Building policy-driven and compliant software supply chains
Join Sven Rajala, the international PKI Man of Mystery from Keyfactor, and Miguel Martínez, Co-founder at Chainloop, as they explore the evolving landscape of supply chain security.
The secure software supply chain is advancing quickly, but integrating and actually consuming metadata such as SBOMs and attestations remains a challenge. It is important to use tools that let you build on your existing resources while keeping the trust model straightforward. This simplifies the work of staying secure and compliant in your software delivery pipelines.
Here are the key points discussed in this #KEYMASTER session:
The Shift in Supply Chain Security
- Modern software delivery now involves more stakeholders (compliance and security teams) bringing additional requirements for vulnerability and license management.
- Attestations play a critical role as standardized metadata to ensure software trustworthiness across the supply chain.
The Role of SBOMs
- SBOMs (Software Bill of Materials) provide detailed context about software packages, licenses, and dependencies.
- They are becoming increasingly significant due to regulatory requirements and help with compliance, vulnerability management, and transparency.
Understanding In-toto Attestations
- Attestations are metadata in a standardized format that capture information about individual software development steps, such as unit testing, Git commits, and build processes.
- Tools such as Sigstore Cosign, together with Keyfactor EJBCA and SignServer, cryptographically sign attestations so that consumers can verify their authenticity and integrity.
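To make the two bullets above concrete, here is an added example (not code from the episode, Chainloop, or Keyfactor) of what a signed attestation looks like in practice: an in-toto Statement describing a build step, bound to the SHA-256 digest of the artifact it describes, wrapped in a DSSE envelope and signed with Ed25519 using only the Go standard library. The key pair, artifact bytes, predicate type and predicate contents are all constructed for illustration; a real pipeline would sign with a key held in Cosign, EJBCA or SignServer, and the consumer would also check the predicate type and signing identity against policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// in-toto Statement v1: the subject names the artifact (by digest), the
// predicate carries the step-specific metadata (build, test, SBOM, ...).
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Statement struct {
	Type          string         `json:"_type"`
	Subject       []Subject      `json:"subject"`
	PredicateType string         `json:"predicateType"`
	Predicate     map[string]any `json:"predicate"`
}

// DSSE envelope: payload is base64 of the statement JSON; the signature is
// over the PAE-encoded payload, never over the raw bytes.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

const (
	statementType = "https://in-toto.io/Statement/v1"
	payloadType   = "application/vnd.in-toto+json"
)

// NewSigningKey is a stand-in for a key managed by a signing service (assumption).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildStatement binds predicate metadata to the sha256 digest of an artifact.
func BuildStatement(name string, artifact []byte, predType string, pred map[string]any) Statement {
	sum := sha256.Sum256(artifact)
	return Statement{
		Type:          statementType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: predType,
		Predicate:     pred,
	}
}

// PAE is the DSSE pre-authentication encoding:
// "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
func PAE(pType string, payload []byte) []byte {
	s := "DSSEv1 " + strconv.Itoa(len(pType)) + " " + pType + " " + strconv.Itoa(len(payload)) + " "
	return append([]byte(s), payload...)
}

// Sign serialises the statement and wraps it in a signed DSSE envelope.
func Sign(stmt Statement, priv ed25519.PrivateKey, keyID string) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, PAE(payloadType, body))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify returns the decoded statement only if some signature is valid over
// the exact payload bytes; any change to the payload invalidates it.
func Verify(env Envelope, pub ed25519.PublicKey) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	pae := PAE(env.PayloadType, body)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil || !ed25519.Verify(pub, pae, sig) {
			continue
		}
		var st Statement
		if err := json.Unmarshal(body, &st); err != nil {
			return nil, err
		}
		if st.Type != statementType {
			return nil, errors.New("unexpected statement type")
		}
		return &st, nil
	}
	return nil, errors.New("no valid signature")
}

// SubjectMatches checks that the attestation really describes this artifact:
// a valid signature alone does not tell you which artifact it is about.
func SubjectMatches(st *Statement, artifact []byte) bool {
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := NewSigningKey()
	artifact := []byte("constructed artifact bytes") // stands in for a built package
	st := BuildStatement("app.tar.gz", artifact, "https://example.com/build-step/v1", // assumed predicate type
		map[string]any{"step": "build", "commit": "deadbeef"}) // constructed values
	env, _ := Sign(st, priv, "ci-key-1")
	got, err := Verify(env, pub)
	fmt.Println("verified:", err == nil, "subject matches:", err == nil && SubjectMatches(got, artifact))
}
```

The consumer-side checks are the point: verify the DSSE signature over the PAE bytes, confirm the statement type, and compare the subject digest against the artifact you are about to deploy before trusting anything in the predicate.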
Challenges in Adoption
- While the building blocks like SBOMs and attestations are in place, the challenge lies in effectively consuming and using this data.
- Distribution and integration of metadata remain unsolved areas, though standards like SPDX and CycloneDX are helping progress.
Chainloop's Role
- Chainloop provides an "evidence store," a centralized system for managing, signing, and analyzing metadata for secure software delivery.
- It aims to simplify adoption and standardization while adapting to evolving tools and standards.
- Chainloop and Keyfactor have collaborated to create a PKI attestation and signing solution for the community.