We've wrapped up our 9th All Day DevOps (ADDO) event, where we've learned from the industry's best and brightest about the latest tools and methodologies for securing the software supply chain. Hossam Barakat, Senior Cloud Architect at Amazon Web Services (AWS), led a session titled "Secure Your Application Supply Chain on AWS" that explored topics including Supply-chain Levels for Software Artifacts (SLSA), software bill of materials (SBOM), and how these tools can help build a secure pipeline.
The software supply chain begins when development starts and continues until the application is in the hands of the end user. Starting with committing source code to a repository, building the code in conjunction with various dependencies and libraries, and then producing a package. Open source has become an integral part of software development because it accelerates innovation. As much as 90% of modern software applications are comprised of open source software, and 29% of popular open projects contain known vulnerabilities. This means the software supply chain is vulnerable to compromised packages at every stage, increasing the urgency for security.
A new approach is required
Securing the SDLC process is an industry-wide challenge, and as a result, the modern DevSecOps process was born. This is the practice of integrating security testing at every stage of the software development process. The SLSA framework provides guidance on how to secure the SDLC pipeline. Barakat described several AWS tools that can be leveraged as managed services for your pipeline, including AWS CodeCommit, AWS CodeBuild, and AWS CodeDeploy.
In addition to the security of your pipeline, Barakat emphasized the importance of security within the pipeline, which is the security of the software as it goes through the delivery lifecycle. The focus should be on shifting left to shorten the feedback loop - the earlier these issues can be brought to the attention of the developer, the faster they can be fixed.
Software supply chains have become increasingly popular targets for attackers, and it's hard to know whether your software is at risk and how to protect it. As systems get more complex, it is critical to put best practices and checks in place to ensure artifact integrity. During this ADDO session, Hossam walked attendees through examples of this approach in action with all of these elements working together. You can watch the full presentation here and access all ADDO keynotes and technical sessions on demand.