Use open source to secure software supply chains
Recently, a lot of attention has been paid to software supply chain security. In particular, here is a quote from the presidential election of May 2021 Executive Decree on improving the country’s cybersecurity: “The federal government must…move towards a zero-trust architecture; accelerating the movement towards secure cloud services, including… platform as a service (PaaS).”
Two parts are needed to create a truly reliable software supply chain; securing non-technical areas and securing technical areas.
The non-technical aspects of any secure software supply chain involve individuals or teams focusing on security and compliance audits. Internal company policySystems that act as a regulatory system and set standards for developers are a must, as are efforts to enforce security best practices. While this may bode well for large organizations, small software engineering teams and startups have no bandwidth, budget or culture to make it a reality.
Consider robust security best practices
Open source tools, strictly governed and enabling automation of secure build and deployment are the components that form the technical aspects of the solution. Engineering teams need to find a way to consider robust security best practices and find a way to enforce them without unduly affecting developer workflow. It is a founding principle of the DevSecOps efforts within the broader community of software development professionals.