The new capability enables security teams to comply with the two leading standards—NIST SSDF and OpenSSF’s SLSA framework
Scribe Security, a software supply chain security solution provider, announced today the release of a new capability within its SaaS Trust Hub designed to help organizations understand and comply with the NIST SP 800-218 (SSDF) and SLSA frameworks, two emerging standards for software supply chain security. Scribe users (currently on GitHub and soon on additional SCMs) can now not only apply a policy over attestations to ensure secure development and build processes or validate that tampering hasn’t taken place, but also gauge compliance with the SSDF (the basis for the new U.S. cyber regulation) and with the SLSA framework, developed by Google and adopted by the OpenSSF.
In recent years, high-profile software supply chain attacks have caused significant damage to organizations. These attacks have highlighted the need for better security practices to address software supply chain risk. Consequently, the U.S. government pushed the market to develop new standards and adopted new cyber regulations. This is how SLSA and SSDF came to be.
Emerging standards such as SSDF and SLSA provide guidance on how to secure the software supply chain. These standards cover a wide range of areas, including vulnerability management, code integrity and provenance validation, incident response, and enforcement of secure SDLC processes. However, implementing them can be a daunting task, particularly for organizations with limited resources. Furthermore, demonstrating compliance with these standards unequivocally, in response to the new federal regulation or to customers’ requirements, is far from trivial. With the new release, Scribe’s platform makes compliance with these standards achievable, easily and with few resources.
“Working with Scribe’s platform, users can now easily verify that their build complies with the SLSA level 3 requirements,” said Danny Nebenzahl, Scribe Security Co-founder and CTO. “This new capability allows users to create SLSA provenance as part of each of their builds’ pipeline, see exactly which SLSA requirement has passed or failed, and quickly address any issues and bring the build into compliance. They can then easily share the collected evidence with relevant stakeholders, confidently demonstrating their build or product compliance.”
Unlike other tools, Scribe Trust Hub evaluates the entire policy rather than just producing a provenance document. This allows producers to collect relevant SLSA information about their pipelines in the form of a series of policies. They can choose to enact these policies on their pipeline and check whether each policy has passed or failed. If all policies have passed, that is equivalent to conforming to SLSA level 3.
The SSDF, as opposed to SLSA, is not a checklist to follow; instead it provides guidance for planning and implementing a risk-based approach to secure software development. It aims to reduce the volume and impact of vulnerabilities that occur across the entire SDLC. This includes promoting transparency and using an evidence-based strategy to protect software from tampering by unauthorized users.
“Scribe Trust Hub is an innovative solution, the first one to focus on the PS (Protect the Software) group of practices within the SSDF,” said Rubi Arbel, Scribe Security Co-founder and CEO. “We conduct a rule-based evaluation to determine the protection level of the source code based on the well-known CIS Software Supply Chain Security benchmark combined with some elements from SLSA.”
All users of Scribe Trust Hub can now, with this new capability, automate compliance validation against the two leading frameworks, SLSA and the SSDF. On top of that, in the specific areas where they do not comply, Scribe provides a set of actionable recommendations to close the gaps. This solves a huge problem for software producers who need to comply by 2024 with the new U.S.-led regulation based on the SSDF.