Secure Your Software Supply Chain



Every business building digital products depends on open source software. Those digital products are a web of dependencies and transitive dependencies constantly changing. Evaluating and understanding that change is a monumental task for any organization regardless of its size, and it is no wonder that bad actors are increasingly targeting the open source software supply chain as an avenue to infiltrate networks.

The rise in software supply chain attacks has made software supply chain security a top priority for security leaders and security-focused developers today. Scanning software builds for known vulnerabilities is an absolute must, but as attacks like SolarWinds have shown, it’s no longer enough to simply validate whether a build has a known vulnerability.

Beyond vulnerability scanning, businesses must also be able to assess the overall security score of any given open source project. The factors involved in this assessment may include evaluating the number of active maintainers of the project to ensure the multiple maintainers are working to keep it healthy. A project should be assessed to ensure it is scanning for and fixing security vulnerabilities, using an automated process. Additional checking may include whether releases are being signed and whether the project adheres to best practices like branch protection, requiring code reviews on all pull requests, and requiring that contributors sign commits.

These best practices are not limited to the libraries that businesses pull in, but also to the internal projects businesses produce.

As development teams create new internal projects, businesses must be able to continuously assess their own source control repositories to ensure each project is configured with security best practices.

With businesses adopting automation as the primary method for building and managing cloud environments, those automation projects are just software builds, and they need the same level of security assessment as any other software build. It is imperative that businesses be able to find and fix security misconfigurations in Infrastructure as Code projects that put the business at risk before they are released.

Related Documentation