The production of software using people, processes, and tools has become an essential aspect of almost every industry. To ensure continuous development and delivery, organizations adopt an organizational framework called a “software factory” that employs an assembly-line process prioritizing speed, predictability, and quality to attain optimal results. The software factory plays a critical role in the industrialization of development by preventing vulnerabilities from being introduced and minimizing the likelihood of attacks.
In recent times, ingenious attacks have been observed, such as injecting malware into widely used packages published on registries like npm, automated exploitation of open-source vulnerabilities like Log4j, taking advantage of weak access controls, and tricking developers through practices like typosquatting into downloading malicious code.
Software supply chain security is the process of identifying and mitigating risks in the various technologies and processes used in software development, including open-source dependencies, build tools, package managers, and testing tools. Both software supply chain security frameworks, SLSA (Supply Chain Levels for Software Artifacts) and the CIS “Software Supply Chain Security” guidance, aim to increase trust between end users and producers by incorporating security into the entire software development process: reducing vulnerabilities, protecting the process, and creating inherently secure software.
Both frameworks provide two important aspects:
- production phases/areas, and
- production controls.
The phases/areas commonly ensure:
- Source code integrity (SAST/DAST, SCA, SBOM, dependency management, license identification, vulnerability reporting, code quality reporting, community health reporting)
- Build integrity
- Delivery integrity
- Deployment integrity
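To make the source-code-integrity controls above (dependency management in particular) and the typosquatting risk mentioned earlier concrete from the consumer's side, here is an added example written for this page; it is not code from SLSA or the CIS guidance. It reads a lockfile in the syntax pip uses with `--require-hashes`, reports requirements that are not pinned to an exact version or carry no hash, verifies downloaded artifacts against the pinned SHA-256 digests, and flags requested names that are near-miss lookalikes of an approved package list. The lockfile, artifact bytes, approved list and the lookalike name `reqeusts` are all constructed for the example and make no claim about any real package; the digests pinned in the lockfile are simply the SHA-256 of the constructed artifact bytes.

```python
"""Dependency-integrity checks over a hash-pinned lockfile (hypothetical helper code)."""
from __future__ import annotations

import difflib
import hashlib
import re
from dataclasses import dataclass, field

# Constructed lockfile in `pip install --require-hashes` syntax.
# The two digests are sha256(b"hello world") and sha256(b""), i.e. the
# constructed artifact bytes below, not real PyPI releases.
LOCKFILE = """\
# constructed sample, not a real lockfile
requests==2.31.0 --hash=sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
urllib3>=1.26
reqeusts==2.31.0 --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

# Constructed "downloaded artifact" contents, keyed by package name.
ARTIFACTS: dict[str, bytes] = {
    "requests": b"hello world",
    "reqeusts": b"",
    "urllib3": b"anything",
}

# Constructed allowlist of packages the organization has approved.
APPROVED = ["requests", "urllib3", "certifi"]

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s\\]+))?")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


@dataclass
class Requirement:
    name: str
    version: str | None   # None when the line is not pinned with ==
    sha256: str | None    # None when no --hash is given


@dataclass
class Report:
    unpinned: list[str] = field(default_factory=list)
    missing_hash: list[str] = field(default_factory=list)
    hash_mismatch: list[str] = field(default_factory=list)
    lookalike: list[tuple[str, str]] = field(default_factory=list)

    def ok(self) -> bool:
        return not (self.unpinned or self.missing_hash or self.hash_mismatch or self.lookalike)


def parse_lockfile(text: str) -> list[Requirement]:
    """Parse requirement lines; comments and blank lines are ignored."""
    reqs: list[Requirement] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        h = HASH_RE.search(line)
        reqs.append(Requirement(m.group(1).lower(), m.group(3), h.group(1).lower() if h else None))
    return reqs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_lookalike(name: str, approved: list[str], cutoff: float = 0.8) -> str | None:
    """Return the approved name this one closely resembles but is not, else None."""
    if name in approved:
        return None
    best = difflib.get_close_matches(name, approved, n=1, cutoff=cutoff)
    return best[0] if best else None


def check(lock_text: str, artifacts: dict[str, bytes], approved: list[str]) -> Report:
    """Apply the pinning, hash and lookalike checks to every requirement."""
    rep = Report()
    for r in parse_lockfile(lock_text):
        if r.version is None:
            rep.unpinned.append(r.name)
        if r.sha256 is None:
            rep.missing_hash.append(r.name)
        # A missing artifact cannot be verified, so it is treated as a mismatch.
        elif r.name not in artifacts or sha256_hex(artifacts[r.name]) != r.sha256:
            rep.hash_mismatch.append(r.name)
        like = find_lookalike(r.name, approved)
        if like is not None:
            rep.lookalike.append((r.name, like))
    return rep


if __name__ == "__main__":
    report = check(LOCKFILE, ARTIFACTS, APPROVED)
    print("unpinned:", report.unpinned)
    print("missing hash:", report.missing_hash)
    print("hash mismatch:", report.hash_mismatch)
    print("lookalike of approved package:", report.lookalike)
    print("lockfile acceptable:", report.ok())
```

On the constructed input the report lists `urllib3` as unpinned and without a hash and flags `reqeusts` as a lookalike of `requests`; tampering with the `requests` artifact bytes turns up as a hash mismatch. The similarity cutoff is a tunable assumption: a looser cutoff catches more lookalikes at the cost of more false positives against a large allowlist, so in practice such a check complements, rather than replaces, a curated internal registry.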