As shown by the recent number of high profile outages - Log4j or Solarwinds anyone? - every link in a software supply chain matters.
This online assessment toolkit is our attempt to give organisations the insights and advice they need to understand where the vulnerabilities in their chains exist and how to fix them. The toolkit consolidates the recommendations and guidance from several existing frameworks and whitepapers - including SLSA and the CNCF - and is presented in a form that offers clarity in an increasingly complex problem space.
Broken down into four key areas (Build Pipelines, Source Code, Provenance and Deployment), the toolkit grades potential action points based on their priority and complexity.
Securing the automated processes and tooling that you use to build and package your software components.
Ensuring the authenticity and integrity of the software code used within your applications.
Publishing the steps taken to build your software components.
Enabling consumers of your software to verify its integrity before deployment and usage.
An interactive guide on how to secure your third-party software
1. Select one of coloured circles listed on the toolkit (we recommend starting with high priority, low complexity items).
2. Read through the recommendation written on the card.
3. Open useful links in a new tab if you’d like to explore the topic in further detail.
4. Close the card or select a new circle to explore a new action point.
Recommendations are based on our own experiences and the existing work of the above.
Whilst the radar serves as an excellent starting point for someone who wants to secure their software supply chain - this is by no means an exhaustive list. The world of software supply chains is only just getting started. And whilst we will be making every effort we can to update and maintain the radar on a regular basis - this is a rapidly evolving problem area.
We thought long and hard as to how we can make the information contained within the radar not only actionable, but user friendly and palatable at the same time (kudos to the engineer who finally told us to check out the Thoughtworks Technology Radar). That said, there are still 52 potential action points for a person to work through.
As big exponents of open source, we’d love nothing more than for this page to serve as the strategic guidance people need to independently push through their own software supply chain projects.
However, if you’d like to work with the brains behind the radar (and the people who brought you the hugely popular cert-manager project), well, that’s where our super smart Field Engineers and Solution Architects come in.
We’d be more than happy to come into your organisation and tailor the recommendations described above to better reflect where you are on your own journey to secure third-party software.
As we work with more and more organisations on this topic, we hope to improve our own understanding and maturity around the topic. Insights we hope to be able to share through later editions of the supply chain radar.
If you’re interested in working with Jetstack and would like to book a software supply chain assessment with our team, please complete the form at the bottom of the page.
To book a software supply chain security assessment - or to ask us a question - simply complete the form on this page so a member of my team can reach out and talk about next steps.
Please add any specific questions you might have in the comments box so we can direct your query to the most qualified member of the team.
We look forward to speaking with you soon.
Enquire about SubscriptionContact us