Software Supply Chain Security Deep-Dive (Part 1)
The fastest-growing category of App & Cloud Security. This deep-dive piece explains the buzz around the sector and shines a spotlight on some new vendors.
In my last post, we talked about the cloud and application security ecosystem. I shared the six major market categories within this rapidly evolving cloud ecosystem. Today, I’d like to focus on the newest and fastest-growing category among those six areas. In less than four years, Software Supply Chain Security (SSCS) has quickly emerged as the buzziest sector within AppSec. The hype was at its peak last year but has gradually faded recently. Hence, this is a good time to focus on this topic.
I’ve done extensive research into this market. Last year, I co-wrote a deep dive into the software supply chain in collaboration with Clint Gibler at tldrsec. We wrote an SSCS part 1 and SSCS part 2 series, but I never got to share this knowledge with my readers.
Today, I’ll focus on SSCS, the latest developments since that last report, and, more importantly, some of the less-hyped frameworks and overlooked vendors within this market, over a two-part series.
I wrote this report in collaboration with my co-author Nipun Gupta, who is currently Head of Product at AI security company Mindgard and was formerly COO at the AppSec company Bearer. He is the author of the Future of Cyber blog and has worked as a security practitioner and builder for over 15 years. Follow him on X @nipungupta or LinkedIn at Nipun Gupta.
Today’s Actionable Takeaway
Although the hype may have faded externally, SSCS continues to be one of the most important and pressing topics among software development and AppSec teams. My goal is to help readers understand this category and show why this is going to be a critical industry to watch in cybersecurity.
The challenge is that software threats are increasing rapidly. Today, almost 99% of modern codebases globally contain open-source code, and more than 85% of enterprises leverage some form of open-source software. Over 27M developers have leveraged over 37M open-source components and packages. Attacks on the software supply chain can be disastrous, which is why governments around the world have stepped in aggressively with many regulations to enforce supply chain policies. The number of regulations for a new sector like SSCS is unprecedented.
The biggest problem for software teams continues to be gaining full visibility into all the software assets they incorporate from open-source tools throughout the entire software development lifecycle. Many teams are struggling to keep pace with how quickly the sector is moving.
Many startups, and I mean lots, have emerged over the last few months to solve this problem. Our research revealed that over 60 (sixty!) companies have appeared in the software supply chain ecosystem within the last 3 years. Personally, I’ve engaged with over 20 companies over the last 6-7 months. Out of those 20+ companies, there are a few popular and prominent vendors known to everyone (like Chainguard, Legit, Cycode, Apiiro, GitGuardian, ArmorCode, etc.). However, there are young emerging companies that don’t get the same attention but are approaching the SSCS problem from a unique angle. This piece will focus on highlighting some of their capabilities. Those vendors include companies like Kusari and Scribe Security, among a few minor ones.
This SSCS series will be divided into two parts. Part 1 will focus on an introduction to SSCS, its components and important developments. Then we’ll focus on a small number of early and emerging vendors and their critical solutions. These companies are overlooked but are building something interesting. Part 2 will focus on another set of SSCS vendors, with slightly more focus on larger companies within the SSCS category that are differentiating themselves in the market.
Software Supply Chain Market Ecosystem, 2024
This is a full vendor landscape of the software supply chain security market, covering the majority of vendors that I have spoken to. However, my goal is to focus on only a tiny number of vendors that are unique in their approach to the software supply chain.
Basics of Software Supply Chain (SSC)
Let’s set the context and clarify what constitutes software supply chain security and what it isn't. When we refer to SSCS in this piece, we’re not referring to third-party or vendor risk management, hardware-related firmware, or physical supply chain.
SSC is a sub-category of the larger application and cloud security. When we discuss SSC, we’re referring to all the technologies, processes, steps, and components needed to create an application. SSC involves three major components, similar to how one assembles ingredients for a burrito wrap or raw materials for a manufacturing plant.
Components of the software supply chain
Source code (First-party code) constitutes the code used to create applications and all their dependencies. Supply chain security in this area has to do with securing the full assembly of source code, publicly hosted code repositories, open-source dependencies, source code management systems (SCM) and more. Robust solutions here address vulnerabilities in proprietary or open source code, such as insecure coding practices, unpatched vulnerabilities, or malicious code injection.
Build systems are components used to compile and transform source code into deployable forms, typically binaries or executable files. Security solutions here secure build and packaging scripts, containers, the Continuous Integration (CI)/Continuous Delivery (CD) pipeline, and policies for system access, testing, code review, monitoring, feedback, and approval.
Deploy and run systems are components for bundling libraries and dependencies into a deployable format to run software on target systems. We discuss Software Bill of Materials (SBOM), code provenance and signatures, and artifact repositories.
Similar to how a car manufacturer outsources parts to suppliers or offshore teams to accelerate production, software development also involves using external tools from suppliers, namely open-source packages and libraries, to accelerate the software delivery cadence.
Defining Software supply chain attacks
According to the NIST guide, an SSC attack occurs when a malicious party tampers with steps, artifacts, or actors within the chain to compromise the consumers of a software artifact down the line. In an SSC attack, an attacker needs to subvert, remove, or introduce a step within the SSC process to modify the resulting software product. The chart below shows the various areas where an attacker could launch an attack against the supply chain.
Cyber attackers have realized how difficult it is to directly attack a company’s production systems or to create complicated attacks to harm a company. However, they know that if they introduce a bug into an open-source library or component that is heavily utilized by companies around the world, they can easily inflict harm on a large number of targets.
Any compromise in the software supply chain can have far-reaching impacts on affected organizations. Another issue is that most software development teams optimize for better development processes within the organization, which results in ignoring external attack vectors, such as:
Malicious developer or account compromise (first party code)
CI/CD system compromise (first-party code and third-party software)
Malicious package or dependency (third-party code)
Hence, software supply chain solutions have been built to protect core areas across the source, build and package areas.
SSCS Trends & Developments In 2024
Now that we have a foundational understanding of software supply chain security, it’s important to look at some stats from between the end of 2023 and early 2024 on the industry's trends since my last report.
Software supply chain attacks continue to grow: Over 91% of organizations experienced a software supply chain attack over the last year. Over 40% of security incidents involved zero-day exploits on vulnerabilities within third-party code and vulnerability exploits in open-source software and container images. Over 35% involved issues around secrets/tokens/passwords stolen from source code repositories and API data breaches in third-party software and code. Gartner continues to predict that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase from 2021.
Open Source Consumption and Supply Dynamics In 2023: An interesting dynamic is that the number of open-source projects continues to grow faster than the rate at which developers are consuming them. In 2023, the open-source software sector witnessed a notable resurgence in the supply of new projects (specifically, Java, JavaScript, Python, and .NET), with an average growth rate of 29%. In contrast, the rate of open-source software consumption saw a notable deceleration, levelling off down to 33%. This deceleration signifies a shift or a potential saturation in the market's demand for open-source projects. It is also likely due to the awareness of risks, possibly due to challenges in discoverability, project maturity, or the overwhelming nature of too many options.
The Risks of Open-Source Tools Continue: Despite heightened awareness and efforts towards adopting secure coding practices within the open-source software (OSS) community, security risks remain a significant challenge. In 2023, a striking example of these ongoing concerns was that 1 in 8 open-source downloads had known risks, and approximately 245,000 malicious packages (2x previous years) were detected. Many of these malicious packages often mimic legitimate ones or exploit software dependencies, making them hard to detect with traditional security measures. Developers face challenges in managing dependencies, including overwhelming choices and the need for automation to identify and update vulnerable components. In general, these underscore the evolving and expanding landscape of security threats within OSS ecosystems. It also helps explain the rising number of vendors appearing to solve the problem.
Growing Regulatory Focus: There is an increasing emphasis on software supply chain regulations globally. These regulations aim to enforce better security practices but also add to the complexity of compliance for developers and organizations. Below we outline some of the most important compliance and regulatory frameworks that have emerged around software supply chain in recent months.
SSCS Regulatory Frameworks & Best Practices
As mentioned earlier, no cybersecurity sector has seen as many governance regulations rolled out quickly as the software supply chain security category. Increased concern about supply chain security has led to the creation of new industry and government regulations specific to supply chain security.
Here are some of the most common compliance requirements and assessment frameworks requiring SSCS:
United States Executive Order 14028 on Improving the Nation's Cybersecurity: This U.S. executive order, issued in 2021, requires federal agencies and their software providers to enhance software supply chain security practices.
The European Union's Network and Information Security 2 Directive (NIS2 Directive) includes provisions about software components and third-party dependencies within their supply chains.
NIST SP 800-218: Secure Software Development Framework (SSDF): This NIST publication provides guidance for integrating security practices into the software development life cycle, including supply chain risk management.
ISO/IEC 27036: Information technology – Security techniques – Information security for supplier relationships: This standard provides guidelines for managing information security risks related to suppliers and the supply chain.
PCI DSS (Payment Card Industry Data Security Standard): PCI DSS requires organizations handling payment card data to implement secure software development practices, including supply chain risk management.
Quality System Regulation (21 CFR Part 820): This regulation requires medical device manufacturers to establish and maintain procedures for validating the device design, including software and software components from the supply chain. Additionally, the FDA has collaborated with other organizations, such as the National Cybersecurity Center of Excellence (NCCoE), to develop guidance and best practices for securing the software supply chain for the healthcare sector. HIPAA also has a security rule around the supply chain.
GDPR (General Data Protection Regulation): While not explicitly mentioning software supply chain security, GDPR requires appropriate technical and organizational measures to ensure data protection, which can include supply chain security controls.
Cyber Resilience Act (CRA) Frameworks: The European Cyber Resilience Act (CRA) is a regulation proposed by the European Commission to tackle low cybersecurity levels and help consumers identify and choose secure digital products. The CRA requires vulnerability handling, security updates, software bill of materials (SBOMs), and reporting actively exploited vulnerabilities within 24 hours of awareness.
Besides these, provisions in FedRAMP and SOC 2 emphasize the need for organizations to address cybersecurity risks holistically, including those that may arise from software components, third-party dependencies, and vulnerabilities within their software supply chains. In summary, the list of regulations is endless for a sector that only recently emerged.
SSCS Solution & Approaches
Software Composition Analysis (SCA)
Historically, SCA was the primary tool for tackling software supply chain risks. These solutions were exclusively used to check for licenses and software components in open-source solutions. They scan code for open-source components and libraries to identify known vulnerabilities and provide remediation guidance. However, parts of the SCA ecosystem have expanded to include other adjacent areas, such as the following:
Runtime SCA, commonly referred to as dynamic SCA: This uses techniques such as code instrumentation, eBPF, or other methods to observe the application's behavior during runtime. While this approach produces accurate results for executed calls, it carries the risk of false negatives unless every single execution path is tested. Inherently, runtime SCA uncovers risks only after the code has been executed, which often occurs months after the development phase. This delayed risk identification can render the findings ineffective, as addressing the issues at a later stage becomes more difficult and costly.
Reachability analysis: This helps determine which parts of a program's code can actually be executed when the program runs. It involves constructing a control flow graph (CFG) of the program, identifying entry points, traversing the CFG, and analyzing branching conditions to identify reachable and unreachable code sections. This analysis helps identify dead code for optimization, and more importantly, it aids in vulnerability detection by pinpointing code sections that can be reached and potentially exploited. Reachability analysis is often combined with other techniques like data flow analysis, taint analysis, or symbolic execution to provide a comprehensive understanding of the program's behavior and potential vulnerabilities in the context of SCA.
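The reachability idea above, as an added example that is not from the original article or any vendor's product: it uses a function-level call graph (a simplification of a full CFG, with no branch-condition analysis) built with Python's ast module, and reports which advisories affect code reachable from an entry point. The packages yamlish and imgtool, the advisory IDs and the sample source are constructed for illustration.

```python
import ast
from collections import deque

# Constructed sample application; yamlish and imgtool are hypothetical packages.
APP_SOURCE = '''
import yamlish
import imgtool

def main():
    cfg = load_config("app.yml")
    serve(cfg)

def load_config(path):
    return yamlish.safe_parse(open(path).read())

def serve(cfg):
    handle_request(cfg)

def handle_request(cfg):
    return imgtool.resize(cfg)

def legacy_import(path):
    # Never called from any entry point: dead code.
    return yamlish.unsafe_load(open(path).read())
'''

# Constructed advisories: advisory id -> vulnerable symbol in a dependency.
ADVISORIES = {
    "EXAMPLE-0001": "yamlish.unsafe_load",
    "EXAMPLE-0002": "imgtool.resize",
}


def callee_name(call):
    """Resolve a call to 'name' or 'module.attr'; anything dynamic is skipped."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None  # e.g. open(path).read(): receiver is not a plain name


def build_call_graph(source):
    """Map each top-level function to the set of names it calls."""
    graph = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            calls = (n for n in ast.walk(node) if isinstance(n, ast.Call))
            graph[node.name] = {c for c in map(callee_name, calls) if c}
    return graph


def call_path(graph, entry_points, target):
    """Breadth-first search; returns the shortest call chain or None."""
    parent = {entry: None for entry in entry_points}
    queue = deque(entry_points)
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for callee in sorted(graph.get(cur, ())):
            if callee not in parent:
                parent[callee] = cur
                queue.append(callee)
    return None


def triage(source, entry_points, advisories):
    """For each advisory, return the call chain that reaches it, or None."""
    graph = build_call_graph(source)
    return {adv: call_path(graph, entry_points, symbol)
            for adv, symbol in advisories.items()}


if __name__ == "__main__":
    for adv, path in triage(APP_SOURCE, ["main"], ADVISORIES).items():
        print(adv, "reachable via " + " -> ".join(path) if path else "not reachable")
```

Name-based resolution like this misses import aliases, reflection and dynamic dispatch, so an "unreachable" verdict lowers priority but does not prove the vulnerable code can never run.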
Foundational Components For Securing The Software Supply Chain
Software Bill of Materials (SBOM): SBOMs provide a formal, machine-readable inventory of software components, dependencies, and metadata. They enhance transparency and enable better risk management across the supply chain.
Code Signing and Provenance: This involves digitally signing software artifacts and validating their provenance through techniques like SLSA (Supply-chain Levels for Software Artifacts) to ensure integrity and authenticity.
Dependency Management: Automating the tracking, updating, and management of software dependencies to minimize risks from outdated or vulnerable components.
Malware detection and response: Developing incident response plans and conducting regular training to effectively detect, respond to and mitigate supply chain attacks.
There are many other solutions not discussed, but at a high level, these are some of the most foundational parts of security in the software supply chain. No single solution can address all potential risks, so adopting a multi-layered approach that combines these techniques is crucial for robust software supply chain security.
Common SSCS Tools and Frameworks
Let’s discuss some of the most common tools and frameworks used within the industry. While the approaches above require commercial tooling, you may still need to understand how to build and track your progress on software supply chain security risk management and maturity. It is important to highlight the role of the OpenSSF (Open Source Security Foundation), as it is a key contributor to most, if not all, of these projects, and its role is key to securing open source software at scale. These tools and frameworks take established software security practices and structure them in a format that helps you identify the security threats you need to address and the actions to take to mitigate them:
Supply-chain Levels for Software Artifacts (SLSA) is the most popular and useful framework for tracking the maturity and success of your supply chain security program. It contains a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package. There are three levels, and you can find more information here - https://slsa.dev/spec/v1.0/levels.
The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation. You can find the latest on SSDF here - https://csrc.nist.gov/projects/ssdf.
Sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software. Supported by over 20 organizations and 1200 members, sigstore brings constant identity checks and safety protocols for keys and secrets to the open source dependencies. You can access sigstore here - https://www.sigstore.dev.
GUAC (Graph for Understanding Artifact Composition) is an open source tool that helps organizations understand their software supply chains. It is notable that while GUAC isn’t yet recognized in the top 100 projects selected by the maintainers of Open-Source Security Index, it has swiftly gained the mindshare of practitioners and widespread recognition in academia and industry alike. An OpenSSF (Linux Foundation) Incubating Project, GUAC was created in 2022 by Kusari, Google, Purdue University and Citi. Numerous tools exist to aid your software supply chain journey, such as Software Bills of Materials (SBOMs), signed attestations, and others, but they share a common challenge: lack of holistic context. This leaves you questioning how to correlate security among all the software components and where the dependencies reside in the development environment. This is where GUAC comes into play.
GUAC works by ingesting various software composition metadata from sources such as builds and repositories, encompassing SBOMs in both SPDX and CycloneDX formats, SLSA (Supply-chain Levels for Software Artifacts) and in-toto attestations, OSV (Open Source Vulnerability database) information, and more, into a centralized database. It constructs a graph database representing all the components and their relationships. This database can be queried via GraphQL or REST. Obtaining answers to questions like “Where is log4j being used and what projects need to be updated to address a vulnerability?” and “How do I create a patching strategy for cURL zero day?” helps provide a unified view of your software supply chain.
GUAC is complementary to initiatives like SLSA and is especially useful for achieving SLSA Level 3. Beyond the obvious benefits of visualization, GUAC offers a centralized repository for managing software metadata, encompassing SBOMs and SLSA attestations. By adopting GUAC, organizations can fortify their software supply chain management, verify builds to avoid potential compromises, and conduct queries to identify affected artifacts.
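To make the "Where is log4j being used?" question concrete, here is an added example that is not GUAC code and does not use GUAC's API: it merges several CycloneDX dependency graphs into one reverse-dependency index and walks it from the affected package up to the projects that ship it. The project names, the acme-logging package and the SBOM contents are constructed, and each SBOM is trimmed to the fields used here.

```python
import json
from collections import defaultdict, deque

# Constructed package URLs (purls), used as CycloneDX bom-refs in this sample.
LOG4J_OLD = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LOG4J_NEW = "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"
ACME_LOG = "pkg:maven/com.example/acme-logging@1.4.0"
BILLING = "pkg:generic/billing-service@3.2.0"
REPORTS = "pkg:generic/reports-batch@0.9.1"
WEB = "pkg:generic/web-frontend@5.0.0"


def make_sbom(root, edges):
    """Constructed CycloneDX JSON, trimmed to metadata and dependencies."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"bom-ref": root}},
        "dependencies": [{"ref": r, "dependsOn": d} for r, d in edges.items()],
    })


SBOMS = [
    make_sbom(BILLING, {BILLING: [ACME_LOG], ACME_LOG: [LOG4J_OLD]}),
    make_sbom(REPORTS, {REPORTS: [ACME_LOG]}),  # shallow: direct deps only
    make_sbom(WEB, {WEB: [LOG4J_NEW]}),
]


def purl_name_version(purl):
    """Return (name, version) from a purl, ignoring qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    path, _, version = base.partition("@")
    return path.rsplit("/", 1)[-1], version


class SupplyChainGraph:
    def __init__(self):
        self.dependents = defaultdict(set)  # package -> packages that use it
        self.nodes = set()
        self.roots = set()                  # top-level products described by an SBOM

    def ingest(self, sbom_json):
        bom = json.loads(sbom_json)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError("unsupported SBOM format")
        root = bom["metadata"]["component"]["bom-ref"]
        self.roots.add(root)
        self.nodes.add(root)
        for entry in bom.get("dependencies", []):
            self.nodes.add(entry["ref"])
            for dep in entry.get("dependsOn", []):
                self.nodes.add(dep)
                self.dependents[dep].add(entry["ref"])

    def blast_radius(self, name, versions):
        """Map each affected product to one path: product -> ... -> package."""
        hits = {}
        starts = sorted(n for n in self.nodes
                        if purl_name_version(n)[0] == name
                        and purl_name_version(n)[1] in versions)
        for start in starts:
            toward = {start: None}  # node -> next hop toward the affected package
            queue = deque([start])
            while queue:
                cur = queue.popleft()
                if cur in self.roots and cur not in hits:
                    path, hop = [], cur
                    while hop is not None:
                        path.append(hop)
                        hop = toward[hop]
                    hits[cur] = path
                for user in sorted(self.dependents.get(cur, ())):
                    if user not in toward:
                        toward[user] = cur
                        queue.append(user)
        return hits


def build_graph(sboms):
    graph = SupplyChainGraph()
    for doc in sboms:
        graph.ingest(doc)
    return graph


if __name__ == "__main__":
    found = build_graph(SBOMS).blast_radius("log4j-core", {"2.14.1"})
    for product, path in found.items():
        print(product, "<-", " <- ".join(path[1:]))
```

The reports-batch SBOM never mentions log4j, yet the merged graph still flags it, because the billing-service SBOM records that acme-logging pulls in log4j-core 2.14.1. That cross-document correlation is the "holistic context" a single SBOM cannot give.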
Software Supply Chain Vendors:
There are three different categories of vendors in this sector.
The first category consists of the well-established leaders like Veracode, Checkmarx, and Synopsys. I have discussed them briefly in the past and won’t be covering them much.
The second category includes new companies that have become fairly well-known, well-funded (over Series A) and well discussed in the developer community. In my previous SSCS report, I went into depth covering vendors GitLab, GitHub, Jit-io, Legit Security, Arnica, Semgrep and Endor Labs.
The third category, which I will focus on today, leans slightly toward earlier, seed-stage companies. Among these, there are two major groups. Some are building around an open-source framework, and for some vendors, I want to cover a specific capability they offer.
Disclaimers and general observations about the vendors covered: Obviously, some of these vendors offer many more capabilities and solutions, which we invite our readers to read about on their websites. Some of the vendors got to present to the author and some were paid partnerships. However, not all were selected, and the few chosen are the ones the author believes have something unique about their capabilities.
The goal is to provide readers with a learning mechanism and use each vendor to illustrate a few core concepts. The concepts below shed light on vendors in malicious dependencies, real-time malware detection, vendors leveraging Open-Source GUAC Framework In SSCS Artifact data collection, and vendors in orchestration/pipeline posture management.
SSCS Concept: Malware + Malicious Dependencies
Socket
Socket has gained notable traction within this market for its real-time detection of vulnerabilities. Socket approaches the supply chain problem by providing a platform that detects vulnerable packages in real time. It enables developers to understand the nature of the dependencies they are using through Socket dependency search, dependency risk assessment, and content-based analysis for detecting capabilities. Through its native integration with GitHub, Socket can provide developers feedback directly in PR comments about a dependency’s behavior and security risk. These dependency overview comments provide a quick summary of which dependencies were added or updated, what “capabilities” or API usage a dependency has (e.g. accesses the file system, makes network requests, runs shell commands, etc.), and the number of new transitive dependencies. This helps engineering teams understand and make informed decisions about the impact of code changes in their applications.
Xygeni
I recently encountered Xygeni, another vendor that is not prominent. They deliver comprehensive security solutions that safeguard the software supply chain from start to finish, ensuring the integrity of the software ecosystem throughout the Software Development Life Cycle (SDLC). By addressing vulnerabilities such as misconfigurations, malicious components, and insecure integrations, Xygeni reinforces the security of software assets, pipelines, and infrastructure.
Architecture and Integration
Xygeni's architecture is designed for seamless integration within diverse IT environments, including both on-premises systems and public cloud infrastructures. This flexibility enables continuous security monitoring and ensures that Xygeni's protective measures are universally applicable, regardless of the deployment scenario. The platform's REST API facilitates straightforward integration with a wide range of existing tools, services, and platforms, allowing for enhanced security operations without disrupting current workflows.
Scanners: Xygeni's scanners are engineered to detect vulnerabilities with unparalleled accuracy. These tools scrutinize code, dependencies, and infrastructure configurations, identifying risks and ensuring compliance with established security best practices. Xygeni's scanners are particularly effective in identifying complex vulnerabilities, such as those associated with Poisoned Pipeline Execution, thereby significantly reducing the risk of security breaches.
Sensors: Positioned within the network and cloud environments, Xygeni's sensors offer real-time monitoring of the software supply chain. These sensors are instrumental in detecting unauthorized changes and potential vulnerabilities, serving as an early warning system against possible exploits. They are tailored to recognize anomalous behaviors, providing an additional layer of security by identifying and mitigating threats as they arise.
Solutions
SDLC Inventory - Visibility & Control
Central to Xygeni's offerings is its comprehensive visibility across an organization’s software technology stack. The solution automatically maps out and tracks all assets within the SDLC, highlighting their interrelations and monitoring for threats. This capability is crucial for detecting vulnerabilities within package managers, registries, cloud-based Infrastructure as Code (IaC) resources, and across various software assets. By ensuring full transparency, especially regarding newly implemented pipelines and tools, Xygeni enables organizations to maintain a robust security posture throughout the development lifecycle.
Vulnerability Detection
Anomalous Activity: Xygeni excels in the real-time detection of events or sequences of events that might indicate a security threat. By monitoring for unusual activities—such as misconfigurations, pipeline vulnerabilities, or unauthorized access attempts—Xygeni helps preempt attacks. This proactive approach includes the detection of poor practices, incomplete code signatures, risky behavior, and hidden CVEs, providing comprehensive protection against a wide array of security risks.
Malware Detection: Beyond traditional malware detection methods, Xygeni employs advanced analysis techniques to identify malicious behavior within code. This capability allows for the immediate detection of malware, including zero-day threats, within both proprietary code and open-source components. By focusing on behavioral analysis rather than signature matching, Xygeni offers superior protection against emerging and sophisticated cyber threats.
Orchestration Approach
Aiming to act as an SDLC security orchestrator, Xygeni integrates and manages a vast array of security solutions, streamlining security operations and enhancing overall protection. This orchestration capability simplifies the management of security tools and processes, ensuring a cohesive and effective defense strategy across the entire software supply chain.
Differentiators
Comprehensive SDLC Visibility and Control: Xygeni's expansive visibility across the SDLC distinguishes it from competitors, ensuring integrated security throughout the development process.
Real-time Automated Anomaly and Malware Detection: Its focus on real-time, automated detection of anomalies and malware, especially in open-source components, addresses critical security challenges, making it a valuable asset in software security compared to many of its competitors.
To learn more about their products, please visit the Xygeni website.
SSCS Concept: Leveraging Open-Source GUAC Framework In SSCS Artifact Data Collection
Kusari
Kusari focuses on securing the software development lifecycle (SDLC) by providing data-driven transparency, control, and security across the entire enterprise software supply chain. Along with Google, Purdue University and Citi, Kusari’s founding team started the open-source project GUAC. With the rising volumes and complexity of software, relying solely on knowledge of your software dependencies and their versions is insufficient to manage software supply chain risk at scale. GUAC ingests software security metadata, like SBOMs and signed attestations, and decomposes and maps out the relationships between software components so that users can fully understand their software security posture. This enables users to query the SDLC’s security posture and make policy decisions around managing risks. Kusari’s platform will enable developers and security teams to be proactive about securing their dependencies and use contextual insight and direction when an incident does occur, all built on top of GUAC.
Core Capabilities:
The platform Kusari is building sits on GUAC’s REST and GraphQL API interfaces and creates an opinionated view and dashboards on top of the underlying data, using their own data model to make it more accessible and actionable for security teams and developers alike. In summary, GUAC aims to be an open-source supply chain metadata knowledge base, while Kusari adds several capabilities that include a more approachable and polished UX, plus intelligence layered on top that provides:
Software Supply Chain Mapping: Kusari offers the ability to map an organization's entire software supply chain, including all dependencies, third-party components, and open-source libraries used in the software development process. This visibility helps organizations identify potential security risks and vulnerabilities within their software supply chain, such as tracking binaries to secure artifact repositories.
SBOM Management: Kusari provides a centralized platform for managing SBOMs, which are detailed lists of all components, libraries, and dependencies used in a software application. This enables organizations to track and monitor the security posture of their software supply chain more effectively, such as conducting SBOM diffs and detecting missing SBOM or SLSA attestations.
Threat Detection and Response: Kusari integrates with threat intelligence and vulnerability databases to continuously monitor the software supply chain for any new vulnerabilities, licensing issues, security updates, or changes in dependencies. It performs real-time and post-compromise risk assessments along with auditability, such as indicating the blast radius of a bad package or vulnerability, providing information and a patch plan for remediation, and tracking a suspicious event back to when it was introduced.
Differentiators and Unique Value Propositions
With various solutions, such as Software Composition Analysis (SCA) and Application Security Posture Management (ASPM), primarily driving security budgets in the software supply chain security space, what sets Kusari apart is its combination of features and capabilities that cater to comprehensive software supply chain security by bridging the data-to-prioritization-to-action gap for the relevant stakeholder, be it the security team or the DevOps team, specifically around:
Data-driven Software Supply Chain visibility: providing end-to-end visibility into an organization's software supply chain, enabling a holistic approach to security traceability, compliance at scale, and risk management.
Supply Chain Detection and Response: the ability to continuously monitor and track the software supply chain for risks, updates, and changes. Leveraging GUAC’s ability to trace risks back to their source enables proactive risk management and post-compromise incident response.
Automated Policy Enforcement and Governance: allowing organizations to define and enforce security policies and governance rules across their software supply chain. It can automatically detect policy violations and gaps, such as the use of unauthorized or vulnerable components, and take appropriate actions, such as blocking or quarantining the affected software.
Overall, Kusari seeks to enable enterprises to obtain visibility into issues and vulnerabilities earlier in the build cycle and in production, while providing accurate traceability of issues and dependencies to help prioritize remediation.
It seems intuitive that AI can enhance what is possible with GUAC, and companies like Microsoft are already running experiments with the GUAC-AI-MOLE project leveraging LLMs. Beyond basic vulnerability data, there is a lot of value in adding dependency licensing data to understand liability and identify policy gaps. There are possibilities in enabling better auditing and incident management for the supply chain, and finally proactively uncovering insights for SDLC improvement beyond security.
All these initiatives are actively being tracked with one goal in mind - to become the ultimate source of truth and security for software supply chains. To learn how you can secure your software supply chains using approaches like GUAC at scale, please download their e-book and visit Kusari.dev for more information.
SSCS Concept: Orchestration & Pipeline Posture Management
Scribe Security
Scribe Security is a platform that aims to address holistically the security of your software supply chain whether you are a producer of software, a consumer, or both. This includes all aspects of the software bill of materials (SBOM), securing the dev process against attacks, maintaining control of the dev process’s security, facilitating transparency between software producer and consumer, and attesting to the security of product releases for auditing.
To this end, Scribe Security acts as an orchestrator and integrates a technology stack of Software Composition Analysis (SCA), Dev platform telemetry, artifact signing, policy as code, K8s admission control, and Business Intelligence into one.
Scribe Security’s value proposition
The AppSec and DevSecOps solution market comprises various Application Security Testing (AST) scanners, for example SCA, SAST, DAST, IAST, and secrets scanning. In addition, relatively new solutions attempt to manage the Application Security Posture (ASPM); these orchestrate the scanners and aggregate their results in a single place.
Scribe Security contends that while these capabilities are necessary, the supply chain's deeper, more comprehensive security requires a method to continuously attest to every software release’s security and integrity by gathering and signing evidence from every build. This evidence spans the code, artifacts, and dev infrastructure posture. A high degree of integrity is assured by having the evidence cryptographically signed and verified.
To put such evidence to use it is necessary to provide a knowledge layer that connects the data points and a flexible, product composition-aware policy tool.
Beneath the engine bonnet, Scribe utilizes the most up-to-date software supply chain security concepts and specs, which also render the solution formally sound: SLSA, Sigstore, in-toto, and SBOM, to name a few.
The result is a platform that secures the software development lifecycle by preventing attacks and, by setting guardrails around it, protects the product.
Finally, Scribe Security adds strong reporting and analytics that help measure the adoption of the application security controls.
Architecture Overview
Scribe Security’s solution comprises four steps:
Identify all SDLC assets: They scan the organization's source code managers, build systems, container registries, and production clusters, and link the discovered entities into code to production chains.
Evidence: They gather all security evidence of the artifacts as they are built, sign this into attestations, and place it in a secured store. This evidence consists of software bills of materials reflecting the change from one link to another in the supply chain, the output of AST scanners, security configuration of the dev tools, user identities and actions, and context that connects the different pieces from developer to deployment. The result is a tamper-proof audit trail and a verifiable software integrity record. This aspect establishes trust and transparency, ensuring that every link in the software supply chain can be verified for authenticity and compliance.
Knowledge: They transform the collected evidence enriched by intelligence about software vulnerabilities and open source projects, into a knowledge layer accessible through a business intelligence (BI) interface. The process aggregates and analyzes the vast amounts of evidence, organizing it into a coherent inventory of the software portfolio. This facilitates risk analysis, insights, and decision-making.
Action: They gate the software development and deployment process at the end of the build, at deployment, or out-of-band, using flexible policies (managed as code) that are aware of the product composition. The policy evaluation attests to the product’s security and can be useful for transparency with stakeholders and auditors. Finally, you can apply out-of-the-box blueprints for compliance with different frameworks such as SLSA and SSDF.
Core Capabilities:
Sophisticated SDLC agent: this tool natively plugs into multiple types of dev platforms to generate a wide range of evidence types such as source code and container image SBOMs, AST scanners, dev platform configurations, and file and artifact hashes.
Anti-Tampering Code and Artifact Signing and Verification: The evidence is signed by one of a variety of methods such as PKI or Sigstore. Signed evidence and detailed SBOMs help maintain integrity and detect unaccounted-for deviations in build artifacts and configuration. This capability fits well with the defense and banking sectors, which are concerned with sophisticated attacks like those observed in the SolarWinds incident. Through continuous integrity checks, Scribe ensures the authenticity and security of code throughout its lifecycle.
Intelligence enrichment: intelligence from multiple sources about vulnerabilities, exploitability, open source projects' reputation, and available fixes, is gathered continuously and used for risk scoring and triaging the findings.
Strong Reporting: provide continuous compliance reports for standards such as SLSA and SSDF, enabling organizations to meet regulatory requirements effortlessly throughout their CI/CD pipelines.
Policy as Code: by employing a policy-as-code approach, Scribe allows for flexible and robust governance across the software development lifecycle, enabling automatic enforcement of security policies through the same sensors or collectors that gather data.
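The evidence-then-gate flow described in the Architecture Overview and in the signing and policy-as-code capabilities above can be sketched as follows. This is an added example, not Scribe Security's code: HMAC-SHA256 with a constructed key stands in for the PKI or Sigstore signature, the statement only borrows the in-toto Statement layout, and the predicate type, policy fields, and sample SBOM are hypothetical.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stands in for a PKI/Sigstore signing identity

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def attest(artifact: bytes, name: str, sbom: list, key: bytes = KEY) -> dict:
    """Build time: bind evidence (here an SBOM) to the artifact digest and sign it."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": digest(artifact)}}],
        "predicateType": "https://example.invalid/sbom-evidence/v1",  # hypothetical
        "predicate": {"components": sbom},
    }
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

# Policy as code: plain data the gate evaluates, versioned with the pipeline.
POLICY = {"denied_components": {"example-denied-lib"}, "require_pinned_versions": True}

def gate(artifact: bytes, envelope: dict, policy: dict = POLICY, key: bytes = KEY) -> list:
    """Deploy time: return a list of violations; an empty list means admit."""
    expected = hmac.new(key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("sig", "")):
        return ["evidence signature invalid"]  # never evaluate unverified evidence
    stmt = json.loads(envelope["payload"])
    violations = []
    if digest(artifact) not in [s["digest"]["sha256"] for s in stmt["subject"]]:
        violations.append("artifact digest does not match attested subject")
    for c in stmt["predicate"]["components"]:
        if c["name"] in policy["denied_components"]:
            violations.append(f"denied component: {c['name']}")
        if policy["require_pinned_versions"] and not c.get("version"):
            violations.append(f"unpinned component: {c['name']}")
    return violations

# Constructed sample data
BUILD = b"constructed release bytes v1.4.2"
SBOM = [{"name": "requests", "version": "2.31.0"}, {"name": "yaml-utils", "version": ""}]
ENVELOPE = attest(BUILD, "app.tar.gz", SBOM)

if __name__ == "__main__":
    print(gate(BUILD, ENVELOPE))          # policy violation only
    print(gate(BUILD + b"!", ENVELOPE))   # artifact changed after attestation
```

The gate checks the signature before parsing the evidence, so an edited SBOM is rejected outright rather than evaluated against policy.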
Core Concept: Integrating ASOC & Risk Management, Supply Chain Security
ArmorCode
ArmorCode is a comprehensive AppSecOps platform that helps organizations secure their software supply chain and manage vulnerabilities across applications, infrastructure, and the cloud. Unlike most companies in this space, ArmorCode does not build its own scanning tools, and has contributed to community-driven problem solving by supporting enterprise application security teams with the Purple Book Community and the Scalable Software Security Maturity Model (S3M2) framework.
ArmorCode provides a unified view as it ingests and normalizes findings from several security scanners and tools across the software development lifecycle (SDLC), infrastructure, and cloud environments. This gives a consolidated view of an organization's security posture, including vulnerabilities in proprietary code, open source components, and third-party software dependencies. It integrates with software composition analysis (SCA) tools to automatically generate and monitor SBOMs, enabling organizations to manage risks stemming from open source and third-party components. ArmorCode also provides visibility into the security posture of the CI/CD environment and automates security checks and guardrails throughout the software delivery process.
Focusing on enterprise risk management and governance across the software supply chain, ArmorCode correlates security findings with business context and threat intelligence to accurately prioritize risks across the organization. It groups similar findings and applies adaptive risk scoring, enabling teams to focus on the most critical vulnerabilities impacting their software supply chain. Lastly, ArmorCode automates remediation workflows, establishes cross-team service level agreements (SLAs), and tracks SLA compliance, accelerating the vulnerability remediation process.
Key Vendors Worth Watching
Jit.io: Jit.io is an open product security orchestration platform that allows for the integration of multiple security tools to secure various stages of the SDLC. Their platform supports popular open-source tools for SAST, SCA, secret detection, cloud scanning, and DAST. Jit addresses the software supply chain problem through a concept called Jit security plans. This approach takes into consideration the business goals and requirements when securing all aspects of the software supply chain. The company offers security plans that guide users in achieving specific business goals while ensuring certification readiness. These include AWS Foundational Technical Review (FTR), Jit MVS for AppSec, and the OWASP Top 10 compliance framework for applications. Jit can help an engineering team comply with these frameworks from code to cloud.
Unlike solutions like Arnica, Jit allows users to use their own SAST and SCA tools. Jit assists with integrating and orchestrating these tools throughout the development lifecycle. Another unique aspect of Jit is its breadth and openness. Jit collaborates with other SSC and ASPM vendors in an open manner. Users can connect different security tools to the Jit platform, which then orchestrates and executes them primarily within GitHub. Users have the flexibility to add their own security tools by specifying the input, output, and execution methods.
Boost Security: Boost specializes in the orchestration of a variety of scanning tools, both commercial and open-source, tailored to analyze code bases efficiently. This includes the capability for rapid scans within pull request environments, aiming to alert developers and security professionals promptly with actionable insights. A standout feature is its Zero-Touch Provisioning (ZTP) system, designed to integrate tooling without compromising the speed or integrity of build pipelines. Moreover, Boost Security boasts a highly adaptable policy engine, minimizing the impact of false positives and focusing remediation efforts on significant findings. This comprehensive coverage extends across modern development requirements, including Infrastructure as Code (IaC), containerization, Static Application Security Testing (SAST), secret scanning, and Software Composition Analysis (SCA). The platform seamlessly integrates with existing tools (e.g., Sonatype, Checkmarx, Blackduck, Snyk) and utilizes numerous popular open-source tools.
Backslash Security: Backslash assists AppSec teams in reducing unnecessary alerts by replacing outdated tools in the SAST (Static Application Security Testing) and SCA (Software Composition Analysis) space. By uncovering real risks and attack paths through Reachability Analysis, Backslash provides clear and actionable indicators, thereby drastically reducing their application vulnerabilities.
Across these vendor spotlights, the goal was to highlight vendors that are distinct and to spotlight only some of their capabilities. We covered vendors in malicious dependencies and real-time malware detection, vendors leveraging the open-source GUAC framework in SSCS artifact data collection, and vendors in orchestration/pipeline posture management. Obviously, many of these vendors have many more solutions than those highlighted above. Their other capabilities will be showcased in part 2 of the series.
Summary
The report has comprehensively explored the critical area of Software Supply Chain Security (SSCS). It underscores the SSCS market's rapid growth and its paramount importance to software development and AppSec teams. The core of the discussion revolves around managing the software threats exploiting vulnerabilities in widely used libraries, emphasizing the need for enhanced visibility and security in the software supply chain.
The analysis highlights emerging trends, including the nuanced dynamics of open-source project consumption and the persistent security challenges within the OSS community. It also addresses regulatory focus on software supply chain security, the integration of AI in software development, and the notable statistics on the prevalence of software supply chain attacks.
Customers are realizing that the software supply chain has many challenges, from insecure coding practices to compromised third-party dependencies to developer account compromise, and that a multi-faceted approach to SSCS involves automated testing, code signing, and robust monitoring.
The report details solution approaches and frameworks like SLSA and SSDF, alongside innovative tools like GUAC and Sigstore, aimed at bolstering supply chain security practices. It also provides insights into how vendors like Kusari, Xygeni, and Scribe Security are differentiating their offerings to tackle specific SSCS challenges effectively.
In conclusion, we emphasize the urgent need for ongoing innovation, rigorous security measures, and adherence to regulatory standards to mitigate the evolving threats within the software supply chain, highlighting the collaborative effort required across the industry to safeguard software ecosystems.
If you made it this far, thank you for reading and supporting the newsletter!
Where do Notation and Ratify fit into this?