How to Safeguard the Software Supply Chain
Agile development teams may be able to meet software release and update cadences at faster and faster rates — but ultimately, their deployments are only as good as the underlying code. Applications that lack robustness, or that have vulnerabilities discovered only after it’s too late, can defeat the whole purpose of Agile DevOps. The hard truth is that policies and practices must involve testing and monitoring from the outset of code development and extend throughout the entire CI/CD lifecycle.
The theme of this edition of The New Stack Makers podcast recorded live at Palo Alto Networks’ studio in Santa Clara, CA, is how to protect software throughout the entire supply chain. The guests were:
- Dr. Chenxi Wang, a managing general partner for Rain Capital, a keynote speaker and a “Forbes” contributor.
- Rochelle Mattern, a Google Cloud customer engineer at Google.
- Gareth Rushgrove, a director of product management at Snyk.
The New Stack Publisher Alex Williams hosted this episode.
Protecting the software supply chain also largely hinges on the idea of “rugged software.” Indeed, the term has been in use for a while and helps to describe what supply chain software processes should be in the context of CI/CD. In this way, it largely applies to software that “has a particular process that goes into development so that it really could go anywhere and could do anything,” Wang said. “Today, it means a lot of taking on sort of new modern development practices like CI/CD, which all could be roped into the ‘rugged’ umbrella.”
The concept of “rugged software” is “like you can take [software] anywhere, you can beat it up and it keeps running,” Rushgrove said. “And so whether it’s things that are just resilient to the reality of running software… And so the term comes up a lot in operational circles.”
The key is to create software that must be portable in “any type of environment,” Mattern said. “And when I think about that I think about Kubernetes. Kubernetes and containers are one mechanism that folks are going towards to make that happen,” Mattern said. “And the CI/CD process to release container-based software is also evolving. And one of the ways that we at Google Cloud are approaching is trying to shift left and bring security into the CI/CD platform and essentially building security into the release and deployment cycle of Kubernetes-based software. So, essentially like ensuring that each of the checkpoints that you go through as you release your software includes security checks… You can feel comfortable that your software is secure and that it has passed the tracks that your company has agreed are the security standards or the software standards that you have developed.”
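One way to make “each of the checkpoints … includes security checks” concrete is a release gate that walks the pipeline stages in order and fails closed whenever a required check is missing or a scan finding exceeds the severity the team has agreed to tolerate. This is an added example, not code from the podcast or from Google Cloud, Snyk or Rain Capital; the stage names, policy keys and scan-report fields are constructed assumptions, not any vendor’s schema.

```python
"""Release gate: every CI/CD checkpoint must carry its own security evidence.
Stage names, policy keys and finding fields are constructed for this example."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    max_severity: str = "medium"      # highest finding severity still tolerated
    allow_unfixed: bool = False       # tolerate findings that have no fix yet?
    # Checks that must be present AND passing at each stage (assumed names).
    required_checks: dict = field(default_factory=lambda: {
        "build": ("sbom_generated",),
        "test": ("unit_tests",),
        "publish": ("image_scanned", "image_signed"),
    })


@dataclass
class CheckpointResult:
    name: str
    checks: dict = field(default_factory=dict)    # check name -> passed?
    findings: list = field(default_factory=list)  # scanner findings at this stage


def evaluate_pipeline(results, policy):
    """Walk checkpoints in release order; return (approved, failures).
    A stage that never ran, or a required check with no evidence, fails closed."""
    failures = []
    limit = SEVERITY_RANK[policy.max_severity]
    for stage, required in policy.required_checks.items():
        cp = results.get(stage)
        if cp is None:
            failures.append(f"{stage}: checkpoint never ran")
            continue
        for check in required:
            if not cp.checks.get(check, False):
                failures.append(f"{stage}: required check '{check}' missing or failed")
        for f in cp.findings:
            above_limit = SEVERITY_RANK[f["severity"]] > limit
            # An unfixed finding only gets a pass when policy explicitly allows it.
            if above_limit and not (policy.allow_unfixed and not f.get("fixed_in")):
                failures.append(f"{stage}: {f['id']} is {f['severity']} (limit {policy.max_severity})")
    return (not failures, failures)


# Constructed evidence for one release candidate (not real scanner output).
SAMPLE_RUN = {
    "build": CheckpointResult("build", {"sbom_generated": True}),
    "test": CheckpointResult("test", {"unit_tests": True}),
    "publish": CheckpointResult("publish", {"image_scanned": True, "image_signed": False},
                                [{"id": "FINDING-1", "severity": "high", "fixed_in": "1.2.3"},
                                 {"id": "FINDING-2", "severity": "low"}]),
}
```

Run as `evaluate_pipeline(SAMPLE_RUN, Policy())` the gate rejects the candidate for the unsigned image and the high-severity finding; loosening the policy without also signing the image still leaves it rejected.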
For more insight from security thought leaders, Cloud Native Security Live, 2020 Virtual Summit is your opportunity to learn from the experience and expertise of developers, DevOps pros and IT leaders who all have so much at stake in container technologies and DevSecOps. Hosted by Prisma, from Palo Alto Networks, in partnership with The New Stack, you can still virtually attend this event, for a full day of discussions about cloud native security — brought to you online wherever you may be.