3. Certification and digital signature
Posted: Mon Feb 10, 2025 8:13 am
The end goal is “everything as code,” which also turns out to be a strong defense against ransomware: an organization that can “simply” redeploy from code, rather than depending on restoring backups, is resilient because an attacker who encrypts or destroys its systems has little or no leverage over it.
Today's software supply chain is actually more like a web: developers write their own code, but they also pull it from numerous third-party sources, open source projects, registries, etc. How do they know in a DevSecOps environment that what they're putting into the codebase is safe?
Attestation is critical, and digital signatures are what make it work: a signature binds an artifact's hash to a signer's identity, so a consumer can verify that the artifact is what it claims to be and came from the party it claims to come from. Perhaps more importantly, the signature proves that the artifact has not been altered in any way since it was signed, because any modification changes the hash and the signature no longer verifies.
According to Luke Hinds, a lead security engineer in the Red Hat CTO’s Office, digital signatures are the answer to securing software supply chains. But he’s concerned that the open source environment isn’t conducive to digital signature adoption (due to the added cost and performance hit). So he created a new open source project, sigstore, which currently has over 465 contributors and over 20 participating organizations. It promises to better align open source innovation with digital signature security, including a public transparency log in which signatures are recorded. sigstore is now under the auspices of the Linux Foundation, with support from Google and Red Hat.
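As an added illustration (example code written for this page, not sigstore's or cosign's own implementation; the hash-chain log is a deliberately minimal stand-in for a real transparency log), the following Go program signs an artifact's SHA-256 digest with an ECDSA P-256 key, shows that flipping a single bit of the artifact makes verification fail, and appends the signature to an append-only hash chain whose audit fails if an entry is rewritten after the fact. The artifact bytes are constructed sample input and the key pair is generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Signer holds a P-256 key pair standing in for a release-signing identity.
type Signer struct{ priv *ecdsa.PrivateKey }

func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign hashes the artifact with SHA-256 and signs the digest (ASN.1 DER signature).
func (s *Signer) Sign(artifact []byte) ([]byte, error) {
	d := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, s.priv, d[:])
}

// Verify recomputes the digest and checks the signature under a trusted public
// key; any change to the artifact changes the digest, so the signature fails.
func Verify(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// LogEntry is a minimal transparency-log record: what was signed, by which key
// (hash of its PKIX encoding), and the signature, all public so anyone can audit.
type LogEntry struct{ ArtifactDigest, KeyID, Signature string }

func NewLogEntry(pub *ecdsa.PublicKey, artifact, sig []byte) (LogEntry, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return LogEntry{}, err
	}
	ad, kid := sha256.Sum256(artifact), sha256.Sum256(der)
	return LogEntry{hex.EncodeToString(ad[:]), hex.EncodeToString(kid[:]), hex.EncodeToString(sig)}, nil
}

// Log is an append-only hash chain: each head commits to the previous head and
// the new entry, so rewriting or deleting history changes every later head.
type Log struct {
	Entries []LogEntry
	Heads   []string
}

func (e LogEntry) hashWith(prevHead string) string {
	h := sha256.Sum256([]byte(prevHead + "|" + e.ArtifactDigest + "|" + e.KeyID + "|" + e.Signature))
	return hex.EncodeToString(h[:])
}

func (l *Log) Append(e LogEntry) string {
	prev := ""
	if n := len(l.Heads); n > 0 {
		prev = l.Heads[n-1]
	}
	l.Entries, l.Heads = append(l.Entries, e), append(l.Heads, e.hashWith(prev))
	return l.Heads[len(l.Heads)-1]
}

// Audit replays the chain from the stored entries; false means the log was tampered with.
func (l *Log) Audit() bool {
	prev := ""
	for i, e := range l.Entries {
		if e.hashWith(prev) != l.Heads[i] {
			return false
		}
		prev = l.Heads[i]
	}
	return true
}

func main() {
	s, _ := NewSigner()
	artifact := []byte("constructed sample artifact: contents of app-1.2.3.tar.gz") // constructed input
	sig, _ := s.Sign(artifact)
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // flip one bit
	fmt.Println("original verifies:", Verify(s.Public(), artifact, sig))
	fmt.Println("tampered verifies:", Verify(s.Public(), tampered, sig))
	var lg Log
	e, _ := NewLogEntry(s.Public(), artifact, sig)
	fmt.Println("log head:", lg.Append(e))
	fmt.Println("log audits clean:", lg.Audit())
	lg.Entries[0].Signature = "00" // attacker rewrites history
	fmt.Println("log audits after rewrite:", lg.Audit())
}
```

Run it with `go run`. The two properties the text describes are visible in the output: the original artifact verifies and the one-bit-modified copy does not, and the log audits clean until an entry is rewritten. In practice the verifier must obtain the public key (or, in a keyless flow, the identity bound to it) through a channel the attacker does not control, and the log is operated and mirrored by parties other than the signer; that separation, not the hash chain alone, is what makes the record trustworthy.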
4. Vulnerability/risk assessment
Today, we know a lot more about code than we used to, but simply knowing that the code you use has vulnerabilities is not enough to keep your organization secure. Nor is fixing all vulnerabilities. Why?
First, it’s impossible: as soon as you fix one vulnerability, someone finds another. Second, not all vulnerabilities pose the same risk. Vulnerability scanning today leaves organizations with huge, uncontextualized volumes of findings from scanners and other monitoring systems. Effective vulnerability management adds the missing context (which assets are exposed, whether the vulnerable code is actually reachable, whether an exploit is in active use, what the business impact would be) so the organization can respond strategically instead of chasing every finding. Machine learning will play a role here, but it will never replace the key people in an organization collaborating to categorize and prioritize risk according to requirements and business needs.
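To make the contextual-triage point concrete, here is an added Go example (written for this page, not taken from any scanner or vendor) that re-ranks constructed scanner findings by combining the CVSS base score with context a scanner does not have: whether the flaw is known to be exploited, whether the asset is internet-exposed, whether the vulnerable code is actually reachable, and the asset's business tier. The multipliers, tier weights, bucket thresholds and sample findings are illustrative assumptions for this example, not a standard.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is one scanner result plus the context a scanner alone does not have.
type Finding struct {
	ID              string
	Asset           string
	CVSS            float64 // scanner's base score, 0-10
	KnownExploited  bool    // e.g. listed in a known-exploited-vulnerabilities catalogue
	InternetExposed bool    // reachable from outside the network
	Reachable       bool    // vulnerable function is on an actual execution path
	AssetTier       int     // 1 = business-critical, 2 = internal, 3 = sandbox/dev
}

// tierWeight and the multipliers in Score are illustrative assumptions for this
// example; a real programme sets them together with asset owners and the business.
var tierWeight = map[int]float64{1: 1.0, 2: 0.6, 3: 0.3}

// Score turns a raw CVSS number into a context-adjusted priority.
func Score(f Finding) float64 {
	s := f.CVSS
	if f.KnownExploited {
		s *= 1.5
	}
	if f.InternetExposed {
		s *= 1.3
	}
	if !f.Reachable {
		s *= 0.3
	}
	w, ok := tierWeight[f.AssetTier]
	if !ok {
		w = 1.0 // unknown tier: never silently down-rank
	}
	return s * w
}

// Bucket maps a score to an action an owner can commit to.
func Bucket(score float64) string {
	switch {
	case score >= 9:
		return "fix now"
	case score >= 4:
		return "schedule"
	default:
		return "accept/monitor"
	}
}

// Prioritize returns a copy of the findings, highest context-adjusted score first.
func Prioritize(fs []Finding) []Finding {
	out := append([]Finding(nil), fs...)
	sort.SliceStable(out, func(i, j int) bool { return Score(out[i]) > Score(out[j]) })
	return out
}

func main() {
	// Constructed sample findings, not real scanner output.
	findings := []Finding{
		{"F-1", "dev-sandbox-vm", 9.8, false, false, false, 3},
		{"F-2", "payments-api", 7.5, true, true, true, 1},
		{"F-3", "internal-wiki", 7.2, false, false, true, 2},
	}
	for _, f := range Prioritize(findings) {
		fmt.Printf("%s %-15s cvss=%.1f score=%.2f -> %s\n", f.ID, f.Asset, f.CVSS, Score(f), Bucket(Score(f)))
	}
}
```

Ranked by CVSS alone, the sandbox finding F-1 (9.8) would sit at the top of the queue; with context it drops to the bottom, while the lower-scoring but actively exploited, internet-facing flaw on the business-critical payments service becomes the one to fix now. The weights are the part an organization's own people must own, which is the passage's point about collaboration.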