Secure Your Software Supply Chain Through Backstage

Software nowadays is rarely written from scratch. According to Forrester, the average piece of software is composed of at least 75% open source code. Additionally, teams rely heavily on third-party code. Thus, the code you put into production comes from different sources and goes through various networks and actors to get there. This is known as the software supply chain.
Software supply chains have gained significant attention after severe attacks over the past few years. In the United States, the federal government has even issued software supply chain guidelines for state contractors.
As the Cloud Native Computing Foundation (CNCF) Security working group states, “Supply chains require more than one linked process, and supply chain security relies on the validation and verification of each process.” Therefore, to adopt security practices in each step of the development life cycle, companies usually adopt a DevSecOps approach.
Automation is a key aspect of securing a supply chain: it reduces human error and makes it possible to deal with the sheer number of parameters involved. Thankfully, a wide range of tools can help you automate security checks through your software development life cycle.
However, you often need to integrate more than one tool into your security strategy. That’s when an internal developer portal like Backstage becomes crucial:
- You get to integrate a single pane of glass for security tooling in Backstage’s Catalog.
- You proactively embed secure supply chain practices into new code through Backstage’s Scaffolder.
- And you learn from the evolution of your organization’s security with Backstage’s Tech Insights.
A Single Pane of Glass for All Things Security
According to the CNCF, a crucial step of securing the supply chain is ensuring “that internal, first-party source code repositories … are protected and secured through commit signing, vulnerability scanning, contribution rules, and policy enforcement.” You’ll have to implement these measures across different tools, like GitHub, SonarQube and Snyk.
You can set up your Backstage service view to integrate various tools to get a good overview of what’s going on and dive into details if needed.
Proactive Supply Chain Safeguards
Asking developers to take care of securing their own codebase pushes a larger cognitive load onto them and creates a fragmented security practice across the organization.
Instead, you can offer secure-by-default templates for common service setups. Through Backstage’s Scaffolder, you can help teams ship apps and features with sane defaults and best practices baked in.
Backstage Scaffolder is not limited to providing best practices to new services only. You can offer self-service golden paths to existing projects to adopt your security tooling. For instance, you could define a template that opens a pull request against the dev’s repo for them to adopt Snyk in their Spring Boot app in a few clicks.
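A sketch of the kind of template described above, added here as an example and not taken from the article, Roadie or the Backstage project. The template name, owner group, branch name and the ./skeleton directory (assumed to contain a ready-made .github/workflows/snyk.yml) are hypothetical.

```yaml
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: adopt-snyk-spring-boot          # hypothetical template name
  title: Add Snyk scanning to a Spring Boot service
  description: Opens a pull request that adds a Snyk CI workflow to an existing repository.
  tags:
    - security
    - snyk
spec:
  owner: group:default/security-team    # hypothetical owning group
  type: security-onboarding             # free-form label chosen for this example
  parameters:
    - title: Target repository
      required:
        - repoUrl
      properties:
        repoUrl:
          title: Repository
          type: string
          ui:field: RepoUrlPicker
          ui:options:
            allowedHosts:
              - github.com              # restrict the picker to the expected SCM host
  steps:
    # fetch:plain copies files verbatim. fetch:template would try to render the
    # GitHub Actions ${{ ... }} expressions inside the workflow file as Scaffolder
    # template variables, so plain copying is the safer choice for CI files.
    - id: fetch
      name: Copy Snyk workflow
      action: fetch:plain
      input:
        url: ./skeleton                 # assumed: holds .github/workflows/snyk.yml
        targetPath: ./snyk-changes
    # The change arrives as a pull request, so the owning team reviews it and
    # branch protection still applies; nothing is pushed to the default branch.
    - id: open-pr
      name: Open pull request
      action: publish:github:pull-request
      input:
        repoUrl: ${{ parameters.repoUrl }}
        branchName: security/adopt-snyk # hypothetical branch name
        title: Add Snyk dependency scanning
        description: Adds a CI workflow that runs Snyk on every pull request.
        sourcePath: ./snyk-changes
  output:
    links:
      - title: Review the pull request
        url: ${{ steps['open-pr'].output.remoteUrl }}
```

The Snyk API token is not part of the template; the workflow in the skeleton is assumed to read it from a CI secret that the repository owners configure separately.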
Understand Your Overall Security Evolution
When you have ownership sorted through the Catalog and are promoting best practices proactively through the Scaffolder, the next step is to understand your overall software supply chain security tooling.
Roadie’s open source Tech Insights plugin provides a framework to implement checks and scorecards to review security in your Backstage instance. A few enterprise Backstage adopters like HP and Lunar Bank have implemented their own solutions based on this plugin.
However, Backstage’s open source Tech Insights feature requires each team to design its own UI and implement its Data Sources and Checks, on top of managing integrations, security and databases.
The fully fledged version of Tech Insights — available only to Roadie customers — features more than 100 facts that you can check against across dozens of data sources like GitHub, Snyk and PagerDuty.
The financial technology company SumUp is using Roadie Tech Insights to promote and track adoption of supply chain security and code analysis tools like Dependabot, CodeQL and others across all of its production service repositories, according to Martin Froehlich, vice president of engineering.
Consolidate, Drive and Evolve Security
A Backstage-based developer portal can help you consolidate your tools in a centralized place to make it easier for developers and operators to shift security left. You can also drive security initiatives by simplifying the process through software templates. And you can track the evolution of your supply chain security and how practices are being adopted across your organization.