Software supply chain security gets its first Linux distro, Wolfi

submitted by Style Pass, 2022-09-22 14:00:10

From software signing, to container images, to a new Linux distro, an emerging OSS stack is giving developers guardrails for managing the integrity of build systems and software artifacts.

SolarWinds and Log4j were the five-alarm fires that woke the industry up to the insecurity of our software artifacts and build systems — the so-called “software supply chain security” problem. But it’s been a murky landscape to navigate for the developers and security engineering teams trying to work out the concrete steps needed to lock down their build environments.

The White House’s May 2021 Executive Order on Improving the Nation’s Cybersecurity foretold the arrival of Software Bills of Materials (SBOMs), essentially a list of the ingredients inside a software package, which will underpin the attestation and disclosure processes that must be met for government technology procurement.

Despite all the security vendors’ best efforts to whitewash their products around software supply chain security, it’s still unclear exactly how anyone is supposed to build or maintain these SBOMs. Recent memos out to the heads of federal agencies merely underscore the “importance of secure software development environments” without much useful elaboration on how to get there.
