Software supply chain security has always been an issue, but until the SolarWinds software supply chain fiasco most of us weren’t that aware of it. Things have changed, and we now know it’s a big deal. So when Codenotary announced new features in Codenotary Cloud, its end-to-end software supply chain security service, it was worth paying attention.
The service builds on the Codenotary Community Attestation Service, an open source notarization and verification service that works with continuous integration/continuous delivery (CI/CD) pipelines to produce reliable software bills of materials (SBOMs).
In this latest version, Codenotary’s vulnerability scanning is incorporated into the service. You can also integrate Codenotary Cloud with other vulnerability scanners. This enables you to present customers with a secure, tamper-proof software supply chain for your SBOMs. Other Codenotary Cloud trust enhancements enable programs covered by its protection to be used more easily in DevOps and Kubernetes deployments.
This tamper-proof SBOM covers development artifacts: source code, builds, repositories, Docker container images and more. Each artifact is given a cryptographically strong identity that is stored inside immudb, the open source immutable database, and those identities can be verified at a rate of millions of checks per second.
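To make the mechanism above concrete, here is an added example of the pattern the article describes: an artifact’s identity is its cryptographic digest, each notarization is appended to a hash-chained ledger that cannot be silently rewritten, and verification is a lookup of the digest plus an integrity check of the chain. This is illustrative code written for this article, not Codenotary’s or immudb’s implementation; the ledger layout, the `trusted`/`untrusted` status vocabulary and the constructed artifact bytes are assumptions.

```python
"""Hash-based artifact identity with an append-only, hash-chained ledger.

Added illustration, not Codenotary or immudb code. Assumptions: SHA-256 as the
identity function, a JSON-serialized entry layout, and the status values
"trusted" / "untrusted" / "unknown".
"""
import hashlib
import json
from dataclasses import dataclass


def artifact_id(data: bytes) -> str:
    """An artifact's identity is the SHA-256 digest of its bytes (assumption)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    index: int
    prev_hash: str   # hash of the previous entry, or GENESIS for the first
    artifact: str    # hex digest of the artifact being notarized
    name: str        # human-readable label, e.g. "app:1.0" (assumed format)
    status: str      # "trusted" or "untrusted" (assumed vocabulary)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Hash over every field except entry_hash itself, so any edit is visible."""
        payload = json.dumps(
            [self.index, self.prev_hash, self.artifact, self.name, self.status],
            separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


class Ledger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []  # list of Entry, append-only by construction

    def notarize(self, data: bytes, name: str, status: str = "trusted") -> Entry:
        """Append a new notarization; later entries for the same digest supersede earlier ones."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = Entry(len(self.entries), prev, artifact_id(data), name, status)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry still hashes correctly and links to its predecessor."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if (entry.index != i
                    or entry.prev_hash != prev
                    or entry.compute_hash() != entry.entry_hash):
                return False
            prev = entry.entry_hash
        return True

    def authenticate(self, data: bytes) -> str:
        """Latest recorded status for this exact artifact, or "unknown" if never notarized."""
        if not self.verify_chain():
            raise ValueError("ledger integrity check failed")
        digest = artifact_id(data)
        status = "unknown"
        for entry in self.entries:       # walk in order so the newest decision wins
            if entry.artifact == digest:
                status = entry.status
        return status


def demo() -> dict:
    """Walk through the lifecycle on constructed artifact bytes (sample input, not real builds)."""
    ledger = Ledger()
    build = b"constructed build artifact v1"          # constructed sample
    ledger.notarize(build, "app:1.0")
    results = {
        "original": ledger.authenticate(build),        # "trusted"
        "tampered": ledger.authenticate(build + b"x"),  # "unknown": a single changed byte is a new identity
    }
    # A vulnerability scan later flags the build; a new entry revokes trust without rewriting history.
    ledger.notarize(build, "app:1.0", "untrusted")
    results["after_revocation"] = ledger.authenticate(build)  # "untrusted"
    results["chain_ok"] = ledger.verify_chain()                # True
    # Someone edits a stored entry in place: the chain no longer verifies.
    ledger.entries[1].status = "trusted"
    results["chain_after_edit"] = ledger.verify_chain()        # False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks a practitioner cares about are separate here on purpose: `authenticate` answers "is this exact artifact still trusted?", and `verify_chain` answers "has the record itself been altered?". An immutable database such as immudb is what makes the second answer hold up against someone with write access to the store; this toy chain only shows the shape of that guarantee.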
Lower Cost, Greater Compliance
Codenotary claims that the new Codenotary Cloud reduces the cost of quickly identifying and removing unwanted artifacts by up to 80%. The company also states that it can satisfy the needs of businesses that must comply with the U.S. Executive Order on Improving the Nation’s Cybersecurity.
“Our cloud service delivers simplicity combined with the industry’s most sophisticated capabilities for assuring a secure software supply chain,” said Moshe Bar, Codenotary co-founder and CEO. “It is immutable and tamper-proof, providing users with full trust in the essential software they rely on to run their businesses. That is not trivial in today’s world where software supply chain attacks like log4j and SolarWinds have had far-reaching consequences.”
Codenotary Cloud can be integrated with many popular CI/CD systems. The DevOps attestation service runs on any cloud or host, either as a managed service or self-hosted by the customer. Pricing starts at $5,500 for a workgroup of 10 developers.
Is it worth checking out to see if it would work for you? I certainly think so. Securing code and knowing exactly what is in a program through a trustworthy SBOM is no longer just a nice feature but a security essential for today’s IT users.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.
Featured image via Pixabay.