Aqua Security and CIS release first formal guidelines for software supply chain security



Today, cloud-native security provider Aqua Security and the Center for Internet Security (CIS) released the first formal guidelines for software supply chain security. The new CIS Software Supply Chain Security Guide gives enterprises more than 100 foundational recommendations for protecting the supply chain against malicious actors.

The new guidelines break the software supply chain into five main areas: Source Code, Build Pipelines, Dependencies, Artifacts and Deployment.

By codifying guidelines for each category, Aqua Security and CIS aim to establish industry-wide best practices and recommendations for mitigating open source software risk, and to align with the Supply-chain Levels for Software Artifacts (SLSA) framework and The Update Framework (TUF).

Aqua Security today also announced the launch of a new open source tool, Chain-Bench, which an enterprise can use to audit its software supply chain against the CIS guidelines.

Bringing supply chain security for all

The release comes as part of a broader movement to secure the open source supply chain, following the disruption caused by Log4Shell (CVE-2021-44228) since its discovery in November last year.

In retrospect, the widespread disruption caused by that single vulnerability brought concerns about the reliability of open source software to the fore.

Research now shows that 95% of IT leaders say Log4Shell was a wake-up call for cloud security, and 87% admit they feel less confident about their cloud security today than they did before the event.

This lack of industry-wide confidence has led organizations, proprietary software vendors and open source projects to collaborate on identifying and mitigating security issues in open source solutions.

The most significant collaboration so far took place at the Open Source Software Security Summit II earlier this year, when the Linux Foundation and the Open Source Security Foundation (OpenSSF) brought together 37 companies to commit to investing in open source supply chain security.

The role of Aqua Security and CIS in the open source security movement

The introduction of the CIS Software Supply Chain Security Guide by CIS and Aqua Security marks a new collaboration in the industry, one that sets out a range of codified standards for managing and auditing the open source tools that enterprises deploy in their environments.

It is important to note that this is not an exclusive partnership: both Aqua Security and CIS intend to work with other organizations on new approaches to reducing security issues in the software supply chain.

“By publishing the CIS Software Supply Chain Security Guide, CIS and Aqua Security hope to build a vibrant community interested in developing upcoming platform-specific benchmark guidance,” said Phil White, benchmarks development team manager at CIS.

“Experts in any field who develop or work with the technology and platforms that make up the software supply chain are encouraged to join in the effort to create additional benchmarks. This expertise will be invaluable in establishing critical best practices for advancing software supply chain security for all,” White said.

Software supply chain security tools

The rise in concerns about open source security has led to a wave of solutions designed to address vulnerabilities in open source technology.

Snyk, for example, provides a developer security platform that can automatically scan open source dependencies, containers and infrastructure as code for vulnerabilities.

Last year, Snyk reportedly raised $530 million and achieved a valuation of $8.5 billion.

Another provider, Sonatype, takes a similar approach with a software supply chain security platform that offers code analysis and automatically identifies risks in open source components, so that organizations can reduce risk across their open source supply chain.

Sonatype announced earlier this year that it had surpassed $100 million in annual recurring revenue.

Legit Security, on the other hand, is helping to secure the supply chain by combining vulnerability scanning with automated SDLC discovery to build a visual inventory of software assets and uncover unknown, misconfigured and vulnerable components across the development pipeline. Earlier this year, Legit Security announced that it had raised $30 million.

