Software Supply Chain Compliance with Aqua’s Chain-Bench – The New Stack


We can all agree today that we really need to know what's what with our software supply chains. If you don't know why, I recommend looking up the SolarWinds security fiasco and the ongoing Log4Shell dumpster fire. But what makes a good, secure software supply chain anyway? The cloud native security company Aqua Security joined forces with the Center for Internet Security (CIS) to create the first formal software supply chain security guidelines: The CIS Software Supply Chain Security Guide.

The guidelines cover the security basics for five software supply chain categories: source code, build pipelines, dependencies, artifacts, and deployment. For example, your public repositories must have a SECURITY.md file, all code changes must be tracked by a version control system, and third-party libraries must be verified. These recommendations support general best practices that align with key emerging security standards such as Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF). Altogether there are over 100 security recommendations.

Community Effort

Besides the two authoring organizations, the guide was reviewed by security experts from Axonius, PayPal, CyberArk, Red Hat and other leading technology companies. This is not a static document: its creators are looking for feedback to ensure it remains accurate and relevant.

The long-term plan, according to CIS development team manager Phil White, is to “build a vibrant community interested in developing the platform-specific benchmark guidance to come.”

Chain-Bench

But let's say you take these guidelines seriously and incorporate them into your development process. How do you tell if your project actually makes the grade? With Aqua Security's Chain-Bench, an open source tool for auditing your software supply chain to ensure guideline compliance.

Chain-Bench is licensed under the Apache 2.0 License and can be run as a command-line tool or within a Docker container. It implements the CIS Software Supply Chain Benchmark as far as it can. You can find the currently implemented checks under AVD – Software Supply Chain CIS – 1.0. At this point, only a handful of guidelines are checked….
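To make concrete what an audit of this kind checks, here is a small POSIX shell script, written for this article and not taken from Chain-Bench, that tests a local checkout against three of the guide's recommendations mentioned above: the code is under version control, a SECURITY.md policy is published, and third-party dependencies are pinned in a lockfile so they can be verified. The lockfile names are an assumption.

```shell
#!/bin/sh
# Constructed mini-audit modelled on three CIS Software Supply Chain Guide
# recommendations. Each check takes a repository path and exits 0 on pass.

# Source code: are changes tracked by a version control system?
check_vcs() {
    [ -d "$1/.git" ]
}

# Source code: does the repository publish a SECURITY.md disclosure policy?
check_security_md() {
    [ -f "$1/SECURITY.md" ] || [ -f "$1/.github/SECURITY.md" ]
}

# Dependencies: is there a lockfile pinning third-party libraries (with
# integrity hashes) so they can be verified at build time? Names assumed.
check_lockfile() {
    for f in package-lock.json yarn.lock go.sum Cargo.lock poetry.lock; do
        [ -f "$1/$f" ] && return 0
    done
    return 1
}

# Run every check, print PASS/FAIL per item, return the number of failures.
audit_repo() {
    fails=0
    for name in vcs security_md lockfile; do
        if "check_$name" "$1"; then
            echo "PASS $name"
        else
            echo "FAIL $name"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

Run it as `audit_repo /path/to/checkout`; a non-zero exit status gives the number of failed items, which makes it easy to gate a CI job on the result.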

Source…