Aqua Security released the industry's first formal guidelines for software supply chain security. Developed through collaboration between the two organizations, the CIS Software Supply Chain Security Guide provides more than 100 foundational recommendations that can be applied across a variety of commonly used technologies and platforms. In addition, Aqua Security unveiled a new open source tool, Chain-Bench, which is the first and only tool for auditing the software supply chain to ensure compliance with the new CIS guidelines.
Establishing Best Practices for Software Supply Chain Security
Although threats to the software supply chain continue to increase, studies show that security across development environments remains low. The new guidelines establish general best practices that support key emerging standards like Supply Chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF) while adding foundational recommendations for setting and auditing configurations on the Benchmark-supported platforms.
Within the guide, recommendations span five categories of the software supply chain: Source Code, Build Pipelines, Dependencies, Artifacts, and Deployment.
CIS intends to expand this guidance into more specific CIS Benchmarks to create consistent security recommendations across platforms. As with all CIS guidance, the guide will be published and reviewed globally. Feedback will help ensure that future platform-specific guidance is accurate and relevant.
"By publishing the CIS Software Supply Chain Security Guide, CIS and Aqua Security hope to build a vibrant community interested in developing the platform-specific Benchmark guidance to come," said Phil White, Benchmarks Development Team Manager for CIS. "Any subject matter experts that develop or work with the technologies and platforms that make up the software supply chain are encouraged to join the effort in building out additional benchmarks. Their expertise will be valuable to establishing critical best practices to advance software supply chain security for all."
To date, the guide has been reviewed by experts at CIS, Aqua Security, Axonius, PayPal, CyberArk, Red Hat, and other leading technology firms.
Ofir Shapira, Cyber Security Product Manager, Axonius: "The work Aqua is doing around software supply chain security, not only as a company but for the wider community, is paving the way for more secure software releases."
Erez Dasa, Cyber & Application Security Architect, leading digital payment organization: "Implementing these guidelines over development processes gives us much more confidence in the security of releases."
The Industry's First Open Source Tool for Software Supply Chain Security
To support organizations adopting the CIS guidance, Aqua released Chain-Bench. Chain-Bench scans the DevOps stack from source code to deployment and simplifies compliance with security regulations, standards, and internal policies, so that teams can consistently implement software security controls and best practices.
"Building software at scale requires strong governance of the software supply chain, and strong governance requires effective tools. This is where we saw an opportunity to add value," said Eylam Milner, Director Argon Technology, Aqua Security. "We wanted to leverage our expertise in software supply chain security to help build critical guidance for one of industry's most pressing challenges, as well as a free, accessible tool to help other organizations adhere to it. The work doesn't stop here. We will continue working with CIS to refine this guidance, so that organizations worldwide can benefit from stronger security practices."
To learn more about the CIS Software Supply Chain Security Guide, visit the CIS WorkBench. To download Chain-Bench, visit GitHub.