VALENCIA, Spain — Unless you’ve been hiding out under a rock, you know securing the software supply chain has become security’s job number one. From SolarWinds, Codecov, and Kaseya, to name but a few, the last few years were bad ones for software supply chain security. As a result, there have been many documents and frameworks laying out the best practices for securing the supply chain.
There was only one little problem: How do you take all these policy suggestions and turn them into a plan for concrete action. The cloud native security company Jetstack has an answer: The Jetstack software supply chain toolkit.
This web-based interactive program takes the recommendations from the following seminal software supply chain security documents:
- CNCF ‘Software Supply Chain Best Practices’ whitepaper
- The Linux Foundation SLSA (Supply-chain Levels for Software Artifacts)
- NIST Guidance on Executive Order 14028 Improving Software Supply Chain Security
- Venafi blueprint for building secure software development pipelines
And turns them into actionable suggestions.
Specifically, it breaks these down into four key areas: Build pipelines, source code, provenance, and deployment. It then takes these recommendations and adds insights on priority and complexity along with links to the original open source toolsets that can help with that specific recommendation.
Does that sound too simple for you? That this is something you could do yourself? Well, yes you could? But when are you going to do it? Are you security-savvy enough to do it right? Are you sure?
A Range of Controls
As Steve Judd, Jetstack’s senior solutions architect and the toolkit developer said, “Solving these challenges requires going through a whole range of controls that go well beyond a software bill of materials (SBOMs), which is just one of the 54 recommendations.” Jetstack is doing the cloud native community a world of good by offering this service.
As Jetstack CTO and founder, Matt Barker told me at KubeCon Europe, “It lets you take these recommendations and make them actionable. It also prioritizes them by which ones should take the higher priority with the lowest effort to fix.”
“With this,” Barker continued, “you can get started on securing your supply chain. You can get on the ladder. It takes a huge effort to really secure your software supply chain but with this, you can do something today.”
He’s right. You can. And the sooner you get started on it, the better. Just ask Solarwinds if you doubt this.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Kaseya.
CNCF and The Linux Foundation are sponsors of The New Stack.