CIO Influence
CIO Influence News Networking Security

Anchore Demonstrates How to Further Software Supply Chain Security with Signed SBOMs and Security Reports

Anchore Demonstrates How to Further Software Supply Chain Security with Signed SBOMs and Security Reports
Demonstration workflow shows how organizations can use open source tools Syft, Grype, and Sigstore to share accurate data about the contents and security status of software

Anchore, a leader in software supply chain security, introduced a demonstration workflow that shows how software producers can create, sign, and share accurate software bill-of-material (SBOM) and security reports to help further the security of software supply chains. As the United States government implements the Executive Order on Improving the Nation’s Cybersecurity, federal agencies expect to require SBOMs from their software vendors. Commercial enterprises can also benefit from verifiable documents that attest to the contents and security status of the software they use.

The demonstration workflow leverages open source tools Syft, Grype, and Sigstore’s Cosign to create and share signed attestations about the security of software applications delivered in containers.

Recommended ITech News:  Research Finds IT Support Positively Transformed By Pandemic As Challenges Accelerate Innovation And Agility

The workflow details how software producers can:

  • Use Sigstore’s Cosign to sign a software container image
  • Use Syft to produce a comprehensive SBOM that details the contents of the container image and then use Sigstore to create a signed attestation for its validity
  • Use Grype to produce a vulnerability report for a container image and then use Sigstore to create a signed attestation for its validity
  • Deliver the signed container image, SBOM and vulnerability report to their software customer or user

Software users can then verify the software container image, SBOM, and vulnerability report for an accurate picture of both the contents and security status of the software they are using.

The demonstration workflow was developed in partnership with Sigstore and builds off the complementary capabilities of open source tools, Syft, Grype, and Sigstore’s Cosign. A detailed blog on how to implement this demonstration workflow is available here and sample code and documentation is available here.

Recommended ITech News: ADLINK Launches COM-HPC Server Modules With 80-Core Ampere Altra Arm-based SoCs For Embedded Applications

Why Software Supply Chain Security is Important
The need for a secure software supply chain increases in priority and urgency each day due to continued and persistent cyberattacks. The widespread use of DevOps processes to speed cloud-native software development has led to a concurrent rise in the use of software containers. An Anchore survey of 400+ large enterprises showed that 65% of respondents have a significant number of applications running in containers.

Containers make it easy to package software during development, but can bring in multiple open source software (OSS) dependencies as applications move through the DevOps pipeline, creating new security requirements. As a result, 63% of survey respondents plan to increase container use and 60% report improving supply chain security as a top initiative.

Anchore and Sigstore Cosign engineers are working in tandem to educate the open source community and raise industry awareness of software supply chain security and available tools to proactively secure the development pipeline. More information about SBOMs and the importance of container attestation for SBOM

Recommended ITech News:  Itential Delivers Dynamic Edge Enabled Applications for TM Forum Catalyst Project at Digital Transformation Series 2021

Related posts

Microsoft Lists TIE Kinetix Fully Integrated EDI Solution in AppSource

CIO Influence News Desk

Omnispace and Lacuna Announce Collaboration to Deliver Global LoRaWAN IoT Service

Security Journey Accelerated Secure Coding Training Platform Enhancements to Drive Development Team Engagement and Application Security

Business Wire

Leave a Comment