Improving Software Supply Chain Security

Prof. Santiago Torres-Arias helps develop guidelines for improving software supply chain security.

Purdue ECE’s Santiago Torres-Arias, along with Ramaswamy Chandramouli from the National Institute of Standards and Technology (NIST) and Frederick Kautz of TestifySec, produced “Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines.” This NIST publication provides actionable measures for integrating SSC security into DevSecOps CI/CD pipelines.

In today’s software development landscape, cloud-native applications have transformed how software is built, deployed, and maintained. Developed using agile methodologies within DevSecOps, these applications rely on the continuous integration/continuous delivery (CI/CD) pipeline. However, recent analyses of software attacks and vulnerabilities highlight the need to secure the entire software development lifecycle (SDLC), including the software supply chain (SSC).

The SSC includes all activities from initial development to deployment. The integrity of these activities is vital for overall software security, as threats can arise from malicious actors targeting vulnerabilities or from errors by legitimate actors due to lapses in diligence.

The new publication outlines strategies to strengthen CI/CD pipeline security by integrating SSC measures. Aligned with the Secure Software Development Framework (SSDF), these strategies enhance preparedness to tackle SSC security challenges in cloud-native applications.

Key elements of the strategies include understanding cloud-native architecture, embracing DevSecOps principles, implementing CI/CD pipelines, integrating SSC security measures, and mapping strategies to SSDF practices. By adopting these strategies, organizations can enhance the security of their software supply chains and protect against emerging threats.