We can all agree today that we really need to know what's what with our software supply chains. If you don't know why, I recommend looking up the SolarWinds security fiasco and the ongoing Log4Shell dumpster fire. But what is in a good, secure software supply chain anyway? The cloud native security company Aqua Security joined forces with the Center for Internet Security (CIS) to create the first formal software supply chain security guidelines: the CIS Software Supply Chain Security Guide.
The guidelines cover the security basics for five software supply chain categories: source code, build pipelines, dependencies, artifacts, and deployment. For example, your public repositories must have a SECURITY.md file, all code changes must be tracked by a version control system, and third-party libraries must be verified. These are general best practices that also underpin key emerging security standards such as Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF). Altogether there are over 100 security recommendations.
Besides the two authoring organizations, the guide was reviewed by security experts from Axonius, PayPal, CyberArk, Red Hat and other leading technology companies. This is not a static document: its creators are looking for feedback to ensure it remains accurate and relevant.
The long-term plan, according to CIS development team manager Phil White, is to “build a vibrant community interested in developing the platform-specific benchmark guidance to come.”
But let's say you take these guidelines seriously and incorporate them into your development process. How do you tell whether your project actually makes the grade? With Aqua Security's Chain-Bench, an open source tool for auditing your software supply chain against the guidelines.
Licensed under the Apache 2.0 License, Chain-Bench runs as a command-line tool or within a Docker container. It implements the CIS Software Supply Chain Benchmark as far as it currently can: the implemented checks are listed under AVD – Software Supply Chain CIS – 1.0, and at this point only a handful of the guidelines are covered. Still, that listing is updated every night from the chain-bench metadata.json files, and the hope is that coverage will soon be more comprehensive.
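To make concrete what an audit of the controls named earlier looks like, here is an added example in Go (Chain-Bench's own language), written for this page and not taken from Chain-Bench or the CIS guide. It checks a local checkout for the three requirements the article lists: a SECURITY.md, a version-controlled tree, and verified third-party dependencies. The check IDs, the reading of "verified" as "a lockfile whose entries carry content hashes", and the manifest/lockfile pairs are my own assumptions, not CIS control numbers or Chain-Bench logic.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is the result of one benchmark-style control check.
type Finding struct {
	ID     string // hypothetical identifier for this example, not a CIS control number
	Title  string
	Passed bool
	Detail string
}

// checkSecurityPolicy: the repository publishes a non-empty SECURITY.md.
func checkSecurityPolicy(repo string) Finding {
	f := Finding{ID: "SRC-1", Title: "SECURITY.md present"}
	for _, name := range []string{"SECURITY.md", "security.md", ".github/SECURITY.md"} {
		if info, err := os.Stat(filepath.Join(repo, name)); err == nil && !info.IsDir() && info.Size() > 0 {
			f.Passed, f.Detail = true, "found "+name
			return f
		}
	}
	f.Detail = "no non-empty SECURITY.md found"
	return f
}

// checkVersionControl: code changes are tracked by a VCS. A .git directory or a
// .git "gitfile" (used by git worktrees and submodules) both count.
func checkVersionControl(repo string) Finding {
	f := Finding{ID: "SRC-2", Title: "repository is under version control"}
	info, err := os.Stat(filepath.Join(repo, ".git"))
	switch {
	case err != nil:
		f.Detail = ".git not found; changes are not tracked"
	case info.IsDir():
		f.Passed, f.Detail = true, ".git directory present"
	default:
		f.Passed, f.Detail = true, ".git gitfile present (worktree or submodule)"
	}
	return f
}

// lockfiles pairs a dependency manifest with the lockfile that must accompany it
// and a marker proving the lockfile carries verification hashes (assumed set).
var lockfiles = []struct{ manifest, lock, hashMarker string }{
	{"go.mod", "go.sum", " h1:"},
	{"package.json", "package-lock.json", `"integrity":`},
	{"requirements.txt", "requirements.txt", "--hash="},
}

// checkVerifiedDependencies: third-party libraries are verified, read here as
// "every manifest present has a lockfile whose entries carry content hashes".
func checkVerifiedDependencies(repo string) Finding {
	f := Finding{ID: "DEP-1", Title: "dependencies pinned with verification hashes"}
	var problems []string
	manifests := 0
	for _, l := range lockfiles {
		if _, err := os.Stat(filepath.Join(repo, l.manifest)); err != nil {
			continue // this ecosystem is not used by the repo
		}
		manifests++
		if !fileContains(filepath.Join(repo, l.lock), l.hashMarker) {
			problems = append(problems, fmt.Sprintf("%s: no verification hashes in %s", l.manifest, l.lock))
		}
	}
	switch {
	case manifests == 0:
		f.Passed, f.Detail = true, "no known dependency manifest; nothing to verify"
	case len(problems) == 0:
		f.Passed, f.Detail = true, fmt.Sprintf("%d manifest(s) backed by hashed lockfiles", manifests)
	default:
		f.Detail = strings.Join(problems, "; ")
	}
	return f
}

// fileContains reports whether any line of path contains marker; false if unreadable.
func fileContains(path, marker string) bool {
	fh, err := os.Open(path)
	if err != nil {
		return false
	}
	defer fh.Close()
	sc := bufio.NewScanner(fh)
	for sc.Scan() {
		if strings.Contains(sc.Text(), marker) {
			return true
		}
	}
	return false
}

// AuditRepo runs every check against a local checkout and returns the findings.
func AuditRepo(repo string) []Finding {
	return []Finding{checkSecurityPolicy(repo), checkVersionControl(repo), checkVerifiedDependencies(repo)}
}

// Score returns how many findings passed out of the total.
func Score(findings []Finding) (passed, total int) {
	for _, f := range findings {
		if f.Passed {
			passed++
		}
	}
	return passed, len(findings)
}

func main() {
	repo := "."
	if len(os.Args) > 1 {
		repo = os.Args[1]
	}
	findings := AuditRepo(repo)
	for _, f := range findings {
		status := "FAIL"
		if f.Passed {
			status = "PASS"
		}
		fmt.Printf("[%s] %s %s: %s\n", status, f.ID, f.Title, f.Detail)
	}
	p, t := Score(findings)
	fmt.Printf("%d/%d checks passed\n", p, t)
	if p != t {
		os.Exit(1) // non-zero exit so a CI job can gate on the result
	}
}
```

Run it as `go run audit.go /path/to/checkout`; a non-zero exit means at least one control failed, which is the shape a real benchmark tool needs if it is to gate a pipeline rather than just print a report. Note the deliberate "no manifest, nothing to verify" pass on the dependency check: an auditor has to decide whether an absent control is a pass or a finding, and that decision should be explicit rather than an accident of the code.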
The point, said Eylam Milner, Aqua's director of Argon Technology Security, is to “leverage our expertise in software supply chain security to help build critical guidance for one of the industry’s most pressing challenges, as well as a free, accessible tool to help other organizations adhere to it.”
Both the guidelines and the software are very much works in progress. But it’s a good start. With help from others who take securing software supply chains seriously, this could eventually set real standards for open source development security.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker, Aqua Security.