Aqua Security and CIS release first formal guidelines for software supply chain security
Today, cloud-native security provider Aqua Security and the Center for Internet Security (CIS) released the first-ever formal guidelines for software supply chain security. The new CIS Software Supply Chain Security Guide provides organizations with over 100 essential recommendations for protecting the supply chain from threat actors.
The guide divides the software supply chain into five key areas: Source Code, Build Pipelines, Dependencies, Artifacts and Deployment.
By codifying recommendations for each of these areas, Aqua Security and CIS aim to establish industry-wide best practices that mitigate open source software risk and complement emerging standards such as Supply-Chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF).
Aqua Security also announced today the launch of Chain-Bench, a new open source tool that lets organizations audit their software supply chain against the recommendations in the CIS guide.
Supply chain security for all
The release is part of a broader movement to secure the open source supply chain in the wake of the disruption caused by Log4Shell (CVE-2021-44228) since its discovery last November.
In retrospect, the breadth of exposure caused by that single vulnerability brought concerns about the reliability of open source software to the fore.
Now, research shows that 95% of IT leaders say Log4Shell was a cloud security wake-up call, and 87% admit they have less confidence in their cloud security today than they did before the incident.
This industry-wide lack of trust has prompted companies, proprietary software vendors, and open source projects to work together to identify and mitigate the security issues in open source solutions.
One of the most notable collaborations in the industry occurred earlier this year at the Open Source Software Security Summit II, when the Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together 37 companies to invest in supply chain security implementations.
The role of Aqua Security and CIS in the open source security movement
The release of the CIS Software Supply Chain Security Guide by CIS and Aqua Security marks a new industry collaboration to establish a codified set of standards for managing and auditing all open source tools that organizations deploy in their environments.
It’s important to note that this isn’t an isolated partnership either, as Aqua Security and CIS are both looking for other organizations to work with to discover new approaches to mitigating security issues in the software supply chain.
“By publishing the CIS Software Supply Chain Security Guide, CIS and Aqua Security hope to build a vibrant community interested in developing the platform-specific benchmark guides,” said Phil White, Benchmark Development Team Manager for CIS.
“All subject matter experts who develop or work with the technologies and platforms that make up the software supply chain are encouraged to participate in efforts to build additional benchmarks. This expertise will be valuable in establishing critical best practices to improve software supply chain security for all,” said White.
Security tools for the software supply chain
Increasing concern about open source security has led to a wave of solutions being developed to address vulnerabilities in open source technologies.
For example, Snyk provides a security platform for developers that can automatically scan for vulnerabilities in code, open source dependencies, containers, and infrastructure as code.
Last year, Snyk reportedly raised $530 million and reached a valuation of $8.5 billion.
Another vendor taking a similar approach is Sonatype, whose software supply chain security platform provides code analysis and automatically identifies risky open source components so organizations can remediate them before they reach production.
Earlier this year, Sonatype announced that it had generated $100 million in annual recurring revenue.
Legit Security, meanwhile, takes an inventory-first approach: it automatically discovers the systems that make up an organization's SDLC and builds a visual map of software assets in order to surface unknown, misconfigured and vulnerable components of the development pipeline. Earlier this year, Legit Security announced it had raised $30 million in funding.