
Mandating a Zero-Trust Approach for Software Supply Chains
2021-10-13 13:22

The CISO at JupiterOne discusses software bills of materials and the need for a shift in thinking about securing software supply chains.

In the wake of the SolarWinds attack last year, President Biden issued an executive order in May advocating for mandatory software bills of materials, or SBOMs, to increase software transparency and counter supply-chain attacks.

For reference, SBOMs are machine-readable documents that provide a definitive record of the components used to build a software product, including open-source software.

SBOMs provide a stepping stone towards achieving this transparency and allow us to start moving towards a zero-trust approach for software supply chains.
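To make the "machine-readable record" concrete, here is an added example (not code from the article or from JupiterOne) of the minimum a consumer does with an SBOM: parse a CycloneDX-style JSON document, flag components that cannot be unambiguously identified, and cross-check the rest against an advisory list. The SBOM, the component names and the advisory identifier are all constructed for this example; the JSON uses a subset of the real CycloneDX fields.

```python
"""Minimal SBOM consumer: parse a CycloneDX-style JSON document, check that
every component is identifiable, and cross-check it against an advisory list.
Added example; the SBOM and advisory entries below are constructed."""
import json

# Constructed CycloneDX-style SBOM (subset of the real schema). The third
# component deliberately lacks a version, a common defect in hand-written SBOMs.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "purl": "pkg:npm/example-http@2.3.1"},
    {"type": "library", "name": "example-yaml", "version": "0.9.0",
     "purl": "pkg:npm/example-yaml@0.9.0"},
    {"type": "library", "name": "example-logger"}
  ]
}"""

# Constructed advisory feed: (name, affected version) -> hypothetical advisory id.
ADVISORIES = {
    ("example-yaml", "0.9.0"): "EXAMPLE-ADV-0001",
}

# Fields without which a component cannot be matched against any advisory.
REQUIRED_FIELDS = ("type", "name", "version")


def parse_sbom(text):
    """Parse the document and reject anything that does not claim to be CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def validate_components(doc):
    """Return (index, missing_field) pairs for components that are not
    unambiguously identified. A component with no version is invisible to
    vulnerability matching, which is exactly the gap an SBOM exists to close."""
    problems = []
    for i, comp in enumerate(doc.get("components", [])):
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                problems.append((i, field))
    return problems


def match_advisories(doc, advisories=ADVISORIES):
    """Return (name, version, advisory_id) for every component on the advisory list."""
    hits = []
    for comp in doc.get("components", []):
        key = (comp.get("name"), comp.get("version"))
        if key in advisories:
            hits.append((key[0], key[1], advisories[key]))
    return hits


def review(text, advisories=ADVISORIES):
    """One-shot review: structural problems plus advisory matches."""
    doc = parse_sbom(text)
    return {
        "problems": validate_components(doc),
        "hits": match_advisories(doc, advisories),
    }


if __name__ == "__main__":
    print(review(SAMPLE_SBOM))
```

The two outputs map onto the two reasons an SBOM matters: `problems` shows where the vendor's record is too vague to act on, and `hits` shows what a defender can do the moment a record is precise enough to match. In practice the advisory dictionary would be replaced by a feed keyed on package URLs and version ranges, but the shape of the check is the same.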

Regardless of whether or not they are willing to actually show me the SBOM, simply knowing that they can easily produce an SBOM gives me confidence that their software development practices are modern or mature enough to counter a wide range of common issues related to vulnerable or poorly maintained software.

For this reason, I am encouraged by Google's proposed Supply-Chain Levels for Software Artifacts framework that moves us towards a common language that increases the transparency and integrity of our software supply chain.


News URL

https://threatpost.com/mandate-zero-trust-software-supply-chains/175333/