
Secure Your Software Supply Chain Through Backstage

An internal developer portal can help you consolidate and evolve your security strategy.
Aug 7th, 2023 11:45am by
Image from Alberto Andrei Rosu on Shutterstock.

Software nowadays is rarely written from scratch. According to Forrester, the average software is composed of at least 75% open source code. Additionally, teams rely heavily on third-party code. Thus, the code you put into production comes from different sources and goes through various networks and actors to get there. This is known as the software supply chain.

Software supply chains have gained significant attention after severe attacks over the past few years. In the United States, the federal government has even issued software supply chain guidelines for state contractors.

As the Cloud Native Computing Foundation (CNCF) Security working group states, “Supply chains require more than one linked process, and supply chain security relies on the validation and verification of each process.” Therefore, to adopt security practices in each step of the development life cycle, companies usually adopt a DevSecOps approach.

Automation is a key aspect of securing a supply chain to reduce human error factors and to be able to deal with the sheer number of parameters involved. Thankfully, a wide range of tools can help you automate security checks through your software development life cycle.

However, you often need to integrate more than one tool into your security strategy. That’s when an internal developer portal like Backstage becomes crucial:

  1. You get to integrate a single pane of glass for security tooling in Backstage’s Catalog.
  2. You proactively embed secure supply chain practices into new code through Backstage’s Scaffolder.
  3. And you learn from the evolution of your organization’s security with Backstage’s Tech Insights.

A Single Pane of Glass for All Things Security

According to the CNCF, a crucial step in securing the supply chain is ensuring “that internal, first-party source code repositories … are protected and secured through commit signing, vulnerability scanning, contribution rules, and policy enforcement.” You’ll have to implement these measures across different tools, like GitHub, SonarQube and Snyk.

You can set up your Backstage service view to integrate various tools to get a good overview of what’s going on and dive into details if needed.

Proactive Supply Chain Safeguards

Asking developers to take care of securing their own codebase pushes a larger cognitive load onto them and creates a fragmented security practice across the organization.

Instead, you can offer secure-by-default templates for common service setups. Through Backstage’s Scaffolder, you can help teams ship apps and features with sane defaults and best practices baked in.

Backstage Scaffolder is not limited to providing best practices to new services only. You can offer self-service golden paths to existing projects to adopt your security tooling. For instance, you could define a template that opens a pull request against the dev’s repo for them to adopt Snyk in their Spring Boot app in a few clicks.

Understand Your Overall Security Evolution

When you have ownership sorted through the Catalog and are promoting best practices proactively through the Scaffolder, the next step is to understand your overall software supply chain security tooling.

Roadie’s open source Tech Insights plugin provides a framework to implement checks and scorecards to review security in your Backstage instance. A few enterprise Backstage adopters like HP and Lunar Bank have implemented their own solutions based on this plugin.

However, Backstage’s open source Tech Insights feature requires each team to design its own UI and implement its Data Sources and Checks, on top of managing integrations, security and databases.
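As an added example (not code from the article, Backstage or Roadie), the following standalone TypeScript models the kind of check and scorecard logic a team would have to write on top of the open source Tech Insights plugin, using the CNCF items quoted earlier (commit signing, vulnerability scanning, contribution rules) as checks. It deliberately imports no Backstage packages: the `Entity`, `RepoFacts` and `Check` shapes are simplified assumptions standing in for catalog entities, fact retrievers and checks, the `github.com/project-slug` annotation is the real key the GitHub plugins use, and the entities and facts are constructed sample data. It also shows the failure mode a scorecard must not hide: an entity with no repository annotation, or no facts retrieved, is reported as unscored rather than silently passing.

```typescript
// Added example: a Tech Insights-style supply chain scorecard, standalone.
// Entity/RepoFacts/Check are simplified assumptions, not Backstage's own types.

type Entity = {
  name: string;
  owner: string;
  // Catalog annotations; "github.com/project-slug" is the key the GitHub
  // plugins use to locate the repository behind a component.
  annotations: Record<string, string>;
};

// Facts a fact retriever would gather per repository from GitHub,
// Dependabot/Snyk and CodeQL/SonarQube (constructed sample data below).
type RepoFacts = {
  branchProtectionEnabled: boolean;
  commitSigningRequired: boolean;
  dependencyScanningEnabled: boolean;
  codeScanningEnabled: boolean;
};

type Check = {
  id: string;
  description: string;
  passes: (facts: RepoFacts) => boolean;
};

// Checks derived from the CNCF list: contribution rules, commit signing,
// vulnerability scanning.
const supplyChainChecks: Check[] = [
  { id: 'branch-protection', description: 'Default branch is protected', passes: f => f.branchProtectionEnabled },
  { id: 'commit-signing', description: 'Signed commits are required', passes: f => f.commitSigningRequired },
  { id: 'dependency-scanning', description: 'Dependency vulnerability scanning is enabled', passes: f => f.dependencyScanningEnabled },
  { id: 'code-scanning', description: 'Static code scanning is enabled', passes: f => f.codeScanningEnabled },
];

type Scorecard = {
  entity: string;
  owner: string;
  repo: string | undefined;
  factsAvailable: boolean;
  passed: string[];
  failed: string[];
  score: number; // percentage of checks passed, 0..100
};

function scoreEntity(entity: Entity, factsByRepo: Record<string, RepoFacts>, checks: Check[] = supplyChainChecks): Scorecard {
  const repo = entity.annotations['github.com/project-slug'];
  const facts = repo ? factsByRepo[repo] : undefined;
  if (!facts) {
    // Missing annotation or no retrieved facts: report it explicitly so the
    // entity shows up as unscored instead of disappearing from the overview.
    return { entity: entity.name, owner: entity.owner, repo, factsAvailable: false, passed: [], failed: checks.map(c => c.id), score: 0 };
  }
  const passed = checks.filter(c => c.passes(facts)).map(c => c.id);
  const failed = checks.filter(c => !c.passes(facts)).map(c => c.id);
  const score = Math.round((passed.length / checks.length) * 100);
  return { entity: entity.name, owner: entity.owner, repo, factsAvailable: true, passed, failed, score };
}

// Organization-wide adoption of one check, as a percentage of all entities.
function adoptionRate(cards: Scorecard[], checkId: string): number {
  if (cards.length === 0) return 0;
  const adopters = cards.filter(c => c.passed.includes(checkId)).length;
  return Math.round((adopters / cards.length) * 100);
}

// Constructed sample catalog: two annotated services and one with no repo link.
const sampleEntities: Entity[] = [
  { name: 'payments-api', owner: 'team-payments', annotations: { 'github.com/project-slug': 'example-org/payments-api' } },
  { name: 'checkout-web', owner: 'team-checkout', annotations: { 'github.com/project-slug': 'example-org/checkout-web' } },
  { name: 'legacy-batch', owner: 'team-data', annotations: {} },
];

// Constructed sample facts, as a retriever might have collected them.
const sampleFacts: Record<string, RepoFacts> = {
  'example-org/payments-api': { branchProtectionEnabled: true, commitSigningRequired: true, dependencyScanningEnabled: true, codeScanningEnabled: true },
  'example-org/checkout-web': { branchProtectionEnabled: true, commitSigningRequired: false, dependencyScanningEnabled: true, codeScanningEnabled: false },
};

function buildScorecards(): Scorecard[] {
  return sampleEntities.map(e => scoreEntity(e, sampleFacts));
}

// Stand-alone run: one line per entity, then adoption per check.
const cards = buildScorecards();
for (const c of cards) {
  console.log(`${c.entity} (${c.owner}): ${c.score}%${c.factsAvailable ? '' : ' [no facts]'} failing: ${c.failed.join(', ') || 'none'}`);
}
for (const check of supplyChainChecks) {
  console.log(`${check.id}: ${adoptionRate(cards, check.id)}% adoption`);
}
```

In a real Backstage backend the facts would come from fact retrievers querying GitHub, Snyk or SonarQube, and the per-check results would render in the entity page and in an organization scorecard; the split between retrieving facts and evaluating checks is what lets the same data feed both the single service view and the organization-wide adoption trend.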

The fully fledged version of Tech Insights — available only to Roadie customers — features more than 100 facts that you can check against across dozens of data sources like GitHub, Snyk and PagerDuty.

The financial technology company SumUp is using Roadie Tech Insights to promote and track adoption of supply chain security and code analysis tools like Dependabot, CodeQL and others across all of its production service repositories, according to Martin Froehlich, vice president of engineering.

Consolidate, Drive and Evolve Security

A Backstage-based developer portal can help you consolidate your tools in a centralized place to make it easier for developers and operators to shift security left. You can also drive security initiatives by simplifying the process through software templates. And you can track the evolution of your supply chain security and how practices are being adopted across your organization.

TNS owner Insight Partners is an investor in: Pragma.