Recently, there has been a lot of attention to software supply chain security. In particular, here is a quote from the May 2021 presidential executive order On improving the country’s cyber security: “The federal government must … move towards an architecture of distrust; accelerate the movement to secure cloud services, including … platform as a service (PaaS).“
There are two essential parts to creating a truly reliable software supply chain; Securing the non-technical fields and securing the technical fields.
The non-technical aspects of a secure software supply chain include having people or teams focused on security and compliance review. internal company policiesSystems that act as a regulatory system and set standards for developers are essential, as are efforts to enforce compliance with security best practices. While this can bode well for large organizations, small software engineering teams and startups don’t have bandwidth, budget or culture to make that a reality.
Imagine robust security best practices
Open-source and strictly controlled tools that enable safe construction and deployment automation are the components that make up the technical aspects of the solution. Engineering teams must find a A way to visualize strong security best practices and find a way to implement them without undue impact on the developer’s workflow. This is the founding principle of DevSecOps Efforts within the larger community of software development professionals.