Developer workflow for software supply-chain security is in high demand
2022-04-26 13:00

Today we're seeing another massive security challenge ahead for developers, where nothing is easy or automatic: software supply-chain security.

Lorenc met Chainguard co-founder Kim Lewandowski at Google, and they have both been approaching the software supply chain security problem through a series of open source projects that they co-created and co-maintain.

"The software development and deployment supply chain is quite complicated, with numerous threats along the source-build-publish workflow," said Lewandowski, in a blog post describing the general lack of a toolchain for developers locking down software artifacts.

Supply Chain Levels for Software Artifacts (SLSA), Sigstore, Tekton and their other open-source projects each address a layer of an ultimate vision of zero-trust software supply chain security, where every artifact can be verifiably traced back to the source code it was built from, the hardware it was built on, and who built it.

"Software supply chain security is pretty unique," Lorenc said.

"You've got a whole lot of different types of attacks that can target a whole lot of different points in the software life cycle. You can't just take one piece of security software, turn it on and get protected from everything. I think we're going to see a pattern of a bunch of different open source frameworks like SLSA and SSDF being leveraged together to keep evolving how we lock down software supply chain security."

