VALENCIA, Spain — It was a busy Kubecon Europe for improving software supply chain security. That’s a darn good thing because Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. To which I can only say: Optimists! Fortunately, security companies such as Codenotary are taking steps to protect the supply chain.
In its latest move, Codenotary has added a free background vulnerability scanning service to its free and open source Community Attestation Service (CAS), a code signing and attestation service for open source supply chains. The new service identifies artifacts by their cryptographic hashes rather than by name or version, and checks those hashes against known security vulnerabilities. If a scan finds a match, it alerts you to the affected package, and CAS can then be used to “untrust” the problematic artifact so that downstream checks reject it. The vulnerability data behind the scans is continuously updated, which helps you stay ahead of would-be attackers.
In other words, Dennis Zimmer, Codenotary co-founder and CTO, said, “Users of open source software — and that is pretty much everyone — have a free and easy way to ensure the security of their software supply chain which addresses a big and growing problem.”
All this rests on the foundation of the open source immutable database immudb. This is a ledger database built on an append-only data store: existing entries are never overwritten or deleted, only new ones added. Like a blockchain, it carries built-in cryptographic proof and verification for every entry, but it doesn’t organize entries as chains of blocks. And, like a time-series database, it tracks changes in data by time-stamping all entries. It can operate as a key-value store, as a relational (SQL) database, or both. Because each entry can be cryptographically verified, it is well suited to recording and checking the origin of software code.
With this, developers can also attach a Software Bill of Materials (SBOM) to their development artifacts. Those artifacts can include source code, builds, repositories, and more, as well as Docker and Kubernetes container images.
What that means for you is that the scanning service’s own record of known problems is tamper-evident: an attacker cannot quietly alter or delete an entry without the change being detectable during verification. Immudb is also as quick as a flash. Moshe Bar, co-founder and CEO, claims that it can handle up to 10 million transactions per second. Now, with the release of immudb 1.3, Bar says it has 40% higher performance. In short, no matter how many projects and bugs you must track, the scanning service can keep up with your workflow.
With 1.3 you can also query a key’s history at the key-value level through value revisions: every write to a key becomes a new numbered revision, and earlier revisions remain readable. So, for example, if you use it for storing data about your project, it’s easy to retrieve historical values for a key, such as its first value (revision 1) or any other earlier value (e.g. revision 4).
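To make the three ideas above concrete (identifying artifacts by hash and marking them untrusted, an append-only store whose entries carry cryptographic proof, and per-key value revisions), here is a small toy ledger written in Go as an added example for this article. It is not immudb’s or CAS’s own code or API; immudb’s real proof structures are more elaborate, and the Merkle layout, the `trusted`/`untrusted` values, the function names, and the “image” bytes used as an artifact are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one append-only record: the key (an artifact digest), the trust
// state written for it, and the revision number of that key at write time.
type Entry struct {
	Key      string
	Value    string
	Revision int
}

// Ledger is a toy append-only key-value log committed to by a Merkle root.
// Writes never overwrite; each write to a key becomes that key's next revision.
type Ledger struct {
	entries []Entry
	leaves  [][32]byte
	revs    map[string]int
}

func NewLedger() *Ledger { return &Ledger{revs: map[string]int{}} }

func leafHash(e Entry) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s", e.Revision, e.Key, e.Value)))
}

func hashPair(a, b [32]byte) [32]byte {
	return sha256.Sum256(append(append(make([]byte, 0, 64), a[:]...), b[:]...))
}

// Set appends a new revision of key and returns the entry's index in the log.
func (l *Ledger) Set(key, value string) int {
	l.revs[key]++
	e := Entry{Key: key, Value: value, Revision: l.revs[key]}
	l.entries = append(l.entries, e)
	l.leaves = append(l.leaves, leafHash(e))
	return len(l.entries) - 1
}

// At returns the stored entry at a log index.
func (l *Ledger) At(idx int) Entry { return l.entries[idx] }

// GetAt returns the value a key held at a given revision; history is never lost.
func (l *Ledger) GetAt(key string, rev int) (string, bool) {
	for _, e := range l.entries {
		if e.Key == key && e.Revision == rev {
			return e.Value, true
		}
	}
	return "", false
}

// Get returns the latest revision of a key.
func (l *Ledger) Get(key string) (string, bool) { return l.GetAt(key, l.revs[key]) }

// nextLevel hashes nodes pairwise, duplicating the last node when the count is odd.
func nextLevel(nodes [][32]byte) [][32]byte {
	if len(nodes)%2 == 1 {
		nodes = append(nodes, nodes[len(nodes)-1])
	}
	next := make([][32]byte, 0, len(nodes)/2)
	for i := 0; i < len(nodes); i += 2 {
		next = append(next, hashPair(nodes[i], nodes[i+1]))
	}
	return next
}

// Root is the Merkle root over all entries; it changes if any entry changes.
func (l *Ledger) Root() [32]byte {
	nodes := append([][32]byte(nil), l.leaves...)
	if len(nodes) == 0 {
		return [32]byte{}
	}
	for len(nodes) > 1 {
		nodes = nextLevel(nodes)
	}
	return nodes[0]
}

// Proof returns the sibling hashes from leaf idx up to the root and, per level,
// whether that sibling sits on the left.
func (l *Ledger) Proof(idx int) (path [][32]byte, left []bool) {
	nodes := append([][32]byte(nil), l.leaves...)
	for len(nodes) > 1 {
		if len(nodes)%2 == 1 {
			nodes = append(nodes, nodes[len(nodes)-1])
		}
		sib := idx ^ 1
		path, left = append(path, nodes[sib]), append(left, sib < idx)
		nodes, idx = nextLevel(nodes), idx/2
	}
	return path, left
}

// Verify recomputes the root from an entry and its proof, so a client holding a
// trusted root detects any altered or back-dated entry.
func Verify(e Entry, path [][32]byte, left []bool, root [32]byte) bool {
	h := leafHash(e)
	for i, s := range path {
		if left[i] {
			h = hashPair(s, h)
		} else {
			h = hashPair(h, s)
		}
	}
	return h == root
}

// runScenario attests a constructed "image", later untrusts it after a scan,
// and shows that history survives and that an in-place forgery fails to verify.
func runScenario() (latest, first string, proofOK, forgedOK bool) {
	l := NewLedger()
	sum := sha256.Sum256([]byte("constructed-example-image-layer")) // not a real image
	digest := hex.EncodeToString(sum[:])
	l.Set(digest, "trusted")          // initial attestation: revision 1
	l.Set("other-digest", "trusted")  // an unrelated artifact
	idx := l.Set(digest, "untrusted") // background scan flagged it: revision 2
	latest, _ = l.Get(digest)
	first, _ = l.GetAt(digest, 1)
	path, left := l.Proof(idx)
	proofOK = Verify(l.At(idx), path, left, l.Root())
	forged := l.At(idx)
	forged.Value = "trusted" // an attacker tries to re-trust the artifact in place
	forgedOK = Verify(forged, path, left, l.Root())
	return
}

func main() {
	latest, first, proofOK, forgedOK := runScenario()
	fmt.Println("latest:", latest, "revision 1:", first, "proof:", proofOK, "forged:", forgedOK)
}
```

The point to take away is the split of responsibilities: the lookup is keyed by the artifact’s digest, so renaming a tag does not evade it; the “untrust” decision is a new revision rather than an edit, so the original attestation stays auditable; and the root hash is what a client pins, so any later rewrite of a record is caught by `Verify` rather than trusted on faith.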
If this database itself sounds like something you can use for your own projects, for the first time Codenotary is offering support plans. These are:
- Community: The free support plan that offers community members notifications of new releases and features.
- Project: At $3,000 a year, project subscribers are promised 12-hour response times and 5-day resolutions. They are also offered two hours of setup and training credits, as well as one hour of development support.
- Business: At $16,000 a year, business subscribers are promised eight-hour response times and three-day resolutions. They are also offered 12 hours of setup and training credits, as well as eight hours of development support. The business plan also includes managed services: training, development, configuration, monitoring, and daily SBOM reference of the runtime.
So whether you simply want to add this new, fast, tamper-evident scanner to your development pipeline or use its underlying database for other projects, Codenotary’s services and open source projects both deserve your attention.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.