (SCA) capabilities?
Open Source Software Security
Secure the open source dependencies from which your software is built, with security practices like:
- A complete Software Bill of Materials (SBOM) that includes transitive, shared and OS dependencies – you can’t secure what you don’t know.
- Vulnerability remediation functionality that allows you to identify and remediate vulnerabilities faster.
Under the May 2021 US Executive Order on Improving the Nation's Cybersecurity (EO 14028), these capabilities are expected to become National Institute of Standards and Technology (NIST) requirements for providers selling into federal agencies by October 2022.
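The SBOM point above is easiest to see with the dependency graph in hand. The following is an added example, not ActiveState's code or its SBOM format: starting from an application's direct requirements, it walks the graph breadth-first, records which packages pull in each transitive dependency, flags shared dependencies (one fix covers several paths) and packages whose metadata could not be read (the "what you don't know"), and emits a CycloneDX-style document with a dependency graph. The package names, versions and Requires-Dist lists are constructed for illustration; in a real environment they would come from `importlib.metadata` or the resolved lockfile.

```python
"""Enumerate transitive and shared dependencies and emit a CycloneDX-style SBOM.

Added example, not ActiveState's code. All package metadata below is
constructed; read it from importlib.metadata or a lockfile in practice.
"""
import json
from collections import deque

APPLICATION = "my-service"  # hypothetical application name

# Constructed: direct requirements declared by the application.
DIRECT_REQUIREMENTS = ["requests", "flask"]

# Constructed: Requires-Dist of each package in the resolved environment.
# "certifi" deliberately has no entry, standing in for a package whose
# metadata could not be read, so its own dependencies cannot be followed.
PACKAGE_REQUIRES = {
    "requests": ["urllib3", "idna", "charset-normalizer", "certifi"],
    "flask": ["werkzeug", "jinja2", "click", "itsdangerous"],
    "jinja2": ["markupsafe"],
    "werkzeug": ["markupsafe"],
    "urllib3": [],
    "idna": [],
    "charset-normalizer": [],
    "click": [],
    "itsdangerous": [],
    "markupsafe": [],
}

# Constructed versions for the purl identifiers; not release numbers to rely on.
PACKAGE_VERSIONS = {
    "requests": "2.31.0", "flask": "3.0.0", "urllib3": "2.1.0", "idna": "3.6",
    "charset-normalizer": "3.3.2", "werkzeug": "3.0.1", "jinja2": "3.1.2",
    "click": "8.1.7", "itsdangerous": "2.1.2", "markupsafe": "2.1.3",
}


def resolve_dependents(direct, requires):
    """Walk the dependency graph breadth-first from the direct requirements.

    Returns (dependents, unknown): `dependents` maps every reachable package to
    the set of packages that require it (the application itself counts as a
    dependent of its direct requirements); `unknown` lists packages that were
    required but have no metadata, so the inventory below them is incomplete.
    """
    dependents = {pkg: {APPLICATION} for pkg in direct}
    unknown = set()
    seen = set()
    queue = deque(direct)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        if pkg not in requires:
            unknown.add(pkg)
            continue
        for dep in requires[pkg]:
            dependents.setdefault(dep, set()).add(pkg)
            queue.append(dep)
    return dependents, sorted(unknown)


def shared_dependencies(dependents):
    """Packages required by more than one dependent: patching them fixes several paths."""
    return sorted(pkg for pkg, who in dependents.items() if len(who) > 1)


def purl(pkg, versions):
    """Package URL for a PyPI component; 'unknown' marks a version we could not read."""
    return f"pkg:pypi/{pkg}@{versions.get(pkg, 'unknown')}"


def build_sbom(direct, requires, versions):
    """Produce a CycloneDX-style document: components plus the dependency graph."""
    dependents, unknown = resolve_dependents(direct, requires)
    components = [
        {"type": "library", "name": pkg, "version": versions.get(pkg, "unknown"),
         "purl": purl(pkg, versions)}
        for pkg in sorted(dependents)
    ]
    dependencies = [
        {"ref": purl(pkg, versions),
         "dependsOn": [purl(d, versions) for d in requires.get(pkg, [])]}
        for pkg in sorted(dependents)
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"type": "application", "name": APPLICATION}},
        "components": components,
        "dependencies": dependencies,
        # Not a CycloneDX field: added so gaps in the inventory are visible.
        "x-unknown-metadata": unknown,
    }


if __name__ == "__main__":
    deps, unknown = resolve_dependents(DIRECT_REQUIREMENTS, PACKAGE_REQUIRES)
    print(f"{len(deps)} packages reachable from {len(DIRECT_REQUIREMENTS)} direct requirements")
    print("shared:", shared_dependencies(deps), "no metadata:", unknown)
    print(json.dumps(build_sbom(DIRECT_REQUIREMENTS, PACKAGE_REQUIRES, PACKAGE_VERSIONS), indent=2))
```

Two direct requirements expand to eleven components here, and `markupsafe` is reached through both `jinja2` and `werkzeug`; an SBOM that stops at direct requirements would miss nine of them. The unknown-metadata list is the part to act on: a component whose dependencies cannot be enumerated is a blind spot, not a clean result.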
Supply Chain Integrity
Ensure the provenance (i.e., the source) of all open source software with security measures like:
- Attestations, which validate the source of every component used to build an artifact and record the checksums of all components consumed and artifacts produced. On installation, the signatures of all components and artifacts are verified to ensure none of them has been tampered with.
- A secure build service that incorporates Supply-chain Levels for Software Artifacts (SLSA) level 3 features, including scripted, ephemeral, isolated and hermetic build environments, so that every component is built from source in a verifiable, reproducible way and can be traced back to the open source ecosystem it originated from.
Provenance helps guard against the introduction of malware or malicious code during the build workflow, which can plant an attack vector or backdoor in your codebase or web application. Attacks on development and build environments are quickly emerging as a key software supply chain attack vector, because every downstream customer who deploys your patches, updates or upgrades becomes vulnerable (as happened with the SolarWinds Orion compromise, where the attackers tampered with the build process rather than the source repository).
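The attestation and provenance points above come down to one check at install time: every component consumed and every artifact produced must match the digest the build recorded, and the record itself must be authentic. The following is an added example, not ActiveState's attestation format or code. It models a simplified in-toto-style statement (`subject` for artifacts produced, `materials` for components consumed, each with a SHA-256 digest). Real attestations are signed asymmetrically (for example a DSSE envelope signed with Ed25519 or ECDSA, or via Sigstore); to stay standard-library only, this example binds the statement with an HMAC under a constructed key, which stands in for that signature check. The predicate type URL, file names and file contents are constructed.

```python
"""Verify a build attestation's recorded digests before installing an artifact.

Added example, not ActiveState's code. The HMAC binding is a stand-in for a
real asymmetric signature; the files and key below are constructed.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: stands in for the build service's key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_attestation(materials: dict, subjects: dict, key: bytes) -> dict:
    """Record digests of consumed materials and produced subjects, then bind the statement."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://example.invalid/build-provenance/v1",  # hypothetical predicate type
        "subject": [{"name": n, "digest": {"sha256": sha256_hex(b)}} for n, b in sorted(subjects.items())],
        "predicate": {
            "materials": [{"name": n, "digest": {"sha256": sha256_hex(b)}} for n, b in sorted(materials.items())],
        },
    }
    # Canonical serialization so the bound bytes are unambiguous.
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload.decode(), "signature": hmac.new(key, payload, "sha256").hexdigest()}


def verify_attestation(envelope: dict, key: bytes, files: dict) -> list:
    """Return a list of problems; an empty list means everything checks out.

    The binding is verified first: a statement that was not issued under the
    expected key is rejected outright, because none of its digests can be trusted.
    """
    payload = envelope["payload"].encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope.get("signature", "")):
        return ["attestation signature invalid; refusing to read its contents"]
    statement = json.loads(payload)
    entries = statement["subject"] + statement["predicate"]["materials"]
    problems = []
    for entry in entries:
        name = entry["name"]
        if name not in files:
            problems.append(f"{name}: listed in attestation but not present")
        elif not hmac.compare_digest(sha256_hex(files[name]), entry["digest"]["sha256"]):
            problems.append(f"{name}: sha256 does not match attestation")
    # Anything on disk that the attestation does not vouch for is also a finding.
    for name in sorted(set(files) - {e["name"] for e in entries}):
        problems.append(f"{name}: present but not covered by attestation")
    return problems


# Constructed build: two source components consumed, one wheel produced.
MATERIALS = {
    "requests-2.31.0.tar.gz": b"constructed sdist bytes for requests",
    "urllib3-2.1.0.tar.gz": b"constructed sdist bytes for urllib3",
}
SUBJECTS = {"requests-2.31.0-py3-none-any.whl": b"constructed wheel bytes"}
ATTESTATION = make_attestation(MATERIALS, SUBJECTS, SIGNING_KEY)


def check_clean():
    """Untouched inputs and output: no problems."""
    return verify_attestation(ATTESTATION, SIGNING_KEY, {**MATERIALS, **SUBJECTS})


def check_tampered_wheel():
    """The produced wheel was swapped after the build: digest mismatch on the subject."""
    files = {**MATERIALS, **SUBJECTS, "requests-2.31.0-py3-none-any.whl": b"constructed wheel bytes + backdoor"}
    return verify_attestation(ATTESTATION, SIGNING_KEY, files)


def check_forged_attestation():
    """An attacker re-issues an attestation for the backdoored wheel under their own key."""
    backdoored = {"requests-2.31.0-py3-none-any.whl": b"constructed wheel bytes + backdoor"}
    forged = make_attestation(MATERIALS, backdoored, b"attacker-key")
    return verify_attestation(forged, SIGNING_KEY, {**MATERIALS, **backdoored})


if __name__ == "__main__":
    for name, fn in [("clean", check_clean), ("tampered", check_tampered_wheel), ("forged", check_forged_attestation)]:
        print(f"{name}: {fn() or 'OK'}")
```

The ordering matters: checking digests before the signature would let an attacker who can replace both the artifact and the attestation pass every digest comparison, which is exactly the build-tampering case provenance is meant to catch. Substituting a real signature scheme for the HMAC changes only `make_attestation` and the first check in `verify_attestation`.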
Implement software supply chain security from end to end. The ActiveState Platform is built to handle the unique needs of your organization, making it easy to secure and de-risk your use of Python, Perl, Ruby and Tcl.
Create secure Python, Perl, Ruby and Tcl open source project runtimes for your development, CI/CD pipeline and production environments that contain just the dependencies needed to develop, test, and run your applications. Implement secure software development practices that align with DevSecOps initiatives, including setting permissions for sharing your runtime with internal and third-party stakeholders, while shrinking application attack surfaces to improve cybersecurity.
Our catalog of open source components is imported from community sources such as PyPI, CPAN, GitHub and other public repositories. Indemnified components are vetted on import and new versions are refreshed regularly, enabling secure, timely fixes for vulnerabilities while reducing the code-review burden on security teams.
Every package is automatically built from source (including linked C libraries) from our set of known and tracked dependencies, so you get the bits you expect rather than a tampered or substituted binary. Building from a tracked dependency set also means you know exactly which versions you are shipping when a vulnerability such as Log4Shell (the 2021 Log4j flaw) is disclosed. The result is a much more secure software supply chain.
Reduce your security tooling footprint by implementing a single solution (the ActiveState Platform) that provides SaaS analysis tools, APIs and developer tools across the "import, build and consume" process for all languages, starting with Python, Perl, Ruby and Tcl. Unlike the typical DevOps approach of using one package manager per language, the ActiveState Platform provides a single, universal package management solution, dramatically decreasing maintenance and training overhead.
CVE (Common Vulnerabilities and Exposures) Remediation
Find, fix and automatically rebuild vulnerable Python, Perl, Ruby and Tcl environments with secure components from the ActiveState Platform catalog, reducing Mean Time To Resolution (MTTR). Automate remediation.
Get an email assessment whenever a Python, Ruby or Perl dependency in your custom distributions is found to have a vulnerability, speeding time to remediation.
97% Of Fortune 1000 Companies Rely On ActiveState To Save Time, Reduce Risk And Get To Market Faster.
Additional features our enterprise customers benefit from:
Managed CVE Scanning
We run security scans on your Python, Perl, Ruby and Tcl language environments, vet them, notify you of vulnerabilities and supply chain threats, and provide an emailable report. You can then point-and-click to resolve vulnerabilities, and we'll automatically rebuild your secure custom language distribution, ready to be deployed.
Still running Python 2 or older versions of Perl for your legacy applications? We offer the maintenance and support you need to resolve security issues, meet compliance requirements, and deliver on your customer obligations. Get support for all the core libraries and third-party packages in your application, including security fixes backported from Python 3.
Managed & Maintained Builds
ActiveState provides timely updates to our ActiveState Python, ActiveState Perl, ActiveState Ruby and ActiveTcl distributions. We can also manage and provide validation for the Perl, Python, Ruby and Tcl runtime environments you create on the ActiveState Platform on your behalf, freeing up your developers to focus on what they do best: coding.
Ready to reduce your open source security risk with the ActiveState Platform?
Please provide your information, and our Sales Team will be in touch shortly. Students and developers can sign up for a free account instead.