
Aqua Security, CIS creates security guide for software supply chain

by Helen J. Wolf

Aqua Security and the Center for Internet Security (CIS) have jointly released the industry’s first formal guidelines for securing software supply chains.

Developed through a collaboration between the two organizations, the CIS Software Supply Chain Security Guide provides more than 100 fundamental recommendations that can be applied to various commonly used technologies and platforms.

In addition, Aqua Security unveiled a new open-source tool, Chain-Bench, the first and only software supply chain auditing tool to ensure compliance with the new CIS guidelines.

While threats to the software supply chain continue to increase, studies show that security in development environments remains low. The new guidelines establish common best practices that support key emerging standards such as Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF) while adding fundamental recommendations for setting and auditing configurations on the Benchmark-supported platforms.


Within the guide, recommendations span five categories of the software supply chain: source code, build pipelines, dependencies, artifacts, and implementation.

CIS plans to extend these guidelines into more specific CIS Benchmarks to create consistent security recommendations across platforms. Feedback helps ensure future platform-specific guidelines are accurate and relevant. The guide will be published and reviewed worldwide, as with all CIS guidelines.

“By publishing the CIS Software Supply Chain Security Guide, CIS and Aqua Security hope to build a vibrant community interested in developing the platform-specific Benchmark guidelines to come,” said Phil White, benchmarks development team manager for CIS.

“All subject matter experts who develop or work with the technologies and platforms that make up the software supply chain are encouraged to participate in developing additional benchmarks,” he says.

“Their expertise will be valuable in establishing critical best practices to improve software supply chain security for everyone.”

Experts from CIS, Aqua Security, Axonius, PayPal, CyberArk, Red Hat, and other leading technology companies have reviewed the guide.

To support organizations applying the CIS guidelines, Aqua has released Chain-Bench. Chain-Bench scans the DevOps stack from source code to implementation and simplifies compliance with security regulations, standards, and internal policies to ensure teams can consistently implement software security controls and best practices.

“Building software at scale requires strong software supply chain management, and strong governance requires effective tools. This is where we saw an opportunity to add value,” said Eylam Milner, director of Argon Technology, Aqua Security.

“We wanted to use our software supply chain security expertise to develop critical guidance for one of the industry’s most pressing challenges, as well as a free, accessible tool to help other organizations comply,” he says.

“The work doesn’t stop here. We will continue working with CIS to refine these guidelines so organizations worldwide can take advantage of stronger security practices.”
