At the recent KubeCon + CloudNativeCon North America event, the focus shifted towards enhancing cloud-native software supply chain security within existing workflows. This shift was prompted by the SolarWinds breach in 2020, where malicious actors exploited a software delivery pipeline to compromise widely used IT monitoring software. Despite the emergence of tools like software bills of materials (SBOMs), container image scanning, and code signing over the past few years, the market for software supply chain security remains fragmented and immature, lacking established best practices and standardized toolsets.
According to Katie Norton, an analyst at IDC, there is still a general lack of understanding and recognition of the software supply chain as a holistic system that encompasses the entire software production process. The industry’s focus has gradually shifted towards open source security and SBOMs, with increasing acknowledgment of CI/CD pipeline security as a core element of supply chain security.
At the event, engineers from Yelp Inc. shared insights on how they adapted vulnerability management practices to enhance the security of container images on their internal development platform. Recognizing containers as a common attack surface, the team developed a rubric to evaluate the security posture of individual containers and implemented automated pre-deployment checks to block and remediate containers with security vulnerabilities. The presentation highlighted the complexities involved in applying industry models for container security to specific organizational environments.
Adobe and Autodesk also showcased a reference architecture for securing the software supply chain from start to finish, focusing on the importance of attestation and provenance verification. Projects like in-toto have provided frameworks and mechanisms for attestation throughout the software delivery process, offering a standardized approach to verifying software artifacts.
The interplay and overlap of various upstream tools for software supply chain security were discussed, emphasizing the importance of cryptographic signing and attestation to enhance security. While tools like Witness and Archivista contribute to attestation mechanisms, challenges remain in integrating new data types seamlessly into existing workflows.
Despite initial enthusiasm following the SolarWinds breach, the enterprise market for software supply chain security has yet to coalesce into a cohesive ecosystem. Some vendors are pivoting their focus towards specific areas like container images, while others anticipate consolidation between security vendors and larger compliance and risk management providers. Regulatory compliance continues to be a significant driver for implementing supply chain security practices, with organizations looking to streamline compliance processes and integrate security solutions into their existing workflows.
Overall, while interest in software supply chain security is growing, many organizations are still in the early stages of adoption and implementation. Integrated supply chain capabilities within existing security platforms are becoming increasingly valuable, posing challenges for newer companies seeking to disrupt the market. As the industry continues to evolve, the need for standardized practices and tools to enhance software supply chain security remains a top priority.
Beth Pariseau, a senior news writer for TechTarget Editorial, contributed to this report.
